SAKA 4.14.0

Release Notes
- SAKA 4.15.1
- SAKA 4.14.0
- SAKA 4.13.0
- SAKA 4.12.0
- SAKA 4.11.0
- Upgrading from SAKA 4.x
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- HSM Battery Replacement
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Internal Repositories Rocky 9.x
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Check Replication
- Replicate Essentials Only
- Disable Replication to Inactive Nodes
- Known Behavior
- Manual Replication For Specific Range of Data
- Back
Appendices
- Adding a Disaster Recovery Backup (DRB) Node to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the DRB Node
  - Step #3 on the EXISTING server
  - Step #4 on the DRB node
  - Post-Installation
  - Back
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Configure Syslog
- Create Software Keystore HSM Credential
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Migration Information
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.3
  - Back
- Modifying the Appliance's IP Address or Hostname
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Replace CMOS Battery
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Using a Custom Trust Store
- Using HAProxy as a Load Balancer
- Using the Key Migration Tool (KMTool)
  - Prerequisites
  - Mechanics
  - Details
  - Back
- Test Appliance Funcationality
  - Using pingsaka script
  - Common Errors
  - Back
- Back

Fixes and Changes in SAKA 4.14.0

#	Explanation
RFE-224	Reduce SAKA build size As the software in the SAKA stack (e.g., JDK, LDAP, etc.) is updated, newer SAKA distributions include packages to ensure the new software is available when an appliance cannot access the internet to download them directly. Over time, the size of the SAKA distribution has increased while older software packages still remain in the build. In an effort to reduce the size of the SAKA build, the following measures have been taken: Unused JDK packages are now excluded by the SAKA build creation tool. Unused OpenLDAP packages are now excluded by SAKA build creation tool. Removed a duplicate set of libraries in the $STRONGAUTH_HOME/lib/ directory. It is now a symbolic link in new SAKA builds (4.14.0+).
RFE-228	Disable and re-enable replication during SAKA upgrade Prior to SAKA version 4.14, StrongKey has asked customers to disable replication before running the upgrade script and re-enable replication when the script finishes. Sometimes customers would forget to re-enable replication, causing issues with missing replication data. Instead of handling this process manually, the upgrade script now automatically disables replication ports during upgrade script execution to prevent replication issues.
RFE-251	Increase Timeout during reboot for MariaDB service There are some cases where the MariaDB service takes longer than usual to start up post-reboot of the appliance. This increased start up time would then cause the service to time out, thus preventing MariaDB from starting. To prevent this, the MariaDB service's timeout has been increased to 900 seconds.
RFE-252	Update upgrade instructions to reflect new systemd unit name for Payara Messaging in SAKA upgrade script has been updated from "Glassfish" to "Payara".
BUG-73	Fix SafeNet (Thales) ProtectServer 3 domain creation failed with FIPS mode enabled There was a problem where the server was not able to wrap/unwrap symmetric keys using the normal Java KeyStore object with FIPS mode enabled on the SafeNet HSM causing the domain creation process to fail. The code has been updated to wrap/unwrap keys using the keystore objects provided by the HSM manufacturer. The server also now assigns a label to the newly-created private key. This label can be used to help migrate one domain at a time.
BUG-109	Fix Payara restart post-Rocky migration Similar to RFE-251, the Payara service would sometimes take longer to start up post-reboot of the appliance. This increased start up time would then cause the service to time out, thus preventing Payara from starting. To prevent this, the Payara service's timeout has been increased to 900 seconds. In addition, an error would occur when the Payara service would start up faster than the MariaDB service. This would cause errors in the log since the SAKA server could not access the local database. The Payara service now starts after waiting for MariaDB service to start.
BUG-117	Fix SAKA bundles not picking up Java options Windows, Mac, and Linux SAKA Tool bundle scripts now include the JDK_JAVA_OPTIONS (introduced in 4.13.0 with the move from JDK 11 to JDK 21) necessary to make requests to the SAKA server. This change has also been added to SAKA versions 4.13.3+.
BUG-118	Fix Cross-Server BDK and TPK token retrieval error during RPB Fixed error that occurs when ReEncrypt Pin Block (RPB) web service is called and the BDK and TPK used for the transaction are originally stored on different SID's. During the RPB web service, the SID is retrieved from the BDK request and the same SID was being used to retrieve the symmetric key to decrypt the TPK. If the TPK was originally encrypted on a different SID, it would not decrypt correctly which would lead to the following error: CRYPTO-ERR-1006: Unsupported cryptographic transform: AES/GCM/NoPadding]] If the TPK for was loaded to the cache prior to this transaction, the server would successfully perform the RPB transaction and so it did not fail 100% of the time.
BUG-120	Fixed out of order null check in getJsonValue in non-standalone SKFS (SAKA) environments Mismatch between common method "getJsonValue" in SAKA-FS and standalone SKFS environments, where a null check was being done too early in SAKA-FS.
BUG-121	Fix SKL-ERR-1000 error message being printed in successful encryption requests Sometimes a benign "SKL-ERR-1000" error was logged as an additional line during the SAKA encryption REST webservice even in successful transaction. This log would have no impact on encryption functionality. Example of error log: SKL-ERR-1000: Caught an exception: [TXID=XXX-1732137068, START=1732137068, FINISH=1732206488, TTE=XXX] This extra log has been removed.

Click here for StrongKey FIDO Server (SKFS) release notes.