New Features for Centrify Privileged Access Service:
Automatically Manage Discovered Accounts (preview):
The Centrify Platform provides discovery services that help automatically populate the Centrify Privileged Access Service with systems and accounts. The 'Manage Discovered Accounts' feature builds on these discovery capabilities by letting users further automate the account on-boarding and management process. Today the Centrify Privileged Access Service offers the following password management services:
- Password rotation - manual, scheduled, and upon account check-in.
- Compliance with specified password profiles.
With this feature, users can automatically subscribe their discovered accounts to these management services to reduce the administrative overhead associated with manually managing the accounts.
UNIX Local Account Password Reconciliation - Phase 2 (preview):
UNIX Local Account Password Reconciliation (Unix LAPR), released earlier this year, extended the support of a privileged administrative account to reconcile local account passwords on UNIX and Linux machines without any manual intervention. Phase 2 introduces the ability to perform password reconciliation using a domain administrative account that has the limited privileges necessary to change the password of local accounts. This helps users stay true to "Just-Enough-Privilege" principles and further secures credential operations throughout your environment. In addition, this phase also provides a built-in report outlining all password reconciliation events for greater visibility and tracking.
Remove Active Directory Dependency for Gateway-Based Auditing:
In its current design, gateway-based auditing, by way of the Centrify Gateway Connectors, depends on Active Directory to discover the Centrify Audit Collectors and then subsequently authenticate via Kerberos and forward the audited data. This feature decouples the Centrify Gateway Connector from Active Directory by establishing a Transport Layer Security (TLS) communications channel to the Centrify Audit Collectors, allowing gateway-based auditing to now support environments without direct connectivity such as DMZs or in a Shared Services VPC/VNet model.
Centrify Gateway Connector Logging Improvements:
Today the Centrify Gateway Connectors are involved in multiple operations, including remote access, password reset, etc. This capability gives users the ability to identify and tag each connector-driven operation with the Centrify Gateway Connector that's performing the action. This feature improves time to resolution by increasing visibility and helping troubleshooters to quickly identify the problem source.
Centrify Browser Extension Custom App Support:
You can now use the Centrify Browser Extension to launch applications without the Centrify Admin Portal and adjust the user experience to your preferences. Two custom Centrify Browser Extension (CBE) applications, “Browser Extension” and “Browser Extension (Advanced)” have been added to the Custom tab of the application catalog. Both these templates can be used to provide single sign-on (SSO) to a Web application that requires a username and password where the login pages are dynamic, use cookies, or when header information needs to be passed. In addition, the Advanced CBE template allows you to enable SSO to a Web application that requires a user-specific URL or differs in functionality based on the browser in use.
PowerShell SDK for the Centrify Platform:
This SDK is a PowerShell module for the Centrify Platform. The module provides wrapper functions for the Centrify Platform API as PowerShell cmdlets that can be used from scripts or from an interactive PowerShell session. The module can be installed on a Windows Server or workstation running PowerShell 5.0 or above. The package and source code are available at https://github.com/centrify/powershell-sdk
Ansible Tower - Auth and Secrets Management Modules:
Centrify is providing customers with a credential plugin, allowing Ansible Tower to retrieve credentials from the Centrify Privileged Access Service when running tasks against systems enrolled to your Centrify Platform Tenant. This plugin will be available as part of the AWX community project and Ansible Tower.
New features for Centrify Clients for Linux and Windows:
Ansible - Centrify Client Management on UNIX/Linux Module:
Centrify provides Ansible roles that can be used in any Ansible playbook to manage the Centrify Cloud Suite or Centrify Server Suite agents. These roles can be run from the Ansible CLI or from Ansible Tower. They are built so that variables can be used to granularly control the deployment, enrollment and feature configuration of the Centrify agents. The Ansible roles are available at https://github.com/centrify/ansible (link available as of December 23, 2020).
Local Account Clean-Up (CClient for Windows) (preview):
The Centrify CClient for Windows creates a local account upon login. Today these accounts are preserved in order to maintain any end-user profile-specific changes. With this new feature, users have a policy-level option that, when set, ensures local accounts are cleaned up upon session termination. This feature, when used in tandem with the Centrify CClient's Local Group Mapping and Login (agentauth workflow), provides Just-in-Time Elevation via an ephemeral account. This lets you minimize your attack surface by eliminating standing privileges and granting short-lived access, as well as elevated privileges on the fly, only when needed.
MFA Grace Period Support:
Improve IT operational efficiency by applying a customizable pass-through duration for multi-factor authentication (MFA) on Linux and Windows servers. Once this setting is configured, an end user will not be re-prompted for MFA credentials at login if he/she has successfully fulfilled MFA within the set duration.
Feature Management:
Today the configuration of the Centrify CClient features is only possible during a re-enrollment operation. With this new feature, an admin can easily manage Centrify CClient features through the client page in the portal (toggle on/off) as well as via CLI tooling (cedit). This capability allows you to centralize Centrify CClient management and reduce local administration.
ARM Support:
The Centrify Client for Linux now supports aarch64 for RHEL 7.4+.
Note: this package can only be retrieved from the official Centrify repository. Please visit the Centrify Downloads Center for instructions on how to access the Centrify repository.
Changes in 20.7-HF1
The following change was made in 20.7-HF1:
- Fixed an issue where the application on webroles intermittently went unresponsive (CC-76904).
Changes & Fixes in 20.7
The following list records issues resolved in this release and behavior changes.
- Changing the host name is now supported in Centrify Hyper-Scale PAS using the Centrify-Pas-ModifyInstallation.ps1 script (CC-75977).
- A script is now provided for Centrify Hyper-Scale PAS in the Management folder to recover lost administrator access (CC-76294).
- A mechanism is now provided for Centrify Hyper-Scale PAS and Self-hosted Privileged Access Service (PAS) to increase timeouts for database commands. Two timeout values are provided, one for normal operation and one when the schema is being upgraded. The two parameters are:
UpgradeSchemaPsqlCommandTimeout (default 600 seconds)
PsqlCommandTimeout (default 180 seconds)
For Self-hosted PAS, to set the timeouts to 700 and 90 seconds respectively, add the values to the settings.json file as follows:
"UpgradeSchemaPsqlCommandTimeout": 700,
"PsqlCommandTimeout": 90
For Centrify Hyper-Scale PAS:
"Database": {
  "UserName": "postgres",
  "Password": "xxxxxxxxxx",
  "ServerHost": "x.x.x.x",
  "ServerPort": "5432",
  "UpgradeSchemaPsqlCommandTimeout": 700,
  "PsqlCommandTimeout": 90
}
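As an added example (not Centrify's code), the following Python helper reads a settings.json in either of the two layouts above, applies the documented defaults (600 and 180 seconds) when a key is absent, and rejects quoted or non-positive values; treating a quoted value such as "90" as an error is an assumption based on the notes showing the timeouts as bare integers. It also masks the database password so the section can be pasted into a ticket without exposing the credential.

```python
import json

# Defaults as stated in the release notes for the two timeout keys.
DEFAULTS = {
    "UpgradeSchemaPsqlCommandTimeout": 600,
    "PsqlCommandTimeout": 180,
}


def effective_db_timeouts(settings_text):
    """Return the effective timeouts (seconds) from a settings.json document.

    Self-hosted PAS keeps the keys at the top level; Hyper-Scale PAS keeps them
    under a "Database" object. Missing keys fall back to the documented defaults.
    Rejecting strings and non-positive numbers is an assumption, not product behaviour.
    """
    doc = json.loads(settings_text)
    if not isinstance(doc, dict):
        raise ValueError("settings.json must be a JSON object")
    section = doc.get("Database", doc)
    if not isinstance(section, dict):
        raise ValueError('"Database" must be a JSON object')
    result = {}
    for key, default in DEFAULTS.items():
        value = section.get(key, default)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{key} must be an unquoted integer number of seconds")
        if value <= 0:
            raise ValueError(f"{key} must be positive, got {value}")
        result[key] = value
    return result


def redacted_database_section(settings_text):
    """Return the Hyper-Scale "Database" object with the password masked."""
    section = dict(json.loads(settings_text).get("Database", {}))
    if "Password" in section:
        section["Password"] = "***"
    return section


# Constructed sample inputs mirroring the two layouts (not real tenant settings).
SELF_HOSTED = '{"UpgradeSchemaPsqlCommandTimeout": 700, "PsqlCommandTimeout": 90}'
HYPER_SCALE = """{"Database": {"UserName": "postgres", "Password": "xxxxxxxxxx",
  "ServerHost": "x.x.x.x", "ServerPort": "5432",
  "UpgradeSchemaPsqlCommandTimeout": 700, "PsqlCommandTimeout": 90}}"""

if __name__ == "__main__":
    print(effective_db_timeouts(SELF_HOSTED))
    print(effective_db_timeouts(HYPER_SCALE))
    print(redacted_database_section(HYPER_SCALE))
```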
- A script, prune_cps_reports.ps1, is provided for Self-hosted PAS to prune provisioning reports over a configurable number of days old (CC-76020).
- The Centrify mobile app for iOS now successfully logs in when the tenant is integrated with Okta (CC-76504).
- SSH key rotation no longer leads to failure to authenticate on CentOS 7 with StrictModes set to Yes (CC-76336).
- The Discovering Systems and Accounts video link has been updated on the Getting Started Wizard completion page (CC-75936).
- Centrify clients for Linux and Windows can now use the RSA MFA option (CC-75944).
Supported Platforms:
Centrify Connector
- Windows Server 2012r2, Server 2016, Server 2019
Self-hosted Centrify Privileged Access Service
- Windows Server 2012r2, Server 2016, Server 2019
Hyper-scalable Centrify Privileged Access Service
- Windows Server 2016, Server 2019
Centrify Clients for Linux
Client for Red Hat 6:
- Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1
- CentOS 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 8.0
- Fedora 30, 31
- Oracle Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9
- Amazon Linux AMI 2017.09, 2018.03
- Amazon Linux 2 2017.09, 2018.03
Client for CoreOS
- Latest stable release 2345.3.0
Client for SUSE 11
Client for SUSE 12
Client for Debian 9
- Debian 9
- Ubuntu 16.04LTS, 18.04LTS, 18.10, 19.04
Centrify Client for Microsoft Windows
- Windows Server 2012r2, Server 2016, Server 2019
Windows PAS Remote Access Kit
- Windows 10, Server 2012r2, Server 2016, Server 2019
Centrify Mobile app for Android
- Android 4.4 (API level 19) and later
Centrify Mobile app for iOS