Delinea Documentation - Secret Server - 11.1.0

Secret Server: 10.7.000059 Release Notes

December 9, 2019

Note: The system requirements last changed with version 10.7.000000. See that version's release notes for details.

Upgrade Notes

New Features

Data Retention

Secret Server now allows administrators to permanently delete audit records for tables that either contain Personally Identifiable Information (PII) or can grow large in enterprise environments. To configure these settings, admins need to add the permission "Administer Data Retention" to the user's role; the user can then navigate to Admin > Data Retention. Only users with the "Unlimited Administrator" permission can assign this new permission. See the "Data Retention" section in the Secret Server Administration Guide.

Manual Rolling Upgrades

A new "Manual Rolling Upgrade" feature is available when upgrading from Secret Server version 10.7.000059 or above. Using this process, customers running clustered web nodes behind a load balancer can experience little to no downtime during the upgrade, but the process requires manual steps by an admin with Web node and database access. See the Minimizing Upgrade Downtime KBA.

RMQ Failover

Updated Secret Server to support durable exchanges for RabbitMQ (RMQ). This allows clustered site connectors to fail over without impacting Secret Server's processing. Distributed engines will auto-update after the Secret Server upgrade so that they also support durable exchanges through RMQ.

Note: Older Advanced Session Recording Agents (ASRA) can be used with this version of Secret Server, but those ASRAs will not benefit from this change to failover handling. To include failover capability for ASRA, an updated agent must be deployed. See the Secret Server Advanced Session-Recording Agent Installation KBA.

Technical Details: The ExchangeDeclare logic in the MessageQueue client was altered to attempt to create durable exchanges, with logging. A durable exchange is automatically re-created if RabbitMQ restarts for any reason. Non-durable exchanges disappear when RMQ goes down and can only be re-created by some external action. If the new logic detects that creating the durable queue failed, it logs an error and attempts to create a non-durable queue instead.

Note: The presence of legacy non-durable exchanges can prevent the automatic creation of durable exchanges. See RabbitMQ Durable Exchanges.
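As an added illustration of the durable-first declare with non-durable fallback described above (this is not Secret Server's own MessageQueue code), assuming the synchronous RabbitMQ.Client 5.x/6.x .NET API; the exchange name, exchange type and logging delegate are placeholders:

```csharp
using System;
using RabbitMQ.Client;
using RabbitMQ.Client.Exceptions;

public static class ExchangeDeclarer
{
    // Tries to declare the exchange as durable so it survives a broker restart.
    // If the broker rejects the declare (typically reply code 406 PRECONDITION_FAILED,
    // because a legacy non-durable exchange with the same name already exists), the
    // failure is logged and a non-durable exchange is declared instead.
    // Returns true only when the durable declare succeeded.
    public static bool DeclareWithDurableFallback(IConnection connection, string exchangeName, Action<string> log)
    {
        try
        {
            using (IModel channel = connection.CreateModel())
            {
                // exchange, type, durable, autoDelete, arguments
                channel.ExchangeDeclare(exchangeName, ExchangeType.Fanout, true, false, null);
                log($"Declared durable exchange '{exchangeName}'.");
                return true;
            }
        }
        catch (OperationInterruptedException ex)
        {
            // A rejected declare closes the channel, so the fallback must use a fresh one.
            var reason = ex.ShutdownReason;
            log($"Durable declare of '{exchangeName}' failed: {reason?.ReplyCode} {reason?.ReplyText}. Falling back to non-durable.");
        }

        using (IModel channel = connection.CreateModel())
        {
            channel.ExchangeDeclare(exchangeName, ExchangeType.Fanout, false, false, null);
            log($"Declared NON-durable exchange '{exchangeName}'; it will disappear if RabbitMQ restarts.");
            return false;
        }
    }

    // Example wiring; the host name is a placeholder.
    public static void Main()
    {
        var factory = new ConnectionFactory { HostName = "rabbitmq.example.local" };
        using (IConnection connection = factory.CreateConnection())
        {
            bool durable = DeclareWithDurableFallback(connection, "example-exchange", Console.WriteLine);
            Console.WriteLine(durable ? "Failover-safe exchange in place." : "Running on a non-durable exchange; delete the legacy exchange to enable durability.");
        }
    }
}
```

A false return is the condition the note above warns about: the legacy non-durable exchange must be removed before the durable one can be created.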

Time-Based One-Time Passwords (TOTP)

Secret Server can now generate time-based one-time passwords (TOTP) for web secrets, which allows users to implement TOTP on shared secrets. Configuring secrets for TOTP begins at the secret template level. See the Secret Server Administration Guide.

Truncated Log Data

Added the ability to truncate table logs for several types of data that log to the "Status Message" table. These messages can contribute to excessive log data and slow performance. The option to truncate each message type is called "Days to Keep Operational Logs" and is found under the "Advanced" section of the configuration pages listed below. The minimum message retention time is one day and the default is 30 days. The logs include:

Go to the Secret Server Administration Guide and search for "Days to Keep Operational Logs" to see all the locations where this can be configured.

Technical details: A background task was added that scans the status message table every 12 hours and checks the status messages against the configured values for how long they should be retained. These configured values were added to the applicable UI pages.

Web Browser Plugins

The Web browser plugins for Secret Server were rebuilt with a new look and feel and now have additional browser and site support. These new plugins are available for:

These features from the old browser plugins have been improved to allow more flexibility:

Users can now authenticate to Secret Server directly from the Web plugin, including support for 2FA options such as DUO. Logging in via Secret Server is also available for users with single sign-on, SAML, or other multi-factor authentication mechanisms. Web plugins automatically detect manual entry of new credentials in a Web page and offer to save the credentials as a secret. There is also improved support for sites that use multi-page login mechanisms.

See the Web Password Filler section of the Secret Server Administration Guide for more information.

Enhancements

Advanced Session Recording

Added a new setting to exclude keystroke data from advanced session recording metadata. The new setting is called "Default Keystroke Recording Configuration" and can be configured under Admin > Configuration > Session Recording > Configure Advanced Session Recording. Click a collection name to edit individual collection settings or agent settings. By default, advanced session recording keystrokes are enabled. See the Secret Server Administration Guide.

Remote Password Changing upon Regex-Defined Error

Added a new regex setting to automatically retry a remote password change (RPC) with a regenerated password if the original RPC failed due to a specific type of error.

Go to Admin > Remote Password Changing, then click Advanced under the Configure Password Changers section. The new setting is "Attempt Password Change with new password when error contains (regex)". Edit it to provide the regex matching the failure code that will trigger the automatic follow-up RPC. See the Secret Server Administration Guide.

Discovery

Added messaging for when computer or dependency scans do not run due to having no scanners configured for a discovery source.

Distributed Engine Offline Status

Updated the definition of a distributed engine's offline status to be three times the configured heartbeat interval. For instance, if your heartbeat interval is configured at 5 minutes, the engine will report offline if Secret Server and the engine do not successfully communicate within a 15-minute period. Engine online and offline states were also added to subscription actions to allow notifying admins when engine states change. See the Event Subscriptions section in the Secret Server Administration Guide.

New User Interface

Licensing

A second distributed engine is now available, by default, for the local site.

Reports

Secret Template Import and Export

Updated secret template import and export to include the following settings:

The secret template settings that do not transfer include:

See the Can I import or export data between Secret Servers? KBA for more information.

SSH Proxy

See the Session Recording section in the Secret Server Administration Guide.

Verbose Logging

Added Verbose Logging for:

Terminal

Database SQL Indexes

Added new SQL indexes for the following areas:

Unique Field Slug IDs

Added a new "Unique Field Slug" ID column for secret templates to allow users to create secrets with duplicate field names without compromising the ability to target each field name with a unique identifier for API calls. See the Secret Template Field Types section in the Secret Server Administration Guide.

User Variables for Scripting

Added the following user-based script variables to be used in API calls as arguments:

This allows, for example, a specific user running a check-out hook to pass their email, ID, username, or display name as a parameter into the script, so that check-out hooks and related AD functionality in Secret Server can be used through the API. See the "Checkout Hooks" section in the Secret Server Administration Guide.

API and Scripting

API General

Added a setting that allows users with view permission on a secret to retrieve the secret's "autoChangeNextPassword" field through the API. This setting is enabled under Admin > Configuration > Permission Options by setting "Allow View User To Retrieve Auto-Change Next Password" to Yes.

New API Calls

Removed API Calls

Integrations

Performance Improvements

Security

Bug Fixes