We would like to inform you that SafeNet Authentication Service LDAP Sync Agent 3.7.0  is now available. 

This release brings the following features:

• Security is improved by ensuring that password authentications only succeeds with valid (non-expired) AD passwords
• The display of end-user password sync status and expiry information on the STA and SAS console allows admins to understand why an authentication failed, and lets them check that the password is up to date.
• Synchronization of users from Azure AD

Installation and configuration instructions, along with the agent itself, can be downloaded from the Gemalto Customer Portal KB0018219

We are pleased to announce that the SafeNet MobilePASS+ app 1.3.4 for Windows is now available.

This release features Compatibility with SAS and STA in the  EU Service Zone.

SafeNet MobilePASS+ app 1.3.4 for Windows can be downloaded from Windows Store

Gemalto is announcing End-of-Sale and Last Time Buy opportunities for SafeNet Multilink Encryptor CN8000, 5X10GBPS With Chassis, 8002 Cards, SafeNet Multilink Encryptor, CN8000, 10X10GBPS With Chassis, 8002 Card, and CN8000 interface card 8002 (Ethernet ONLY).

We encourage our customers to transition to the SafeNet Multilink Encryptor CN8000 with 8003 Cards, a best-in-class high-assurance encryption solution providing maximum security and performance, and certified to the highest security standards. SafeNet High Speed Encryptors (HSE) ensure the most secure data-in-motion protection, maximum performance, near-zero overhead with “set and forget” management, and lowest total cost of ownership.

Limited quantities remain; products are available on a first-come, first-served basis.

Maintenance will be available for renewal through January 1, 2020

Ethernet Platforms for End-of-Sale
• SafeNet Multilink Encryptor CN8000, 5X10GBPS With Chassis, 8002 Cards
• SafeNet Multilink Encryptor CN8000, 10X10GBPS With Chassis, 8002 Card
• CN8000 interface card 8002 (Ethernet ONLY)

The following are key dates in the End-of-Sale process:

End-of-Sale Date: 3/31/2019
Start of Good Faith Support: 1/1/2022
End-of-Life/End-of-Support: 12/31/2022

The following are the latest product highlights/enhancements for the SafeNet data protection portfolio:

ProtectApp 8.10.1 (JCE)

     API Enhancements:

•Retrieving custom attributes of a KeySecure user.
•Update API support for AES-GCM in local mode.

FPE Enhancements:

•Support for Unicode for FPE Algorithm in local mode.

Persistent Cache changes:

•Security Updates

BYOK Enhancements:

• Enhancements in BYOK (PKCS1v2.1/RSAOAEP-SHA1 wrapping algorithm supported in KeySecure in 8.10. Updated BYOK as earlier wrapping was done in local mode).

Web Services:

•Retrieving custom attributes of a KeySecure user.

ProtectApp 8.5 (.NET Core)
     New Initiative with following supported functionality in Remote mode

•Creation of Keys.
•AES algorithms AES/CBC/PKCS7Padding ,AES/ECB/NoPadding.
•HMAC
•Sign/Verify using RSA keys with PKCS1Padding/PSSPadding

ProtectApp 8.9.1 (.NET)
     Persistent Cache changes

•Security Updates.
•Enhancements in Persistent Cache.

ProtectApp 8.9.1 (ICAPI)
     Persistent Cache changes

•Security Updates.
•Enhancements in Persistent Cache.

ProtectApp Integrations

•Protectapp JCE integration with SalesForce integration for supporting Cache only.
•AWS RDS SQL Server 2016 (Always Encrypted) with ProtectApp CNG
•Azure AQL Server 2016 (Always Encrypted) with ProtectApp CNG
•IIS 7 on Windows 2008 with ProtectApp CNG.

Tokenization 8.10.1
     API Enhancements

•Batch insert with Custom Token Property for all databases.
•Get Custom Token Property for tokens for SQL Server, Oracle, Informix and MySQL

Web Services

•Adding Support of JBoss.
•REST/SOAP API for batch insert with Custom Token Property for all databases.
•REST/SOAP API to get Custom Token Property for tokens for SQL Server, Oracle, Informix and MySQL

Miscellaneous

•Upgrading JCE in TM package to 8.10.0
Bug Fixes:
•(TM-8670) Token Service cannot connect to Database
ProtectDB SQL Server 8.10.1 Installer Update
•Installer supports Windows Authentication on SQL Server
Bug Fixes
•Fixes for large datatypes.

ProtectDB DB2 8.8
     IPV6 support

•ProtectDB DB2 client can work with IPV6 on k170v.

As of 30 May, 2019 we are planning to stop sales of SafeNet Authentication Manager for OTP use cases. We will continue to sell SafeNet Authentication Manager with certificate‐based tokens for existing customers. The End‐of‐Sale Schedule is outlined below.

Products Affected:

• SafeNet Authentication Manager OTP tokens
• SafeNet Authentication Manager maintenance contracts for OTP tokens
• SafeNet Authenticator Manager licenses sold only with OTP tokens

A detailed End of Sale Announcement can be downloaded HERE

Gemalto is pleased to announce the release of version 2.3.0 of the Luna EFT Payment HSM.

This release of Luna EFT Payment HSM introduces key features expanding the software’s capabilities in terms of flexibility, logging and monitoring and addition of new payment standards. This includes:

• AES DUKPT – This release adds AES DUKPT according to ANSI X9.24-3 (2017). A new key specifier “Format 26” is introduced to support the AES key based DUKPT scheme.
• Remote System Logging via syslog – This release allows to send error logs from Luna EFT Payment HSM to configured remote syslog servers. A new web page for remote syslog server configuration is introduced in the Luna EFT Administration Console.
• Audit Logs Auto Archiving – This release introduces a new LunaSH command to support auto archiving of EFT audit logs, allowing for more automated audit log retrieval.
• Backup and Restore of HSM Configuration – This release adds functionality to secure backup/restore of HSM configurations via the web console.
• VFPE Program Enhancement – This release adds a new host function EA000D (FPE-CRYPTO-SET) to support data translation, encryption and decryption for VFPE Program.
• RSA Performance Improvements – This release provides RSA performance improvements for various OBM functions.
• Updated Host Functions – This release provides updates to various host functions concerning operation in PCI mode and key specifier extensions
  – EMV-PIN-CHANGE-UNBLOCK-MULTI (EE2021)
  – DECIPHER-4 (EE0807)
  – MAC-GEN-UPDATE-AES (EE0712)
  – MAC-GEN-FINAL-AES (EE0713)
  –  MAC-VER-FINAL-AES (EE0714)

Please go to the SafeNet Support Portal** to download the EFT 2.3.0 Software Release and the Customer Release Notes (use Document Number: KB0018136).

**Log in required.  Contact CustomerPortalSupport@Gemalto.com for assistance.

We are pleased to inform you that SafeNet Authentication Service Agent for Windows Logon (WLA) 2.2.8 is now available. 

This new release brings security improvements.

Installation and configuration instructions, along with the agent itself, can be downloaded from the Gemalto Customer Portal KB0018143

The Gemalto IDSS Security Response team recently identified a vulnerability in ProtectServer 2 firmware. We are committed to ensuring you are protected against known security issues, and consistently monitor for any security and vulnerability issues. 

Description: Recent reported vulnerabilities in ProtectServer HSM firmware could allow an attacker unauthorized access to the ProtectServer HSM via PKCS#11 API bypass (Severity Level – High). In addition, areas that could possibly result in a potential DoS attack via malformed requests have been identified (Severity Level – Medium).

Risk: Exploitation of these vulnerabilities could lead to a denial of service attack or potentially other attack vectors against the integrity of the firmware in the HSM.
 
Products Affected: ProtectServer 2 devices running firmware 5.00.02 and above.
 
Mitigation: Gemalto has released updated firmware to address these vulnerabilities. You should take priority action to update your firmware to version 5.03.01. Login to the Support Portal is required.

• ProtectServer Network HSM (PSIE-2) Firmware 5.03.01 Knowledge Base Article & Update

Gemalto is very pleased to announce the release of ProtectToolkit 5.7. This release, compatible with all ProtectServer 2 models, provides the following new features and enhancements:

Multifactor Authentication

SafeNet ProtectToolkit 5.7 now supports multifactor authentication using the SafeNet 110 OTP (One- Time Password) Token. This authentication scheme adds another layer of security by requiring both the memorized token PIN and a 6- digit number randomly generated by the SafeNet 110 OTP Token.

USB API Support for FMs

On Linux clients, you can now use the USB API to write applications that can interact with the HSM via the card USB port. This functionality can include:

• Wrapping of PKCS objects and storing them on a USB flash memory drive
• Backup of SMFS stored key (non- PKCS keys)

The USB API works with your custom FM to enable the desired functionality.

Secure Package Updates

On SafeNet ProtectServer Network HSM and Network HSM Plus shipped with SafeNet ProtectToolkit 5.7, you can now update the appliance software image to future releases by applying a secure package provided by Gemalto.

Ed25519 Curve Support

The ed25519 curve has been added to SafeNet ProtectToolkit 5.7 for sign/verify operations. Ed25519 uses a new key type, CKK_ EC_ EDWARDS , and the set of new EDDSA sign/verify mechanisms.

AES CCM Support

SafeNet ProtectToolkit 5.7 introduces the AES_ CCM mechanism, described at https://tools.ietf.org/html/rfc3610.

OpenSSL Library Supporting Big Numbers

The FM- SDK now includes a pre- compiled OpenSSL library ( libfmbn ), which allows support for Big Numbers in FMs. Use the FM sample ssldemo as a reference to use this library with your FMs. OpenSSL documentation can be found at https://www.openssl.org/ .

New in Firmware 5.04.00

Along with supporting the above new features, the following new mechanisms are available in firmware 5.04.00:

• CKM_ AES_ CCM
• CKM_ EC_ EDWARDS_ KEY_ PAIR_ GEN
• CKM_ EDDSA 
• CKM_ SHA1_ EDDSA
• CKM_ SHA3_ 256_ EDDSA
• CKM_ SHA3_ 384_ EDDSA
• CKM_ SHA3_ 512_ EDDSA
• CKM_ SHA224_ EDDSA
• CKM_ SHA256_ EDDSA
• CKM_ SHA384_ EDDSA
• CKM_ SHA512_ EDDSA

Firmware 5.04.00 also contains all of the fixes from version 5.03.01.

Please go to the SafeNet Support Portal**to download the release notes – details as follows:

• Release notes – Knowledge Base Article KB0018272
  
• PTK 5.7 Software (PTK-C;PTK-J;PTK-M) – Doc ID: KB0018273 / DOW0003317
  
• PTK 5.7 Documentation – Doc ID: KB0018274 / DOW0003318
  
• Firmware Version 5.04.00 – Doc ID: KB0018276 / DOW0003320

**Log in required.  Contact CustomerPortalSupport@Gemalto.com for assistance.

We would like to announce the release of SafeNet Authentication Client (SAC) 10.2 for Mac.

This version offers the following features:

• Support for MacOS Mojave (10.14)
• Support for Classic Client V3 cards: Introduced as part of the eBanking migration plan to use IDPrime MD cards
• Support for SafeNet IDPrime 940/3940 (due to be released in Q1 2019)
• Support for SafeNet eToken 5300
• Security  and performance enhancements: Various optimizations implemented to improve security and performance
• ITI Certification Mode support: Administrator PIN change required on first logon and initialization process protection by Administrator PIN.
• New Common Criteria Card Profile support: PUK (Personal Unblocking Key) replacement for Admin Key to unlock user PIN codes

SafeNet Authentication Client (SAC) 10.2 for Mac is now available for download from the Gemalto Support Portal KB0018305 and release note is attached.

SafeNet Crypto Command Center version 3.4 is now GA, featuring the highlights listed in the table below.

Visit the Gemalto Support portal to download this latest software, or contact your Gemalto Representative for additional information.

We are pleased to announce the following SafeNet MobilePASS+ releases:

SafeNet MobilePASS+ for Android v1.6.3

This release brings the following features:

• Android P support
• Google Project Fi support

Download: KB0018329 and Google Play

SafeNet MobilePASS+ app for Windows v1.4.2

This release brings the following features:

• Enterprise Deployment Support : EXE file installer is now available for customers to download SafeNet MobilePASS+, this brings easy deployment to enterprise users who may not have permissions to download applications from the Windows Store.
• Accessibility feature: Support for high contrast theme support
• FIPS Compliance: First release to be FIPS compliant (FIPS 140-2)

Download: Windows Store, EXE File KB0018353, APPX Bundle KB0018324

SafeNet MobilePASS+ SDK for Windows v1.3.0

This release brings the following features:

• Accessibility features
• FIPS compliance

Download: KB0018361

We are pleased to announce the release of SafeNet Authentication Service Agent for Windows Logon (WLA) 2.3.0.

This release brings the following feature:

Skip OTP feature for unlock events: When end user only needs to unlock his machine, this feature enables skipping the OTP prompt and only AD password is needed.

Installation and configuration instructions, along with the agent itself, can be downloaded from the Gemalto Customer Portal KB0018354

We are pleased to announce the release of SafeNet ProtectV 4.7.0, which expands its support for public clouds with support for Oracle Cloud Infrastructure.  This release also supports ProtectV clients for Ubuntu 18.04 LTS and RHEL 7.6, and enable either automatic or manual control of disk encryption in Windows servers. 

Feature Details:

Password Expiration Policy – SafeNet ProtectV 4.7.0 incorporates a password expiration policy for SafeNet ProtectV users. Passwords of the users (including the SafeNet ProtectV administrators) now have an expiration period of 90 days.

Password Complexity Validation – Complexity of the passwords of SafeNet ProtectV users and the SafeNet ProtectV Manager Database (SPVMDB) is now validated. The new passwords must be at least ten characters, contain at least one upper case letter, one lower case letter, one digit, and one special character.

Enhanced Account Lockout – The account lockout feature has been enhanced. A user’s account will be locked for 10 minutes after three failed login attempts instead of five. The remaining time until the account is locked will be displayed on the login screen.

Windows Auto Protection – A new option, Windows Auto Protection, is provided on the ProtectV Manager Console. This can be used to configure automatic encryption behavior of Windows client instances on registration. By default, encryption of a Windows client instance starts as soon as it is registered with SafeNet ProtectV Manager.

Support for Oracle Cloud Infrastructure – SafeNet ProtectV 4.7.0 extends support for ProtectV Manager on Oracle Cloud Infrastructure. You can launch your ProtectV Manager virtual machine on Oracle Cloud Infrastructure.

Improved User Name Conventions – SafeNet ProtectV now validates values entered in the Username and Display Name fields on the ProtectV Manager Console. These fields allow alphabets and numbers only; special characters are not allowed. If a special character is entered, the message “Username and Display Name should contain alphabets and numbers only.” is displayed.

Support for on premise, cloud and as a service key managers 

Support for wide variety of public and private clouds, including:

• Amazon Web Services (AWS) For
• Microsoft Azure
• Google Cloud Platform
• IBM Bluemix Cloud (formerly SoftLayer)
• VMware
• Microsoft Hyper-V
• Oracle Cloud Infrastructure

For download and customer release notes, please visit our Gemalto Customer Support Portal:

• ProtectV 4.7.0
• ProtectV Manager 4.7.0 Customer Release Notes

We are pleased to announce the release of SafeNet Data Protection On Demand Version (DPoD) 1.7. This release makes it easier than ever before to migrate from alternate Cloud HSM vendors such as AWS, and to integrate with a variety of technology partners including CyberArk and Microsoft.

For current AWS Cloud HSM Classic (Luna) customers, we now offer a Key Migration Guide for AWS. This guide explains in simple terms how to transfer key material from an Amazon Web Services (AWS) Cloud HSM Classic to a DPoD HSM on Demand service.

We are also excited to announce 5 new integration tiles in our expanding portfolio of HSM on Demand services:

• HSM on Demand for CyberArk Digital Vault
• HSM on Demand for Java Code Signer
• HSM on Demand for Microsoft ADCS
• HSM on Demand for Microsoft Authenticode
• HSM on Demand for Microsoft SQL Server

HSM on Demand for CyberArk Digital Vault provides a root of trust for CyberArk Digital Vault’s top-level encryption key in an HSM. By generating the server key using HSM-based entropy, HSM on Demand provides secure key storage.  Click here for the integration guide.

HSM on Demand for Java Code Signer performs cryptographic sign operations on Java artifacts using an encryption key generated on an HSM. Security is significantly enhanced by generating signing keys and certificates using HSM entropy and Java code signing crypto operations are performed inside the HSM on Demand Service. Click here for the integration guide.

HSM on Demand for Microsoft ADCS provides a root of trust for Microsoft Root Certificate Authority (CA) signing key in an HSM. This enforces hardened boundaries for the CA’s root cryptographic signing key, which is used to sign the public keys of certificate holders. By providing the root of trust for the CA’s public key Microsoft’s security is bolstered for example when configuring applications servers hosting Microsoft ADCS in dispersed data centers. Click here for the integration guide and video tutorial.

HSM on Demand for Microsoft Authenticode generates and secures Microsoft Authenticode certificates on an HSM and by doing so, provides hardened boundaries for Microsoft Authenticode digital certificates. Click here for the integration guide.

HSM on Demand for Microsoft SQL Server enables Microsoft SQL Server cryptographic operations on an HSM. The HSM provides root of trust for storage of keys used in Microsoft SQL so that encryption keys do not reside with encryption data. Data can be encrypted by using encryption keys that only the database user has access to on in the HSM on Demand service and cryptographic operations such as key creation, encryption, decryption, etc. can be offloaded to the HSM. Click here for the integration guide.

All the current integration guides can be found here.

The latest release also includes multi-factor authentication (MFA) support, allowing DPoD users to employ a mobile application which generates one-time password. Currently DPoD supports a number of authenticators including Google Authenticator, Authy and 1Password but we are working closely with the Gemalto Identity and Access Management teams to integrate Gemalto’s solutions into upcoming releases. As part of our efforts to continuously enhance security, you are required to log in using multi-factor authentication using an authentication application on a mobile device. MFA increases user account security by requiring users to configure an MFA token linked to their DPoD user account that generates unique 6-digit time-based one time passwords (TOTP). We will inform you as soon as Gemalto’s STA and SAS solutions are integrated too. For more details, click here.

The recent release also includes our expanded platform capabilities for multi-tier distributor models. This additional tenant management tier in the DPoD platform enables us to better support distributors, and/or service providers who manage their own channels or Virtual Service Providers. As we focus our efforts on building our MSP/MSSP channel, this capability adds more commercial channel layers to DPoD, and enables us to expand our go to market. This will be further enhanced in upcoming releases as we expand capabilities including a service provider hosted onboarding, with their own dedicated registration forms and automated registration processes, as well as white labeling options. With a smoother onboarding process than ever before, we encourage you to sign up now for a free evaluation here. For additional details about this and other release features, please refer to the DPoD 1.7 Customer Release Notes.

As part of our commitment to offering services and resources that enable our customers to meet local and international governance and compliance needs, we are pleased to announce that DPoD has now achieved the internationally recognized ISO 27001 and SOC 2 certification. This provides customers with the confidence of using a service that has undergone a thorough independent review and comprehensive audit.

For more information, visit the SafeNet Data Protection On Demand website and sign up now for a free evaluation.

For all questions about SafeNet Data Protection On Demand, please email us at dpondemand@gemalto.com.

We are pleased to announce the release of SafeNet ProtectFile Windows v8.10.1, which improves formatting of logs redirected to a Syslog server according to the Syslog Protocol RFC 5424* guidelines. This release also adds support for migration of distributed resources such as disks and SQL instances among cluster nodes (file servers) in a Windows cluster.

For download and customer release notes, please visit our Gemalto Customer Support Portal:

• ProtectFile Windows v8.10.1 Customer Release Notes
• ProtectFile Windows v8.10.1 Download

*Refer to https://tools.ietf.org/html/rfc5424 for details on RFC 5424.

We are pleased to inform you that Service Agent for Outlook Web Application (OWA) 2.1.2. is now available. 

This updated version features the following improvements:

• Support for Office Online Server (OOS) with Exchange 2016
• Key security upgrades to increase agent’s robustness

Installation and configuration instructions, along with the agent itself, can be downloaded from the Gemalto Customer Portal KB0018417

Gemalto is pleased to announce that SafeNet KeySecure version 8.10.1 is now available for the following physical appliances:

• SafeNet KeySecure k460 (R320 and R330 chassis)
• SafeNet KeySecure k450 (R320 and R330 chassis)
• SafeNet KeySecure k250

Virtual deployments are also available through SafeNet Virtual KeySecure on AWS and VMware.

Below are new feature enhancements available in the SafeNet KeySecure 8.10.1 release:

SNMP Traps Added for Network Failure: SNMP Trap has been added to alert when an HSM is unable to connect to the network in three attempts.

SNMP Trap OIDs Added in MIB file: SNMP Trap OIDs has been added in the MIB file. (MIB is a collection of information used for managing devices in the network). OID (Object Identifier) is an identifier used to point to an object in the MIB hierarchy in SNMP-enabled network devices.

Support Added to Perform Database Vacuum: New CLI command schedule cdbvacuum added to perform a database vacuum. For more information on how to perform a vacuum, refer to Chapter 27, “System Health” in the SafeNet KeySecure CLI Reference Guide.

Security Enhancements for Web Admin Password: As a security enhancement, the web admin password will now be obfuscated at the Login, Logout, and Change Password pages.

Key Backup Process Functionality Optimized for Erratic Network Connection: Backup process is enhanced to fare erratic connection and network failure:

• Support added to log details of backup and restore processes.
• Functionality added to deploy a retry mechanism in event of HSM connectivity failure.
• SafeNet KeySecure will make three attempts to re-establish the network connection.

If unable to connect after 3 attempts:

• For single HSM, the backup process will create a smaller backup.
• For HSM HA, if a single HSM fails, SafeNet Virtual KeySecure will try to recommence the backup process from other available HSM(s). If other HSM(s) are also unable to connect to the network, the backup process will create a smaller backup.

SNMP Trap Alerts added for Following Events:

• When backup process is unsuccessful.
• When Key Count is less than expected.
• When HSM is unable to connect to the network in three attempts.
• When File Descriptor (FD) limit reaches 80% of the max FD limit.

Logging Enhancements for Automatic Backup Process:

Support added to log and display supplementary information related to backup process, such as ‘Automatic Backup Start Log’ and ‘Backup/Restore initiated’.

For a full list of product enhancements and issues resolved in this release, please refer to the customer release notes available on the Gemalto Customer Support Portal: KeySecure 8.10.1 Appliance Customer Release Notes (Document Part Number: 007-000307-001)

This release is compatible with the following SafeNet Data Protection portfolio client platforms and versions:

• ProtectFile-Linux 8.10.1
• ProtectFile-Windows 8.10.1
• ProtectDB SQL Server 8.10.1
• ProtectDB Oracle 8.10.0
• ProtectDB DB2 8.8.0
• ProtectDB Teradata 8.5.0
• ProtectApp-JCE 8.10.1
• ProtectApp-.Net 8.10.1
• ProtectApp-ICAPI 8.10.1
• Tokenization Manager 8.10.1
• SafeNet ProtectV

Older versions of the SafeNet client platforms are also expected to work with SafeNet KeySecure 8.10.1

For a full list of supported upgrade and migration paths for customers, please read the customer release notes, available on the Gemalto Customer Support Portal.

*Note: Registered users may access the documents via the Gemalto Customer Support Portal. New users can visit the customer registration page to create an account.

As part of our ongoing product communication, below is an End-of-Life reminder for IDBridge K3000 and IDBridge CT510.

IDBridge K3000: 
Effective as of April 3, 2019, IDBridge K3000 will be End-of-Life (EOL), for details please see the End-of-Life announcement.

IDBridge CT510: 
Effective as of March 31, 2019, IDBridge CT510 will be End-of-Life (EOL), for details please see the End-of-Life announcement.

We are excited to release the first version of our next generation smart cards – the SafeNet IDPrime 3940/940.

It offers the latest in cryptographic security and updated certifications, including CC, eIDAS, ANSSI, eSignature and eSeal. SafeNet IDPrime 3940/940 is the first release of several next generation smart cards that will be released over the coming months.

The supporting middleware for SafeNet IDPrime 3940/940 is SafeNet Authentication Client (SAC) 10.6 Post GA and the supporting minidriver is SafeNet Minidriver 10.2 Post GA.

SafeNet IDPrime 3940/940 will be an eventual replacement for the IDPrime MD 3840/840, and it can now be offered instead.

 Note:

• eIDAS certification and French ANSSI qualification to be approved in Q1 2019
• The French ANSSI qualification of IDPrime MD 3840/840 is due to expire on July 2019. French customers who are following this regulation will need to migrate to IDPrime 940/3940 before July 2019.