These docs are for v17. Click to read the latest docs for v33.

Release Notes for This Release

17.2

This is an incremental release over 17.1.

Bug Fixes

  • [PX-3815] Fix issues with Web Proxy openssl
  • [PX-3967] Fix user tag misbehaviours
  • [PX-3972] Fix long CN in the cert requests by Web Proxy, Carrier and Extender
  • Security improvements

17.1

This is an incremental release over 17.0.

Excluding issues related to PX-3707 Optional components not displayed in the GUI, the Important Notes and Known Issues from 17.0 also apply to this release.

Bug Fixes

  • [PX-3699] Extender status not displayed under Service Status
  • [PX-3707] Optional components not displayed in the GUI
  • [PX-3714] SSH Bastion: public-key client authenticated connections fail when target connection uses keyboard-interactive authentication with stored passphrase.

17.0

Important Notes

New Streamlined HA Upgrades
Keyvault config files are now automatically synchronized between PrivX servers and do not need to be copied manually. For more information about HA upgrades, see High-Availability Deployment: Upgrade.

Workaround for Legacy Certificates
If your existing PrivX installation has been integrated to systems that use legacy X.509 certificates (certificate CN equals FQDN, and does not contain a Subject-Alt-Name extension), then follow these steps when upgrading to PrivX 17:

  1. Install PrivX-17 RPM without automatic postinstall:

    # SKIP_POSTINSTALL=1 yum install PrivX-17.0-....
    
  2. Enable legacy-x509-certificate support:

    # echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
    
  3. Run postinstall manually:

    # /opt/privx/scripts/postinstall.sh
    

Note: Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and not guaranteed to be available in future releases.
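
To find the certificates that still need replacing, the following added example (not part of the PrivX release notes or of PrivX itself) walks a PEM bundle with Go's crypto/x509, the library that the GODEBUG x509ignoreCN setting controls, and lists every certificate that has no Subject-Alt-Name extension. The function names and the sample certificates are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// legacyCNs lists the CN of each certificate in a PEM bundle that has no SAN extension.
func legacyCNs(bundle []byte) (legacy []string, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys and other PEM objects
		}
		cert, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			return nil, perr
		}
		hasSAN := false
		for _, ext := range cert.Extensions {
			hasSAN = hasSAN || ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) // subjectAltName OID
		}
		if !hasSAN {
			legacy = append(legacy, cert.Subject.CommonName)
		}
	}
	return legacy, nil
}

// sampleCert builds a constructed self-signed certificate (demo input, not from PrivX).
func sampleCert(cn string, sans ...string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: sans}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { // constructed bundle: one CN-only certificate, one with a DNS SAN
	fmt.Println(legacyCNs(append(sampleCert("old.example.com"), sampleCert("new.example.com", "new.example.com")...)))
}
```

Any name it reports belongs to a certificate that only validates while the workaround is enabled and should be reissued with a SAN entry.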

License Upgrade for Future Upgrade Support
If your initial PrivX deployment started with version 15 or earlier, it is likely running with a Nalpeiron license, which shall be obsoleted in a future PrivX release. To enable upgrading to future PrivX versions, request and set up a new license according to Converting to New License Format.

Reset Custom Disclaimers
Custom disclaimers are reset during upgrade. You should back up your custom disclaimers before upgrade, then recreate them after upgrade. For more information about setting custom disclaimers, see Custom Disclaimers.

Automatic Removal of Duplicate Services
Previous versions allowed entering duplicate host-service addresses, which were not supported and may have resulted in undefined behavior. When upgrading to this version, duplicates are automatically removed. For details about any removed services, check the installation logs.

Minimum TLS version for LDAP directories is now TLS 1.2.
TLS 1.0 and TLS 1.1 are no longer supported.

Optional components not displayed in the GUI (updated on Mar. 8th, 2021)
Optional components (PrivX Extender, PrivX Carrier and PrivX Web Proxy) are not visible in the PrivX admin UI status page. The issue will be fixed in the PrivX 17.1 point release.

Upgrading to the Latest Version

  • Upgrading to this version is supported from three previous major versions (16.x, 15.x, 14.x)
  • If you are planning to upgrade from an older version, please contact support.

Supported Releases

We produce security and stability fixes for the three latest major releases (17.x, 16.x, 15.x).

New Features

  • [PX-1694] - Deployment script will notify user, if OpenSSH version is too old. New configuration flags for deploy script.

  • [PX-2311] - Allow filtering users on OIDC source level

  • [PX-3217] - Administer PrivX settings via WebUI (rolestore,hoststore,monitor and trailindex)

  • [PX-3337] - Possibility to remove old connection metadata.

  • [PX-3350] - Filter for connections with access roles

  • [PX-3357] - Change default behavior to open connection in a new tab

  • [PX-3424] - Renaming of navigation items on WebUI

  • [PX-3479] - Copy on select in SSH terminal.

  • [PX-3540] - Support for ctrl-shift-c and ctrl-shift-v in the SSH web client.

  • [PX-3492] - Synchronized clipboard support for web RDP on Chrome and Edge browsers.

Bug Fixes

  • [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX

  • [PX-1903] - User and audit event searching: Inconsistent behavior with special offset and limit values

  • [PX-2094] - Services handle search params in a non-consistent way

  • [PX-2163] - 'PrivX Configuration' host setting is not enforced

  • [PX-2946] - Multiple directories scanning the same cloud hosts update the same hosts in db

  • [PX-2948] - Race condition in host-store service uniqueness check

  • [PX-2992] - Backend accepts negative values for floating time in direct role assignment

  • [PX-3033] - Allow HA upgrade without copying config files between HA nodes

  • [PX-3071] - Keydown gets stuck for web carrier connections

  • [PX-3242] - Use (dn= instead of (cn= in superuser default and documentation

  • [PX-3251] - Housekeeping for workflow_roles table

  • [PX-3290] - Add a permission for granting access roles to audited connection

  • [PX-3311] - Web login does not fill credentials on HP iLO 4 or Dell iDRAC environments. See Carrier config file for details.

  • [PX-3316] - services read config files in wrong order

  • [PX-3317] - services missing db related attributes in service-specific tomls

  • [PX-3325] - Role permission error with two user directories

  • [PX-3332] - Add "View" menu items to hamburger menus where items have detail pages.

  • [PX-3339] - Guacd segfault after resizing browser multiple times

  • [PX-3340] - Change "extender" to "web access gateway" for consistency.

  • [PX-3346] - Remove HostServices cache and enforce service address uniqueness at db level

  • [PX-3349] - Hyphen (-) is not allowed in api client name

  • [PX-3372] - Access roles for transcript search

  • [PX-3375] - Audit events do not log year or node info to timestamps

  • [PX-3382] - Caching: creating and getting resources immediately sometimes return 404 not found

  • [PX-3413] - Correct spelling of "log in" when used as a verb

  • [PX-3414] - authorizer / connection manager: enhanced auditevents and connection metadata w.r.t principal key authentication

  • [PX-3420] - privx-agent-ctl does not show directory username in target selection list

  • [PX-3433] - New command line options for deploy script

  • [PX-3437] - Generating keyvaults keys cannot handle some special characters in init_db.sh script

  • [PX-3442] - Misleading error is returned if api client does not have valid permissions for ops

  • [PX-3444] - Role-store returns non-existing users in role member listing

  • [PX-3445] - Show all connections with access roles

  • [PX-3451] - Search by deleted access role responds with result(s).

  • [PX-3453] - Add some username length validations for hosts

  • [PX-3460] - initial_install.sh does not check value of env var PRIVX_DISABLE_SELINUX

  • [PX-3466] - Connection search as service returns invalid results

  • [PX-3472] - Disclaimer JSON is not validated

  • [PX-3485] - Wrong Native Client Address is shown to customer

  • [PX-3501] - Caching issue: search returns count of 50 when there are 52 entries in the database

  • [PX-3513] - Clipboard download for web connections doesn't work

  • [PX-3523] - Settings: invalid scope in URL does not result in some forms of 4xx error

  • [PX-3526] - Updating a user with a duplicate tag is possible.

  • [PX-3528] - LDAP default user filter does not work

  • [PX-3536] - Service-starting event missing for settings service

  • [PX-3542] - API: wrong permission enums used in API tests

  • [PX-3547] - Carrier web sockets: Firefox certstore does not accept all certificates in the bundle

  • [PX-3567] - License manager: panic found in system test

  • [PX-3571] - RDP/Web windows resize: resizing is not triggered when PrivX browser is resized during RDP/Web connection initialization

  • [PX-3572] - Some available RDP keymaps are missing from the UI

  • [PX-3573] - License manager: set_license.sh no longer works out of the box

  • [PX-3576] - access-role-revoked audit event is triggered without any real temporary access being revoked

  • [PX-3584] - Firewall commands are not run in postinstall if SELINUX is disabled

  • [PX-2665] - Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.


Improvements

  • [PX-2334] - Simplified certificate login allowing roles to be created for accessing host without reconfiguring target hosts. This is an alternate way for configuring hosts.
  • [PX-3026] - API documentation improvements

  • [PX-3446] - Officially support Amazon Linux

  • [PX-3505] - Allow filtering out AWS roles by name

  • [PX-3516] - Add external ID support for assume-role requests for additional security

  • [PX-3525] - Allow fetching assume-role temporary credentials for roles on other AWS accounts

  • [PX-3530] - Allow fetching temporary AWS API tokens via API clients

  • [PX-3532] - Common env variable file for services

  • [PX-3641] - Remove duplicate host-service addresses on install.

Known issues

  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

      
  • [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    • Before upgrading, please copy the .toml files to another folder.

    • After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.

  • [PX-1875] - Web proxy login does not work if the login page makes requests to multiple domains

  • [PX-1980] - Several audit events are missing username information.

  • [PX-2947] - No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] - PrivX role mapping to AD OU not working as expected.

  • [PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections
  • [PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
  • [PX-3637] - Multipart/form-data logins for web service will fail, if password field name is defined in web service config
  • [PX-3707] - Optional components not displayed in the GUI