Automatic Password Reconciliation for Local Accounts on UNIX and Linux Systems
Out of sync passwords can interrupt IT operations and impact security. This new feature will extend the support of a privileged local administrative account to reconcile passwords of local accounts on UNIX and Linux, without manual administrative intervention. This will guarantee that Centrify is the single source of truth for passwords used to access infrastructure. Systems with managed local accounts enabled for automatic maintenance will have password updates that happen automatically when the stored credentials don't match the local password on the system.
The ability to add thousands of different device types that support the SSH protocol is now supported in the form of SSH Self-Service Resource Profiles. This is the first phase of what will become the Centrify Integration Hub self-service portal for custom device and application plugins. The Centrify Integration Hub with SSH Self Service Resource Profiles will provide the tools necessary to create, test, and validate numerous custom SSH device plugins, called Resource Profiles, in a self-service model. The SSH device profiles will allow for customizations to be made to specific systems and account operations from password management to password reconciliation.
In Phase I of the Centrify Integration Hub, we present the following features for SSH Self-Service Resource Profiles:
Resource Profiles for SSH-enabled devices.
Provides the ability to define custom system profiles leveraging the Expect framework.
Includes support for Credential Verification, Password Rotation, Password Reconciliation, and Proxy Accounts.
Delivers an SSH Test Kit for validating functionality.
New option for cunenroll A new option (-t, --terminate-user-sessions) has been added to cunenroll. Use together with delete so that all of the sessions will be terminated if there are any user sessions logged in from the Centrify Identity Platform.
Mapping of federated users to other federations It is now possible to map federated users to users in other federations, based on the user’s domain. A checkbox is provided in the partner edit dialog to enable mapping to other federations on the authentication tab.
New video in Getting Started Wizard A new video has been added to the Getting Started Wizard to provide an overview of the Discovery feature, called “Discovering Systems and Accounts”
End of Life Notification
This section contains notifications for upcoming termination of apps, features, programmatic access or device support.
The version 1 ServerAgent/VerifyPassword REST API has been removed in this release. The replacement version 2 API is serveragent/verifypasswordv2 (CC-65426).
The following list records issues resolved in this release and behavior changes.
To improve security, emails sent by the cloud service have been changed from “firstname.lastname@example.org” to no “no-reply-[user]@[customercname]”. It is important to note that the “From” address of email no longer matches the underlying “From” (in email headers) and this may trip up some Spam filters. You should whitelist email from @customerCNAME in your Spam filters, where customercname is your system CNAME (customerID.my.centrify.net) (CC-72791).
/uprest/GetUPData once again returns a list of apps the user can launch (i.e. has been granted access to), since the introduction of the new UI it would not return a list of apps (CC-71252).
Login to Linux through cagent has been optimized to remove the timeout hang that some customers were experiencing (CC-73498, CPSSUP-1034).
The error message provided when unable to add a UNIX system to PAS has been improved to provide more information about the failure (CC-66864, CPSSUP-658).
The performance of the UI has been improved when loading set members when there are a large number of sets (CC-73526).
The discovery of local Windows accounts no longer requires the remote registry service to be running on the target system (CC-72703).
Orphaned federated users (i.e. users with an owning federation that no longer exists) can now be deleted and do not cause any search which they are in to fail (CC-73504).
Rotating passwords for SQL Server accounts with the escape character ‘\’ as the special character no longer fail (CC-72184, CPSSUP-959).
It is now possible to disable the connector SSH banner using the “Enable Custom Banner” option. Toggling the option Off will disable the banner (CC-71279, CPSSUP-906).
To reduce confusion when a loading Secrets operation in the UI takes a long time, the UI now indicates that data is loading (CC_70693, CPSSUP-858).
The Connector has been updated to check for computers when validating a user, causing intermittent dzdo MFA issues in some cases (CC-72348).
The Secrets folder browser search now clears the search string when entering a folder from the search results, showing all rows within the folder that you have permission for (CC-71431, CPSSUP-917).
When cunenroll is executed in the context of a machine service account, it was not able to delete the service account as the service account is running the thread that processes the request. They are deleted in this scenario in 20.1 (CC-72388).
As there is no functionality using the Backchannel Agent currently, the Backchannel options have been removed from cinfo and cdiag (CC-72183).
In the cloud agent, user names are no longer case sensitive for Active Directory user names as the user has no knowledge how their UPNs are stored in AD (CC-70698).
Successful enrollment and unenrollment using the cloud agent is now logged to stdout instead of stderr (CC-70967, CPSSUP-878).
The cenroll man page has been updated to remove the –tenant-suffix option as it is not valid (CC-70707).
The Cloud Agent now unenrolls correctly on CoreOS (CC-70660).
Changes for Hot Fix 1.
The Linux agents have been updated – in some circumstances the agent would segfault (CC-73692).
The Windows agent has been updated to 20.1 – in the GA version of the 20.1 release the 19.5 Windows agent was provided (CPSSUP-1114).
Password reconciliation failed on AIX machines (CC-73654).
Changes for Hot Fix 2.
Password reconciliation caused failed login on AIX machines (CC-73654)
Backend worker processes could be unable to connect to storage under some circumstances and lead to multiple notifications being received for the same event or no notifications being received (CC-73752).
Changes for Hot Fix 3.
Fixed a bug with the TRUSTe logo where it was not clickable. Clicking the logo now takes you to the Centrify page at truste.com (CC-72226).
Mobile login would fail if the password field contained any unacceptable characters. The password field is now whitelisted to avoid unnecessary validation (CC-73817, CPSSUP-1135).