Major Release 8.0 Notes

Our new module, SSH The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. Key Manager, gives security and network teams a simple, centralized solution to simplify SSH key management and mitigate the risk of emerging SSH-based attacks.

The SSH Key Manager allows you to:

• Discover: Inventory SSH authorized_keys across your servers and cloud infrastructure

• Analyze: Review your key inventory to detect and remediate things like unauthorized root access, stale keys, and keys that belong to users that should no longer have access

• Rotate: Configure automated key rotation alerts and enable self-service key generation and rotation by SSH users

• Automate: Keep DevOps and admin teams moving with automated key deployment, which can be baked into the server provisioning process in highly automated cloud environments

• Report: Generate reports to keep an eye on user and service account keys in your environment, including their lifecycle, access, and trust relationships

Note:  If you are re-installing the Keyfactor Bash Orchestrator The Bash Orchestrator, one of Keyfactor's suite of orchestrators, is used to discover and manage SSH keys across an enterprise., you must run the uninstall.sh script before re-running the install.sh script.

Note:  The certificate used during the Keyfactor Bash Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. installation needs to be in PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. format.

• Links to the specific areas of the Keyfactor Command documentation are now available in the application.

• Adding a certificate to a certificate store has been updated from the previous tree view control to a searchable grid to make management of certificate stores at scale more efficient.

• Grids have changed to allow selecting via checkboxes and to include tabs to make the less frequently used functions grouped in a less front and center way.

• Some areas of the application now have expandable/collapsible functionality to hide information when it isn’t needed to provide a cleaner interface.

You can now enter explicit credentials when contacting the CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.. The requester will be provided in the request in order to track who is acting on the CA. Additionally, permissions for who can enroll for a certificate can be defined on a Keyfactor Command Security Role level.

• Daylight Savings Time (DST) is now shown as the time zone locale for the clients using Keyfactor Command, rather than as the UTC offset, which is what Microsoft CA uses. This causes issues during DST in time zones that do not have DST to appear off by an hour.

• Microsoft IIS settings to change authentication to support the "Use Active Directory Password" application setting for the Keyfactor Command portal must be made manually.

• When using Basic Authentication, the authentication in Microsoft IIS may need to be configured manually for the KeyfactorAnalysis portal.

• Authentication between the KeyfactorPortal, KeyfactorAPI, and KeyfactorAnalysis sites needs to be configured with the same authentication type, SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers., and host name The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername)..

• Editing certificate details on a collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). for a CA while an initial sync is running on the CA will cause inaccurate numbers to display in the Edit All window.

• If a CA is not scheduled to sync under "PKI A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. Management" it will not appear in lists to select for things like inclusion in "Dashboards and Reports".

• Syncing an Issuing CA before syncing its parents in the chain causes Keyfactor Command to show the wrong requester for the chain certificates.

• Keyfactor Command cannot support a CA in the local forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. with the same NetBIOS name as a CA in a trusted forest.

• In some upgrade cases, the Certificate Search page only partially loads or enrollment returns a System.Exception error. Opening the Developer Tools with F12 key and performing an Empty Cache and Hard Reload will resolve this problem.

• Running large SSL scans can impact Keyfactor Command application performance if the Windows Agent/Orchestrator performing the scan is installed on the same server as the Keyfactor Command portal.

• If you receive an error when opening the portal that "the underlying connection was closed" please be sure you have all of the latest Windows Updates installed.

• In Windows, drive mapping is done on a per-user basis. If you would like scheduled reports to be saved to a mapped drive, the timer service account needs to have that mapping created for them beforehand.

• Exporting a report to Microsoft Excel can fail with a 401 error in Microsoft Edge. Chrome or Firefox can successfully export to Excel. This problem is being worked on by the reporting engine vendor (Logi Analytics).

• Users configured for Logi Analytics reporting cannot have double quotes in the password field.

• Occasionally, the "Please Wait" message will hang. Control + F5 will fix this.