Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

Centrify 21.4 Release Notes

18 June,21 at 12:34 AM

Updated June 17, 2021


New Features for the Centrify Vault Suite:
 

Granular Admin Rights

With Vault Suite 21.4, Centrify is introducing more granular Administrative Rights that you can assign to Roles. The new rights are: Add Cloud Providers, Add Domains, and Add Secrets. These new rights allow administrators to grant more specific permissions to groups of users.

User-added image

Additionally, with the PAS Admin User right also assigned, the "Domains" and "Cloud Providers" tabs will now be visible to that user.

Note: in this release, the "Add Secrets" right is only available upon request via an explicit entitlement. If you would like to test this out, please contact Centrify Support to have it enabled for your tenant. For tenants with the "Add Secrets" right enabled, "Privilege Service Users" and "Privilege Service Power Users" will only be able to add new Secrets if they also have the "Add Service" right granted.


 

Custom Attributes for Systems and Accounts Objects


This new feature extends a capability that was previously only available for the "Users" object. You can now add custom attributes to the "Systems" and "Accounts" objects.

User-added image

This new feature gives you more flexible customized reporting. For example, your report query can search for and report on all systems with a custom attribute "pci_systems" set to the value "yes."

Your custom attributes can also be queried and modified via API calls to the Centrify Platform. Thus, for example, external applications or scripts whose logic depends on a specific "System" or "Account" custom attribute value can call a Centrify API to obtain it.

Note: spaces in attribute names are not supported. Replace space with an underscore.


 

Mandatory MFA Setup


Before this release, it was at the users' discretion whether or when to configure MFA second factors in Centrify Vault Suite. Thus, should an MFA policy trigger for a user with no second factors configured, the user would be explicitly denied access. Especially in time-critical situations where the user needs to (for example) check out a vaulted account password or initiate a remote login session to a server, this results in a delay until the user can rectify the situation.

New in this release is the ability to force users to configure MFA second factors. Via policy, you can select which authentication methods are mandatory - to be immediately configured when a user signs in before they are allowed to proceed further. Since these policies can target users based on Sets, you can build policies around sets tailored to different types of users, solving complex cases where all users may not have access to the same authentication mechanisms.

The diagram below is an example of enabling this feature for OATH OTP and Security Questions.

User-added image

Users subject to this policy will see the following screen at their first login to the Centrify Vault Suite, forcing them to configure required authentication mechanisms and allowing them to configure more if they want to. 

Once the mandatory second factors are configured, the user can continue to the Vault Suite landing page. Also, you can configure non-mandatory second factors during this process, or the user is free to do this at any time via their Profile settings.

User-added image

User-added image

User-added image

User-added image

 

Custom SAML Claim Mapping for IDP Federation


Centrify Identity Provider (IDP) Federation profiles now support custom SAML Claim mapping, allowing for larger dynamic group management by using single or multi-valued strings from SAML Claims coming from the IDP.

In the Custom Mappings screen during Partner Management configuration, you can now identify single or multi-valued SAML Claim attribute names and associate a federated Group Name for each expected value.

In the example below, our goal is to dynamically add federated users into appropriate Centrify Groups based on which department they belong to. Thus, we can query the multi-valued SAML Claim attribute "Department" and, based on its value, dynamically add the user to the appropriate Centrify Group "Sales," "Engineering," or "Marketing." According to the configured mappings, users with more than one Attribute Name match in their SAML token will be automatically added to the appropriate Centrify Groups.

User-added image

This new feature can be used in addition to the existing "Group Mappings" feature, which is looking for a multi-valued attribute named Group.

User-added image


 

AWS EC2 Instance Continuous Discovery and Automated Management (GA)


For cloud migration projects, organizations are moving their in-house applications to the Cloud. For many, the path of least resistance is to lift and shift their VMs and apps into their preferred cloud platform. Whether on-premises or in the cloud, administrators will still need to log in for troubleshooting and maintenance. When on-premises, this is trivial; admins can easily log in with their on-premises enterprise identity (e.g., AD or LDAP credentials). In the cloud, however, there's no immediate direct line-of-sight to the on-premises domain controllers without implementing a site-to-site VPN or replicating your directory infrastructure in the cloud. A typical shortcut is to provide the admins with SSH Keys and local accounts to log in to the Linux VMs and the local administrator account password for Windows VMs. Team members working on the same Linux VM will typically share a single privileged local account. 

All this introduces complexity, risk, and operational overhead. There's no accountability when using shared privileged accounts. If compromised, they give the threat actor the keys to the kingdom, so they increase your attack surface and risk. When there is a personnel change in the team, the rotation of SSH keys and the local administrator account password on all the VMs running in the cloud is operationally intensive. The more VMs, the more work involved. Such efforts are often ignored, resulting in back-doors and potential vectors of attack.

Centrify's Cloud Provider capability, introduced in the 20.6 release, helps address these issues. Adding to the management of AWS root/billing accounts and vaulting of AWS IAM users and their associated Access Keys, this release adds:

  • Discovery now supports a new type for "AWS EC2 Instances" alongside the existing "Active Directory" and "Port Scan" discovery types.

  • Continuous Discovery supports the automatic removal of terminated instances and the addition of new instances to the Centrify Platform. 

  • Additional "Actions" for discovered EC2 instances that support automatic:

    • Downloading and installing a Centrify Client (Windows and Linux).

    • Enrolling the system into the Centrify Platform.

    • Downloading and configuring the "Use My Account" certificate to enable single-click log in from the vault UI.

    • Configuring local sudoers policies to grant users elevated privileges on the system.

  • The ability to automatically deploy a Centrify Gateway Connector on an AWS EC2 Windows instance for a specific VPC and subnet.


User-added image

User-added image

User-added image


 

Federated User Support for Native SSH/RDP Through the Centrify Gateway Connector


Before this release, RDP and SSH connections via the Centrify Gateway Connector did not support federated users. In this release, federated users can now launch RDP and SSH connections through the Centrify Gateway Connector.

 

Oracle Database Support


This release adds two new Oracle database capabilities:

  • Encrypted connections from the Centrify Gateway Connector to Oracle databases

    • The Centrify Gateway Connector can now detect the encryption settings in the target Oracle database and use the settings defined.

    • Note: This has been accomplished by updating the ODP.NET libraries on the Centrify Gateway Connector. You will need to update your ODP.NET libraries on the Centrify Gateway Connector host machine. Please refer to this Centrify Knowledge Base article for more details: KB-51964.

  • Vaulting Oracle 18c and 19c database accounts

    • Before this release, Centrify Vault Suite only supported vaulting Oracle 11g and 12c accounts. With the update to ODP.NET libraries mentioned above, this release now supports 18c and 19c databases.
       

 

Mobile Application User Interface Updates, Including Privilege Elevation Workflow Support


The Centrify Mobile Application user interface has been updated to improve usability, navigation, and features.

These improvements include:

  • For emergency break-glass situations, fast access to resources via search (including the search for Sets and recently searched)

  • Access to system details and offline rescue passcode

  • A separate  Alternate Administration (AA) accounts section in the domain drill down

  • Modernized User interface:

    • Improved main navigation tabs at the bottom of the screen

    • Dark mode

    • An updated mobile authenticator that's closely associated with the passcodes feature

    • A simplified Settings list

    • An extensible structure not confined to a single tab list

Also, the Centrify Mobile Application can now receive privilege elevation request notifications from the Centrify Client, making it easier for approvers to quickly review and allow or reject those requests directly from their mobile device without the need to login to the Centrify Vault Suite portal.

User-added image User-added image


 

New Features for the Centrify Cloud Suite:


Alpine Linux Support


The Centrify Client is now supported on Alpine Linux - the Linux distribution based on musl and BusyBox - designed for security, simplicity, and resource efficiency.

User-added image


 

Authentication Priority Order for Domain-Joined Windows Servers


You can now configure the Centrify Client on Windows to support federated directory login even if the Windows server is also domain-joined. This allows users to log in with (for example) their Azure AD or Okta Directory federated account as the primary authentication method.

Centrify administrators will be able to configure a list of domain suffixes that the Centrify Client will use to determine whether or not to send an authentication request to the Centrify Vault Suite. If a domain suffix is not on this list, Centrify Vault Suite will not attempt authentication. Instead, it will pass to Active Directory. 


 

Auto-Update for the Centrify Client


With this new feature, instead of manually downloading and installing Centrify Client updates on enrolled systems, you can now configure the Centrify Client to auto-update to ensure it is always at the latest version.

Auto-update is configured by policy on a per-system basis or for a set of systems.

Centrify Client will auto-update according to the following conditions:

  • If the Centrify Client is on a Long-Term Support (LTS) version, the Centrify Client will update to the latest LTS client (with any bug/vulnerability fixes)

  • If the Centrify Client is on a non-LTS version, then the Centrify Client will update to the most recent version of the software


The Centrify Client auto-update process will leverage the Centrify Platform job system. Upon completing an update, the job system will email an update report summarizing success or failure with other relevant details.

As part of auto-update, the Centrify Client system activities will be updated.


 

Other Features

Notice of discontinuation

  • With the 21.5 release we are planning to drop browser extension support for Microsoft Internet Explorer version 11, due to Microsoft end-of-life-ing the product and to improve the security posture of the cloud service.

  • In the 21.5 release support for TLS 1.1 will be fully deprecated from Centrify cloud products, including mobile apps. Only TLS 1.2 and above will be allowed. Note: previously this was communicated for release 21.3; the timeline has been pushed back to allow customers additional time to prepare for this change.


Known Issues

  •  Default policy is not being created for newly provisioned child tenants in a MSP tenant. Workaround is to manually create default profile. (CC-78647).

  

Changes in hot fix 2

  • This hot fix resolves an issue with double-byte characters for customers on Azure pods, that could cause notifications to fail and result in the error, "Arithmetic operation resulted in an overflow" (CC-78673).


Changes in hot fix 1

  • Resolved an issue that could cause intermittent error while doing OTP authorization (CC-78614).


Changes

The following list records issues resolved in this release and behavior changes.
 

  • Scram-sha-256 must now be used for passwords instead of md5 with PostgreSQL on HSPAS. The method to upgrade an existing PostgreSQL installation is documented here: https://www.postgresql.org/docs/11/auth-password.html# (CC-77843).

  • Starting with this release there is no support for Android 4.4 in the Centrify Android app. Users with Android 4.4 devices may continue to use the release 21.3 Android app, however functionality introduced after 21.3 may not work as expected (CC-77738).

  • A new connector registry setting has been added to allow choice of audit data compression mode. Choices are Default, Uncompressed or QuickLZ150 to best match the environment (CC-78219).

  • Resolved an issue whereby in some situations discovery jobs were running twice (CC-78187).

  • Federated users can now login to a Unix or Windows machine using native SSH/RDP support (CC-73794).

  •  It is now possible to customize UNIX / Linux script timeout values on a per system basis. Previously it was only possible to set the timeout value for all systems (CC-78220).

  • System discovery now works when the time zone is set to Singapore (CC-78174).

  • Resolved an issue with port scan discovery whereby it would fail to add servers when using Import systems detected without known credentials (CC-78276).

  • -RedisTrustServerSSL is now supported in the Centrify-Pas-ModifyInstallation.ps1 script in HSPAS (CC-78175).

  • Resolved an issue whereby cagent would fail to start after a reboot on Linux machines (CC-78132).

  • It is now possible to store multiple key-value pairs in a single KeyValue-type secret. All the key-value pairs are accessed / managed as a single object so, for example,  permissions are set on the individual parent secret, not on individual key-value pairs and individual key-value pairs will not be found through search (CC-78133).

  • WebRDP connections no longer drop after 5 – 7 minutes with Chrome 88 and above (CC-77620).

 

Supported Platforms

Centrify Connector

  • Windows Server 2012r2, Server 2016, Server 2019

Self-hosted Centrify Privileged Access Service

  • Windows Server 2012r2, Server 2016, Server 2019

Hyper-scalable Centrify Privileged Access Service

  • Windows Server 2016, Server 2019

Centrify Clients for Linux

Client for Red Hat 6:

  • Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1

  • CentOS 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 8.0, 8.1, 8.2, 8.3

  • Fedora 30, 31, 32

  • Oracle Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9

  • Amazon Linux AMI 2017.09, 2018.03

  • Amazon Linux 2 2017.09, 2018.03

Client for Red Hat 7 (ARM architecture):

  • 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1

Client for SUSE 12

  • SUSE 12, 15


Client for Debian 9

  • Debian 9

  • Ubuntu 16.04LTS, 18.04LTS, 20.04LTS

Client for Alpine Linux 3

  • Alpine Linux 3.14 x

Centrify Client for Microsoft Windows

  • Windows Server 2012r2, Server 2016, Server 2019

Windows PAS Remote Access Kit

  • Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify app for Android

  • Android 5 (API level 21) and later

Centrify app for iOS

  • iOS 12 and above


(Tested systems and devices for Privileged Access Service are listed in the documentation)