WHAT'S NEW

What's New in Centrify Infrastructure Services 2017.2

Starting with this release, Centrify Server Suite™ is part of Centrify Infrastructure Services.

Centrify Infrastructure Services combines comprehensive bridging of Linux and UNIX systems to Active Directory with powerful privilege management, multi-factor authentication and session monitoring across Windows, Linux and UNIX systems (formerly Server Suite). It also provides shared account password management, secure session access with robust platform features like policy enforcement, multi-directory access and access request (formerly Centrify Privilege Service™).

The net result for thousands of customers who have deployed Centrify Infrastructure Services is increased security, improved compliance and comprehensive reporting and auditing.

Centrify Infrastructure Services 2017.2 is a maintenance release, and contains new product features and enhancements to security and functionality.

Product Name Changes

Starting with this release, Centrify Server Suite is renamed and is now a part of Centrify Infrastructure Services. It offers the following services:

  • Centrify Identity Broker Service (identity bridging and consolidation based on Centrify DirectControl™)
  • Centrify Privilege Elevation Service (privilege elevation based on Centrify DirectControl)
  • Centrify Auditing & Monitoring Service (auditing based on Centrify DirectAudit™)

Identity Broker Service and Privilege Elevation Service

Upgrade considerations

If you plan to upgrade from a version prior to Server Suite 2017, you must upgrade all the components relevant to a deployment. A set of major infrastructure improvements to Infrastructure Services now requires product components to run at the same (relative) version level; otherwise, you may experience compatibility issues.

Centrify Agent™ for Windows 3.4.2

New configuration wizard

In this release, the agent configuration wizard provides more intuitive identification of the components that can be deployed: Centrify Identity Platform Services, Centrify Privilege Elevation Service and Centrify Auditing and Monitoring Service.

Multi-factor authentication (MFA) improvements

This release allows the configuration of web proxy and credentials when the system is enforcing MFA when joined to a Centrify zone.

To improve usability, this version adds new Group Policy settings: "Configure multi-factor authentication lock screen grace period" and "Configure multi-factor authentication user privilege elevation grace period" to support a grace period for multi-factor authentication in lock screen and privilege elevation scenarios.

A new diagnostics utility can be used to identify issues with MFA deployments.

Additional enhancements

  • In this version the Agent Control Panel has been redesigned as Centrify Agent Configuration, with two sections: "Centrify Privilege Elevation Service Settings" and "Centrify Identity Services Platform Settings."
  • This version introduces improvements for customers using Citrix XenApp 6.5.

Centrify Agent for Linux 5.4.2

This release features upgrades to open source components (e.g. sudo and libcurl), as well as capabilities to support IBM AIX platforms. There are also enhancements geared towards better flexibility with Kerberos.

64-bit only architecture

  • Starting with this release, only 64-bit platforms are supported.
    • The DirectControl agent provides PAM and NSS libraries to support 32-bit applications. This includes the LDAP and NIS proxies.

Centrify-enhanced sudo (dzdo)

  • Centrify-enhanced sudo (dzdo) is now based on sudo 1.8.20p2.
    • This includes the security fix for CVE-2017-1000367.

Centrify libcurl

  • Centrify libcurl is upgraded based on stock curl 7.54.0.
    • This includes security fixes for CVE-2017-7407 and CVE-2017-7468.

Centrify OpenLDAP proxy

  • A new configuration parameter, ldapproxy.cdctranslate.fetchbydnuid, is added in slapd.conf. This parameter controls if a search query for generic Active Directory user/group objects should be translated automatically into a search query for zone user/group instead. The default is false.

Configuration parameters

centrifydc.conf has been updated with several new parameters and enhancements.

  • New parameters
    • aix.cache.extended.attr.enable

      This parameter specifies whether to enable caching of the default values of AIX extended attributes or not. The default value for this parameter is false.
    • gp.mappers.certgp.pl.additional.cafiles

      This parameter defines a list of certificate(s) to be included in certgp.pl. It can be a list of certificate file(s), e.g. "newcert.der", or a file which contains the list of certificate file(s), e.g. "file:/etc/centrifydc/certfile_included.list", to be included. The default value for this parameter is empty.
    • gp.mappers.certgp.pl.exclude.cacerts

      This parameter defines certificate(s) to be excluded in certgp.pl. It can be one or more fingerprint(s) of certificate(s), e.g. "F3D79384E55767A9681D0104FFF22C8980EAD06E", or a file which contains the list of fingerprint(s) of certificate(s), e.g. "file:/etc/centrifydc/fingerprint_excluded.list", to be excluded. The default value for this parameter is empty.
    • krb5.sso.ignore.k5login

      This parameter specifies whether adclient k5login module should ignore .k5login for SSO. The default value for this parameter is false.
    • krb5.unique.cache.files

      This parameter specifies whether a unique Kerberos ticket cache file is used for each login even from the same user. If this parameter is set to true, each Kerberos authentication will generate a different ticket cache file for a given user. If it is set to false, it may leave the second login instance without credential cache because the only cache file may have been cleaned up by the first logout. The default on Mac OS is set to false; otherwise it is set to true.
    • lam.attributes.group.ignore

      This parameter points to a file which contains a list of AIX group attributes that the LAM module should ignore and let AIX provide the default value or return ENOATTR. The default value for this parameter is "file:/etc/centrifydc/attributes.group.ignore".
    • lam.attributes.user.ignore

      This parameter points to a file which contains a list of AIX user attributes that the LAM module should ignore and let AIX provide the default value or return ENOATTR. The default value for this parameter is "file:/etc/centrifydc/attributes.user.ignore".
    • lrpc2.message.signing

      This parameter defines the LRPC2 message signing behavior. It accepts three values: "disabled" (do not sign LRPC2 messages), "allowed" (sign LRPC2 messages if the peer allows or requires it) and "required" (LRPC2 messages must always be signed). By default, this parameter is set to "disabled".

Centrify management and console enhancements

  • Access Manager now supports more than 1000 members in a local group.
  • Access Manager and the ADUC Property Page Extension now support the ability to create a Centrify hierarchical zone without creating the corresponding zone_nis_servers group.

adedit

  • adedit now supports more than 256 characters in the "member" field setting of its "set_local_group_profile_field" function.

Centrify Report Services

  • Report Services can now monitor zones in other domains.
  • A synchronization schedule more frequent than once a day is supported. The interval can now be set as short as every hour.
  • Multiple users per "member:" entry in a local group profile are now supported.
  • You can now secure the Report Services underlying Windows service using a domain Managed Service Account (MSA).

Access Module for PowerShell

  • A new parameter, NoNisServersGroup, is added to the command, New-CdmZone, to allow the user to create a hierarchical zone without generating the corresponding zone_nis_servers group.

Centrify-enhanced PuTTY 5.4.2

  • In this release, Centrify-enhanced PuTTY is based on PuTTY 0.69.
    • This includes security fixes for CVE-2016-6167 and CVE-2017-6542.
  • Centrify-enhanced PuTTY is now a 64-bit program.

Deployment Manager 5.4.2

  • Centrify PuTTY 5.4.2 bundled in Centrify Deployment Manager is upgraded based on stock PuTTY 0.69.

Centrify Agent, Centrify Identity Service, Mac OS Edition for Server Suite (High Sierra)

Auditing and Monitoring Service

Auditing and Session Monitoring 3.4.1

Prerequisites for upgrading your Infrastructure Services deployment

Customers who use Identity Broker Service and Privilege Elevation Service for identity consolidation and privilege elevation on Linux and UNIX along with Auditing and Session Monitoring should always install and run the same relative versions of these components (i.e. DirectControl and DirectAudit).

The minimum version of DirectControl required by this version of Auditing and Session Monitoring is 5.4.0 (Server Suite 2017).

Enhancements

  • In this release, organizations can use AWS RDS SQL Server databases for Audit Stores; the management database still must be hosted on an internal SQL Server instance.
  • The Centrify Module for PowerShell now supports two optional arguments/parameters for database rotation that allow specifying whether the target SQL Server is an Amazon RDS instance or not and whether to enable "Data Integrity Checking" feature on the new Audit Store database or not.

UNIX and Linux Agent

  • Starting with this release, only 64-bit platforms are supported. Some agent packages still provide 32-bit PAM and NSS libraries to work with 32-bit programs.
  • A new parameter dash.cmd.audit.show.actual.user allows for the original user that invoked Centrify-enhanced sudo (dzdo) to be displayed instead of the “run as” user (e.g. root). The default parameter value is false.

Supported Platforms

Support is added for the following operating system platforms in this release:

  • Amazon Linux AMI - latest version (x86_64)
  • Debian 8.8, 8.9, 9.0, 9.1 (x86_64)
  • Fedora 26 (x86_64)
  • RHEL 7.4 (x86_64, PPC64, PPC64LE)

To see all platforms in the Centrify Server Suites within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page.

Termination of Support

Support is removed for the following operating system platforms in this release:

  • All 32-bit Linux
  • All Linux Mint and Linux Mint Debian Edition (LMDE)
  • All OpenSUSE
  • All RHEL on Itanium architecture
  • All Scientific Linux
  • All SUSE on Itanium architecture
  • AIX 6.1
  • CentOS 5.x
  • Fedora 22, 23, 24
  • Mac 10.10
  • OpenSUSE 13.2, 42.1
  • Oracle Linux 5.x
  • Red Hat 4.x
  • Ubuntu 12.04 LTS, 16.10
  • VMware vMA 4.0, 4.1

This is the last release of Centrify Server Suite in which the following operating system platforms will be supported:

  • Fedora 25
  • SUSE 11 SP1 or below
  • Ubuntu 17.04

The next release will be the last release in which the following Domain Functional Level (DFL) and Forest Functional Level (FFL) will be supported:

  • Windows 2003

Security Advisories

Centrify has established product security policies documented in the web page, www.centrify.com/product-policy. You may also find the details of all the published security advisories there.

Security Fixes

In this release, additional enhancements to the local inter-process communication within Centrify *NIX components have been implemented.

Centrify Server Suite Standard Edition

Upgrading Server Suite components

If you plan to upgrade to Server Suite 2017.1 from a version prior to Server Suite 2017, you must upgrade all the components relevant to a deployment. A set of major infrastructure improvements to Server Suite now requires product components to run at the same (relative) version level; otherwise, you may experience compatibility issues.

Centrify Agent™ for Windows 3.4.1

Support for Windows Server 2016 and Windows 10

This release of the agent fully supports Microsoft Windows 10 and Microsoft Windows Server 2016.

New privilege management for network settings

Granular privilege management is extended to network configuration settings in this release. The new Network Manager feature enables users with the proper rights to view the list of Ethernet and wireless adapters, perform basic administrative tasks such as renaming or enabling/disabling them, and configure their IP and DNS settings.

Additional enhancements

  • New group policy settings enable Centrify administrators to specify Active Directory domains that should be ignored and not processed by the agent (blacklisted) or domains that should be trusted and processed by the agent (whitelisted). Please refer to the "Specify a list of blacklisted domains" and "Specify a list of whitelisted domains" group policy settings under "Common Settings" for details.
  • New group policy settings configure the timeout value for multi-factor authentication (MFA) requests, and can instruct the agent to skip client certificate authentication for MFA; for example, when certificate authentication is disabled/blocked by enterprise policies or proxy settings. Please refer to "Specify the connection timeout for multi-factor authentication requests" and "Skip client certificate authentication" group policy settings under “Windows Settings\MFA Settings” for details.
  • The Privileged Desktop Centrify Start Menu will now display the shutdown/restart button even on Remote desktops when a user has shutdown privileges.
  • A new feature in the agent control panel allows a user to set credentials for Web Proxy authentication.
  • In Windows Services, the DirectAuthorize Agent service is now configured to depend on the Centrify Agent Logger service.

Centrify Agent for Linux – Centrify DirectControl™ 5.4.1

Note: These enhancements apply to all supported UNIX and Linux platform agents.

Enhancements

  • By default, the multi-factor authentication (MFA) feature now verifies the Centrify Identity Platform server certificate as required by the HTTPS protocol. The root CA bundle may not be present on some UNIX operating systems, or may not contain an unexpired certificate for the certificate issuer. If you encounter SSL errors in MFA operations, you should update the root certificate authorities (CA) bundle on your *NIX agents. Optionally, you can disable HTTPS server validation by setting the new parameter adclient.cloud.skip.cert.verification to true. You can also specify an alternate root certificate authorities (CA) bundle using the adclient.cloud.cert.store parameter.
  • For users who require infinite credential renewal (as specified in krb5.cache.infinite.renewal.batch.users and krb5.cache.infinite.renewal.batch.groups), if the user's keytab /var/centrifydc/renewal/keytab_<uid> is available, the agent will do the initial Kerberos cache acquisition in addition to renewal.

Centrify OpenSSL

  • Centrify OpenSSL 5.4.1 is upgraded based on stock OpenSSL 1.0.2k.
    • This includes security fixes for CVE-2017-3731, CVE-2017-3732 and CVE-2016-7055.

Centrify OpenSSH

  • Centrify OpenSSH 5.4.1 is upgraded based on stock OpenSSH 7.4p1.
    • This includes security fixes for CVE-2016-10009, CVE-2016-10010, CVE-2016-10011 and CVE-2016-10012.
    • This release removes server support for the SSH v.1 protocol.

Centrify libcurl

  • Centrify libcurl is upgraded based on stock curl 7.53.1.
    • This includes security fixes for CVE-2017-2629, CVE-2016-9594, CVE-2016-9586, CVE-2016-9952 and CVE-2016-9953.

Configuration parameters

centrifydc.conf has been updated with a number of new parameters and enhancements.

  • New parameters
    • adclient.cloud.cert.store

      This parameter specifies the root CA bundle that adclient uses to verify the server certificate presented by Centrify Identity Platform. When it is not set, adclient uses the root CA bundle that openssl uses. When it is set, adclient uses the specified CA bundle instead. Please ensure the file is valid and the store is updated with the required certificates. The default is not set. This parameter is effective only when the parameter adclient.cloud.skip.cert.verification is set to false.
    • adclient.cloud.skip.cert.verification

      Centrify MFA support in DirectControl requires the use of the HTTPS protocol to communicate with Centrify Identity Platform. Starting in Suite 2017.1, the *NIX agent verifies the certificate presented by Centrify Identity Platform as a security feature specified in the HTTPS protocol. This parameter specifies whether to bypass this validation step. The default is false (i.e., the server certificate is always verified).
    • krb5.conf.k5login.directory

      This parameter specifies an alternative location for a user’s .k5login files. It has no default setting. If it is not set, the user’s .k5login file will be set as {%home_dir}/.k5login. For example, if it is set to <k5login_directory>, the user’s .k5login file will be set as <k5login_directory>/<user’s unixname>.
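As an added example (not Centrify's code), the following Python audits a centrifydc.conf fragment for the parameters introduced in this section and in the 2017.2 "Configuration parameters" section above: it flags settings that lower protection (certificate verification skipped, LRPC2 message signing not required) and values outside their documented sets. It assumes the file uses "name: value" lines with "#" comments and that an inline fingerprint list is separated by commas or whitespace; the sample fragment is constructed.

```python
import re

# Constructed centrifydc.conf fragment (assumed 'name: value' syntax); values chosen to trigger findings.
SAMPLE_CONF = """\
# not taken from a real host
adclient.cloud.skip.cert.verification: true
adclient.cloud.cert.store: /etc/centrifydc/corp-ca-bundle.pem
lrpc2.message.signing: allowed
gp.mappers.certgp.pl.exclude.cacerts: F3D79384E55767A9681D0104FFF22C8980EAD06E not-a-fingerprint
krb5.unique.cache.files: maybe
"""

# true/false parameters from the release notes with their documented defaults
BOOLEAN_PARAMS = {
    "adclient.cloud.skip.cert.verification": "false",
    "aix.cache.extended.attr.enable": "false",
    "krb5.sso.ignore.k5login": "false",
    "krb5.unique.cache.files": "true",  # documented default is false on Mac OS
}
SIGNING_MODES = ("disabled", "allowed", "required")  # lrpc2.message.signing values
SHA1_HEX = re.compile(r"^[0-9A-Fa-f]{40}$")  # SHA-1 fingerprint, as in the page's example

def parse_conf(text):
    """Map 'name: value' lines to a dict, skipping blanks and '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit(params):
    """Return (severity, parameter, message) tuples: 'invalid' for a value outside
    the documented set, 'weak' for a value below the strongest documented setting."""
    findings = []
    for name, default in BOOLEAN_PARAMS.items():
        value = params.get(name, default)
        if value not in ("true", "false"):
            findings.append(("invalid", name, f"expected true/false, got {value!r}"))
    if params.get("adclient.cloud.skip.cert.verification") == "true":
        findings.append(("weak", "adclient.cloud.skip.cert.verification",
                         "Centrify Identity Platform server certificate is not verified"))
        if "adclient.cloud.cert.store" in params:  # the page says the store is ignored in this case
            findings.append(("info", "adclient.cloud.cert.store",
                             "ignored while skip.cert.verification is true"))
    signing = params.get("lrpc2.message.signing", "disabled")
    if signing not in SIGNING_MODES:
        findings.append(("invalid", "lrpc2.message.signing", f"unknown mode {signing!r}"))
    elif signing != "required":
        findings.append(("weak", "lrpc2.message.signing",
                         f"mode is {signing!r}; only 'required' guarantees LRPC2 signing"))
    excl = params.get("gp.mappers.certgp.pl.exclude.cacerts", "")
    if excl and not excl.startswith("file:"):  # inline list; the separator is an assumption
        for fp in re.split(r"[,\s]+", excl):
            if not SHA1_HEX.match(fp):
                findings.append(("invalid", "gp.mappers.certgp.pl.exclude.cacerts",
                                 f"{fp!r} is not a 40-hex-digit fingerprint"))
    return findings

if __name__ == "__main__":
    for severity, name, message in audit(parse_conf(SAMPLE_CONF)):
        print(f"{severity:7} {name}: {message}")
```

Running it with an empty dictionary shows that the documented defaults alone produce one finding, the "disabled" default of lrpc2.message.signing.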

Centrify DirectManage™ and console enhancements

  • Role assignment supports a description field in hierarchical zones, and the corresponding support is now added to Access Manager and Report Services in this release.
  • DirectControl now allows customers to store their own information as custom attributes for role, role assignment and computer role definition. This capability has been added in Access Manager, Report Services, Access Module for PowerShell, the DirectControl SDK and the adedit command module.
    Note: This new feature only applies to hierarchical zones.

adedit

  • adedit now supports a new "customattr" field for role assignments, roles and computer roles in a hierarchical zone.

Centrify Report Services

  • Report Services now supports the description field of a role assignment in a hierarchical zone in various report views.
  • Report Services now supports the newly added custom attribute for role definition, role assignment and computer role in a hierarchical zone in various report views.
  • Additional performance optimization is applied to the Login Summary Report in this release.

Access Module for PowerShell

  • A new property CustomAttributes is added to the cmdlets New-CdmRole, Set-CdmRole, New-CdmRoleAssignment, Set-CdmRoleAssignment, New-CdmComputerRole and Set-CdmComputerRole to allow users to manage this record with their own custom data.

Deployment Manager 5.4.1

  • Allow deployment to some newly supported platforms for Centrify Server Suite. For a list of the supported platforms by this release, refer to the “Supported Platforms” section in the Centrify Suite release notes.

Centrify Agent, Centrify Identity Service, Mac OS Edition for Server Suite 2017.1

  • Please see the release notes file for information on new and enhanced features for the Centrify Agent for Mac.

Centrify Server Suite Enterprise Edition

Auditing and Session Monitoring – Centrify DirectAudit™ 3.4.1

Prerequisites for upgrading your Server Suite deployment

Centrify DirectControl™ is a prerequisite for Centrify DirectAudit on Linux and UNIX. Customers who use Centrify DirectControl for identity consolidation and privilege elevation on Linux and UNIX along with Centrify DirectAudit should always run the same relative versions of these components.

The minimum version of DirectControl required by this version of DirectAudit is 5.4.0 (Suite 2017).

Enhancements

  • File monitoring functionality is enhanced by adding /var/centrify to the default advanced monitoring directory list; file monitoring events are no longer generated when configuration files are modified by the Centrify Agent for Linux daemon.
  • Added an "advanced_monitoring" query to dainfo using the -q option, which can return the following values: "enabled: online" (0), "enabled: offline" (1), "enabled: unknown" (2), "disabled" (3), "not supported" (4) and "unknown" (5).
  • The SELinux context “centrify_log_t” is added to the file centrifyda_client.log so that NSS applications can still write to this log in debug mode.
  • In Windows Services, the DirectAudit Agent service is now configured to depend on Centrify Agent Logger service.

UNIX and Linux Agent

  • The system limit for the number of open files per process may be low (e.g., 1024) on some operating systems. This results in errors in the DirectAudit daemon when there are many concurrent audited sessions. If you see the warning message “The number of open files reached the limitation. Need to increase the limitation, then restart dad to take effect” in the system log, modify the configuration parameter dad.process.fdlimit to increase the number of file descriptors allowed (this value must be less than the system hard limit). In addition, a new group policy entry, 'Set soft limit of open files', under "Computer Configuration" -> "Centrify DirectAudit Settings" -> "UNIX Agent Settings" -> "DirectAudit Daemon Settings" configures this parameter.

Supported Platforms

Support is added for the following operating system platforms in this release:

  • Amazon Linux AMI - latest version (x86_64)
  • CentOS 6.9 (x86_64)
  • Oracle Linux 6.9 (x86_64)
  • RHEL 6.9 (x86_64)
  • Ubuntu 17.04 (x86_64)
  • Windows Server 2016
  • Windows 10

To see all platforms in the Centrify Server Suites within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page.

Termination of Support

Support is removed for the following operating system platforms in this release:

  • Citrix XenServer 6.0, 6.1
  • IBM Virtual I/O Server 1.x
  • Linux Mint Debian Edition 201303, 201403
  • Windows 8

This is the last release of Centrify Server Suite in which the following operating system platforms will be supported:

  • All 32-bit Linux
  • All Linux Mint and Linux Mint Debian Edition (LMDE)
  • All OpenSUSE
  • All RHEL on Itanium architecture
  • All Scientific Linux
  • All SUSE on Itanium architecture
  • AIX 6.1
  • CentOS 5.x
  • Fedora 22, 23, 24
  • Mac 10.10
  • OpenSUSE 13.2, 42.1
  • Oracle Linux 5.x
  • Red Hat 4.x
  • Ubuntu 12.04 LTS, 16.10
  • VMware vMA 4.0, 4.1

Security Advisories

Centrify has established product security policies documented in the web page, www.centrify.com/product-policy. You may also find the details of all the published security advisories there.

Security Fixes

The zip files for all Windows components in this release and all releases in Centrify Download Center will now unpack into clean folders that contain only the software installation package. This is to avoid a potential DLL hijacking vulnerability, which cannot occur if the installation package is launched from a folder in which it is the only file.

Sensitive data is now encrypted in the local inter-process communication within Centrify *NIX components.