Lieberman RED Identity Management, Version 5.5.1
Welcome to RED Identity Management version 5.5.1. This release is available at no charge to customers with a current Software Support and Maintenance Agreement.
Version 5.5.1 includes bug fixes and other improvements. Highlights include:
- Okta, Ping Identity, OneLogin, and Active Directory Federation Services (ADFS) federated login support.
- New logging features.
- New option to output compliance reports as PDF and/or comma-separated value (CSV) files.
- New option to automatically copy a password to the clipboard without displaying the password on screen during password checkout.
- You can now add LDAP users directly to the RED Identity Management delegation system.
- You can now verify that the Session Recording feature is properly installed and configured using the new “Test” button.
Version 5.5.0 included new features and bug fixes. Highlights include:
- New Linux/UNIX Systems View.
- Improved support for SSH key management.
- Added Xerox Phaser printer support.
- Added the ability to use Azure Active Directory or SalesForce Force.com as an authentication provider when logging into the RED Identity Management web client.
- New configurable scanner provides more options for identifying system types during scheduled management set updates.
- Web services now support multi-factor authentication.
New in This Release
This section summarizes features and changes in product functionality introduced since version 5.5.0 of RED Identity Management.
- Okta, Ping Identity, OneLogin, and Active Directory Federation Services (ADFS) federated authentication support powered by SAML. This release includes SAML-powered authentication support for Okta, Ping Identity, OneLogin, and ADFS as authenticators in addition to our existing OAuth/OpenID support. See “SAML Identity Provider Configuration” for documentation. Our team is already working on the next version of our cloud identity integrations and is looking for input from our customers on how to improve our cloud integrations. If you have any problems with these integrations, please contact us so we can assist you. We are very interested in your feedback.
- New logging features. A diagnostic logging option has been added that can help trace why one or more systems may have been added or removed from a management set during a dynamic refresh operation. You can also choose to write zone processor log files to a custom location. For details, see “Configuring Logging.”
- Compliance report changes, including new compliance report formats. In addition to HTML, you can now output compliance reports as PDF or CSV files. Note that PDF output requires the installation of the wkhtmltopdf component when you install RED Identity Management. The wkhtmltopdf component is an open source HTML-to-PDF converter that is distributed with RED Identity Management. Installation is optional.
This release also includes the following minor changes around compliance reports:
- Compliance reports are now automatically generated when the data snapshot is taken. As before, reports are created from information that is stored in the compliance reporting database.
- Reports are now saved as .zip archives in the RED Identity Management database. Previously, reports were stored under the ReportResources directory on the system that generated the report. Now when the RED Identity Management web client opens a compliance report, the report is retrieved from the RED Identity Management database.
- Compliance report snapshots that were generated prior to RED Identity Management 5.5.1 can no longer be opened in the RED Identity Management web client. Instead, use the management console to open these reports.
- Compliance report snapshots can no longer be initiated from the RED Identity Management web client. Use the management console instead.
See “Compliance Reporting” for complete documentation.
- New option to automatically copy a password to the clipboard so the password does not have to be revealed. You can now configure password checkouts to automatically copy the password to the clipboard so that the user can paste the password as needed when prompted for credentials. If this option is selected, RED Identity Management does not display the password on screen. See “Security Tab Help” (in the “Configuring the RED Identity Management Web Client” topic) for details.
- Add LDAP users directly to the delegation system. When creating a delegation identity in the management console, you can now directly use an LDAP account if the LDAP server is set up as an authentication server in RED Identity Management. Previously you had to add LDAP users to a role, and then use the role as the delegation identity. For details, see “Adding Identities to RED Identity Management.”
- New Session Recording “Test Configuration” feature. After the RED Identity ManagementRemoteLauncherInstaller.exe program installs the Application Launch and Session Recording features, the “Session Recording Configuration” dialog opens. This dialog includes new configuration settings and a Test button that will check if the configuration is valid. For details, see “Installing the Application Launcher and Session Recording Features” in the Application Launching & Session Recording Guide.
New in Version 5.5.0
- New Linux/UNIX Systems View. Similar to the existing “Windows System View” but for Linux, UNIX, and UNIX-like systems. This view shows system information, a timestamp indicating the last time RED Identity Management connected to each system, and a “Status” column that shows the result of the connection attempt. See “Five Views” in the Admin Guide for details.
- Support for Azure AD as an authenticator. You can now use Azure Active Directory as an authentication provider when logging into the RED Identity Management web client. First add RED Identity Management as a native client application in Azure AD, then configure RED Identity Management to use Azure AD as an OAuth2 authentication server. See “Azure Active Directory Authentication Configuration” for details.
- Support for Salesforce (Force.com) as an authenticator. You can now use Salesforce as an authentication provider when logging into the RED Identity Management web client. First add RED Identity Management as a connected app on the Force.com website, then configure RED Identity Management to use Salesforce as an OAuth 2 authentication server. See “Salesforce (Force.com) Authentication Configuration” for details.
- New system scanner. An improved scanner that identifies new systems and adds them to management sets is included in this release. The scanner probes target systems using as many as nine different protocols. Depending on configuration the scanner can use Ping, SMB, SSH, Telnet, SNMP, IPMI, and other protocols to determine if newly discovered systems match known types (for example, Linux/UNIX, Windows, IPMI devices, SNMP devices, SQL Server, Oracle database, and so on) and add them to management sets accordingly. If the scanner cannot identify the system type, Dynamic Type-mapping rules can be created to identify the system type. Scan results are written to an XML file that the rules parse. Use either basic pattern matching or XPath-based mapping to identify systems based on system name or another attribute and add them to management sets. See “Getting Started Adding Systems to a Management Set” for details.
- Multi-factor authentication support for web services and PowerShell. Your code can now use multi-factor authentication to log in to RED Identity Management web services. Any multi-factor authentication (MFA) scheme RED Identity Management supports can now be used to securely log in through the PowerShell, REST, and SOAP interfaces. To successfully implement MFA with web services you must have access to the MFA token value and provide it at the time of the login request. Use the MFATokenCode parameter to pass the token value. See the Get-LSLoginToken (PowerShell), DoLogin2 (REST), and DoLogin (SOAP API) reference documentation for details.
Support for New Systems and Devices
New in Version 5.5.0
- Xerox Phaser printer support. RED Identity Management now supports Xerox 6700 printers and variations. RED Identity Management can manage the administrator account and password. To get started, see “Enrolling Xerox Phaser Printers” in the Admin Guide.
Web Services and PowerShell Updates
- New commands in 5.5.1. The following commands are new in this release.
New commands for managing Xerox Phaser printers:
- Get-LSListSystemsInManagementSetXeroxPhaserInstances (cmdlet). Gets the Xerox Phaser printers for the management set specified. The corresponding web service API is ManagementSetOps_GetXeroxPhaserInstanceListForManagementSet.
- New-LSSystemInManagementSetXeroxPhaserInstance (cmdlet). Adds Xerox Phaser printers and variations to a target management set. The corresponding web service API is ManagementSetOps_AddXeroxPhaserInstanceToManagementSet.
- Remove-LSSystemFromManagementSetXeroxPhaserInstance (cmdlet). Removes a target Xerox Phaser printer from the specified management set. The corresponding web service API is ManagementSetOps_RemoveXeroxPhaserInstanceFromManagementSet.
- Get-LSSystemName (cmdlet). Gets a system name when you pass in either the computer name, the DNS name, or the IP address. The corresponding web service API is QueryTargetInfo_SystemName.
- Get-LSSSHKey (cmdlet). Returns the stored public SSH key as a hex-encoded string. Returns an error if the private key is not stored. The corresponding web service API is AccountStoreOps_GetSSHKey.
- Get-LSPasswordOperations (cmdlet). Returns a list of RED Identity Management operations (permissions) for the specified stored credential. The corresponding web service API is AccountStoreOps_GetPasswordOperations.
Known Issues and Workarounds
- Oracle Back-End Data Store. Customers running Oracle as a back-end data store for RED Identity Management should not upgrade to RED Identity Management version 5.5.0 or RED Identity Management version 5.5.1. Oracle back-end data store support will be re-introduced in a future version of RED Identity Management for customers who have current Oracle support contracts.
- SSH key import requires both the private and public keys. To properly import an SSH key in this version of RED Identity Management, you must import both the private and public keys. The “Import Private Key” dialog provides an “Import public key for this private key” option. If you do not select this option, RED Identity Management will calculate an incorrect signature (fingerprint) for the key. To work around this issue, import both the private and public keys. This issue has been confirmed in RED Identity Management versions 5.5.0 and 5.5.1. See “Connecting to SSH Targets With Imported SSH Keys” in the Admin Guide for details.
- Manually removing a system from a management set may now require an additional step. If you delete a system from a management set and the system is part of a static inclusion list, you now have to manually remove the system from the inclusion list and then re-run the update to prevent the system from being added back to the set during future refresh/lookup jobs. This is a change in behavior. Prior to version 5.5.0, deleting a system from a management set automatically removed the system from the static inclusion list. See “Removing Systems From a Management Set” for more information.
- Non-Windows systems added to a management set may be logged as Windows. During a management set update RED Identity Management may incorrectly log that a Windows system was added to a management set when in fact a UNIX, Linux, Cisco, AS400, OS390, or similar system was added. This is a known issue that only affects logging. Systems are properly added to the correct node(s) otherwise.
- Azure System Discovery. The RED Identity Management system discovery feature supports “classic” Azure virtual machines. In version 5.5.1 RED Identity Management does not discover Azure virtual machines created using the newer “Resource Manager” model. To enroll VMs created using the Resource Manager model, click Add Systems in the management console Actions pane and manage the system using a custom management set.
For more information about Azure deployment models, see “Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources” on the azure.microsoft.com website.
- Update the Sudo response file to enable CBC and CTR cipher support. The Sudo response file (XML) is missing the Encryption parameter, so only the following ciphers are supported: AES 256 CBC and 3DES CBC. To support additional CBC and CTR ciphers, set the Encryption parameter to ALL by adding the following line to each command stanza that requires it:
See “About Response Files” in the RED Identity Management Admin Guide for details.
Bug Fixes and Other Updates
The following is a partial list of customer-reported issues that were resolved in version 5.5.1.
- RDP Enhancement. In version 5.5.1 you can now configure the loadbalanceinfo string in the generated RDP file. This update resolves an issue that prevented the RED Identity Management App Launcher feature from being able to establish a connection in environments with load balancers. (Case 980)
The following is a partial list of customer-reported issues that were resolved in version 5.5.0.
- ServiceNow Integration Update. Password checkouts from ServiceNow no longer fail if the ServiceNow ticket has a large number of incident records. (Cases 5548, 943, 986)