PAM360 Release Notes

New Feature

Intending to provide uninterrupted access to passwords, we have introduced another functionality - the Read-Only (RO) server for the PostgreSQL database. Unlike the concept of High Availability, where there will be one Primary server and one Secondary server, the Read-Only server can be configured in multiple. The Read-Only servers function as mirror servers, synchronizing all of the Primary server's operations. In the event of the Primary server failure, administrators can convert any Read-Only server into the Primary server and reconfigure all other Read-Only servers to point to the new Primary server. Read-Only Servers can be configured from 'Admin >> Configurations >> Read-Only Server.'

New Feature

PAM360 Remote Connect - a Native Desktop Client for Remote Access
Introducing PAM360 Remote Connect—an independent desktop client for Windows, designed to facilitate direct remote access to Windows and SSH-based target resources without the need for multiple remote clients or web browsers. PAM360 Remote Connect harnesses the ability of Windows' native Remote Desktop client and the SSH Putty client to launch RDP and SSH-based connections from a centralized console. The lightweight desktop client directly leverages the PAM360 web application's privilege access governance to regulate remote access to the critical assets in your environment. It offers enhanced ease of use and a superior user experience with its faster and smoother RDP and SSH-based remote connections. Besides, it has auditing capabilities—the session audit trails are recorded in PAM360's web application. PAM360 Remote Connect is compatible with PAM360 build 5600 and above. To learn more and to download PAM360 Remote Connect, click here.

Bug Fixes

• From build 5500 onwards, administrators were unable to delete a user profile if the user had created any type of resource discovery task. Also, if the user owned a discovery schedule, administrators were unable to transfer the schedule ownership to another user from 'Discovery >> Schedule.'
• We identified several SQL injection vulnerabilities in the Search and Resource Group export operations that were caused by improper user input validation. These issues have been fixed.

New Feature

PAM360 now supports creating schedules for automatically discovering new privileged accounts during Linux, Network Devices, and VMware discovery.

Enhancements

• Earlier, users could configure SAML only for the Primary server. From now on, the users can configure SAML for the Secondary server also and access it when the Primary server is down/unavailable.
• The Dropbox SDK has been updated from 3.0.3 to 5.0.0. And, a short-lived access token will be utilized from now on.
• We have enhanced our security checks against Path Traversal, Local File Inclusion, Stored XSS, Reflected XSS, and DOM XSS vulnerabilities.
• PAM360 now communicates with agents using TLS 1.2 protocol, in addition to TLS 1.1 protocol.

New Query Reports:

• The new query report 'Personal Passwords Encryption' shows the encryption type of personal passwords and lets admins and admin privileged users know the encryption type (PAM360 key, Own key with storage, Own key without storage) used by different users.
• The new query report 'All Admin Users', in addition to the administrator user details, holds the details of custom user roles with administrator privileges.

Bug Fix

From build 5400, administrators were unable to import users through AD. The issue has been fixed.

Enhancements

• To validate the authenticity of the upgrade pack downloaded from our website, we have implemented a patch integrity verification, which will henceforth require importing an SSL certificate (available as a downloadable file) whenever the product is upgraded using the PPM file. It is only a one-time operation.
• From now on, PAM360 administrators can add filtered domain or service accounts into Windows Domain resources using the Windows Domain agent. Account filtering is achieved through regex patterns. For example, if you have a few service accounts in the AD with the name "sqlservice," the regex pattern of this account can be provided in the format: '*^sqlservice.' This operation will filter and import only the accounts with the name "sqlservice" into PAM360.
• Henceforth, if an administrator restricts the users from setting up the encryption passphrase for their personal passwords (under 'Admin >> General Settings'), the users can set up an 'encryption key' for their personal passwords from the 'Personal' tab. They are also free to choose between whether to store or not store the encryption key or use PAM360's encryption key.
• It is now possible to move the RESTAPI users to the client, wherein the RestAPI users can manage resources and accounts in all client organizations with complete access. Please note that this feature is applicable only for the MSP edition.
• The six system-created audit schedules - 'Resource Audit Purge Schedule', 'Resource Audit Digest Schedule', 'UserAudit Purge Schedule', 'UserAudit Digest Schedule', 'TaskAudit Purge Schedule', and 'TaskAudit Digest Schedule' have been merged into a single schedule - 'Audit Purge and Digest' Schedule.
• The system-created scheduled task 'Audit Update Schedule' has been renamed as 'Dashboard Chart Activity Schedule'. It is available under 'Admin >> Manage >> Scheduled Tasks.'
• Previously, when the 'Purge Audit Records' option was enabled, all the audit records older than the specified number of days were purged. From build 5400 onwards, users can choose to retain or delete audit records based on the operation type.
• From now on, MSP admins will be able to replicate audit operation type settings and audit purge settings across all client organizations.
• This release comes with a new set of RESTAPI functionalities as listed below:
  1. Associate a resource to a resource group.
  2. Dissociate a resource from a resource group.
  3. Fetch resource groups associated with a resource.
  4. Delete a resource group.
  5. Fetch ResourceGroupID.
  6. Reset Two-Factor Authentication.
• The database password for the HA setup, previously stored as plain text in the 'pmp_rr.conf' file, is now stored in an encrypted format.
• From now on, users can choose to disable the display of security-related notifications within the product. This can be done by administrators in the PAM360 interface under 'Admin >> General Settings.'
• While creating a custom report, users can now choose 'Previous Month' as a duration from which PAM360 must collect audit records.
• Earlier, in the Download File API, Resource ID and Account ID were passed as parameters via the URL. From now on, they can be passed in the input data.
• From this version onwards, DISABLEPASSWORDRESET can be added as a parameter in the 'Edit Account' API to disable the password reset option for accounts.
• From PAM360 build 5400 onwards, for additional security during self-service privilege elevation, the added applications/files will be verified using SHA256SUM.
  Also, we have separated the list of applications/files allowed for self-service privilege elevation under 'Admin >> Manage >> Allowed Apps/Scripts'.

Upgrades

• The internal security framework has been upgraded to the latest version to reduce the occurrence of vulnerabilities and improve overall security.
• The bundled PostgreSQL server has been upgraded from version 9.5.21 to 10.18.
• The Apache Tomcat server has been upgraded from version 8.5.32 to 9.0.54.
• The Rubyrep tool used for PostgreSQL replication has been upgraded from version 1.2.0 to 2.0.1.
• The Java platform used by PAM360 has now migrated from Oracle to the OpenJDK platform version 1.8 .0_252.
  In addition to supporting the JTDS JDBC driver to connect to the SQL server, PAM360 now supports the Microsoft JDBC driver, version 8.4.1.
• Apache Log4j has been upgraded to the latest version 2.17.2.

Bug Fixes

• From build 5200, when proxy server configuration was enabled, users using the latest version of Duo TFA experienced a premature authentication time-out during the second-factor authentication. This issue has been fixed.
• Earlier, users were unable to import empty user groups as both main and subgroups from the Active Directory (AD) and add AD sync schedules. This issue has been fixed.
• Earlier, during an active RDP session, when a user tried to drag and move the Ctrl+Alt+Del button within the RDP window, the Ctrl+Alt+Del command was executed. This issue has been fixed.
• Earlier, when file transfer during an RDP session was disabled, the folder drag arrow was visible in the RDP session window. This issue has been fixed now.
• Earlier, when a resource or an account is shared to a user, their username was printed as N/A in the syslog records. From now on, the syslog records will include the username of the user to whom the account or resource has been shared.
• Earlier, Azure AD users were unable to change the interface language when choosing Japanese as the default user language. This issue has been fixed.
• Earlier, users were unable to perform key rotation in the MSSQL database when the database backup path was set to any location other than the default backup location. This issue has been fixed.
• Earlier, a copy of the MSSQL database backup got saved in the default backup location, in addition to the backup file saved in the folder path specified by the user. This issue has been fixed.
• From build 5306, the 'Record SSH/Telnet Sessions' checkbox was not available for the 'Windows Domain' sync type. This issue has been fixed now.
• From build 5306, the 'SSH Port For Auto Logon' option was not visible in the 'Edit Resource' wizard for Network resource types such as Fortigate, VMware Vcenter, and Brocade. This issue has been fixed now.
• From build 5306, when the 'Windows Remote Desktop' option was disabled under 'Auto Logon Helper' for a particular resource type, the 'Record RDP Sessions' checkbox did not appear in the 'Add/Edit Account' wizard even when the 'RDP Console Session' option was enabled for that resource type. This issue has been fixed.

Behavior Change

The API handling code which earlier responded to the V1 API format of ServiceDesk Plus MSP will henceforth respond to their V3 API format.

New Features

• On-Demand Renewal of Certificates
  A 'Renew' option has been newly added under 'Certificates >> Certificates' that allows users to initiate the renewal of Self Signed, Root Signed, Microsoft CA Signed, and Agent-signed certificates, and also the certificates issued by third-party CAs. The renewed certificates will automatically inherit the deployed servers and their credentials.
• Certificate Discovery from UNC Shared Path for Windows, Linux, and Mac OS
  PAM360 now supports SSL certificate discovery from UNC (Universal Naming Convention) shared paths for Windows, Linux, and Mac OS machines. This feature allows users to discover SSL certificates stored in a folder path within a server, accessible by PAM360. After the discovery, PAM360 will consolidate the newly-discovered SSL certificates in its certificate repository. This option is also available during scheduled certificate discovery.
• Certificate Discovery in DMZ Machines using the KMP Agent
  It is now possible to discover the SSL certificates from directories in remote machines that are not directly accessible by PAM360—all through the KMP Agent. This option is also available during scheduled certificate discovery.
• Browser Deployment of Certificates
  From now on, deploying SSL certificates in browsers is possible from PAM360 for the following server types: Windows, Linux, and MacOS.
• SSH Key Association using "Elevate to root user" Option
  The new "Elevate to root user" option allows restricting users from directly accessing root users by disabling the root user login as a security measure. Enabling this option elevates a user login from a non-root user to a root user and associates keys to all other users on the server.
• New REST API
  The new REST API 'Deploy Certificate' has been added.
• SSL Certificate Rediscovery
  PAM360 now allows users to rediscover SSL certificates from the same source using the server details entered during the previous discovery operation.
• Integration with Buypass Go SSL and ZeroSSL
  PAM360 now integrates with Buypass Go SSL and ZeroSSL— two certificate authorities that use the Automatic Certificate Management Environment (ACME) protocol to provide free, secure SSL certificates. Users can now request, acquire, create, deploy, renew, and automate the end-to-end management of SSL/TLS certificates issued by Buypass Go SSL and ZeroSSL, all directly from the PAM360 web interface.
• Integration with ManageEngine Mobile Device Manager (MDM) Plus
  PAM360 now integrates with ManageEngine Mobile Device Manager (MDM) Plus to discover and deploy SSL certificates to and from the mobile devices managed by your MDM server, all using ManageEngine MDM APIs. PAM360 then lets you filter the discovered SSL certificates based on the OS type such as iOS, Android, Windows, Chrome OS, Mac OS, and Apple tvOS. It is also possible to export reports of the MDM certificates managed in the PAM360 repository within a selected period. Additionally, you can schedule periodic generation of MDM certificate reports.
• PAM360 allows you to globally modify the access level of the shared certificates.
• New REST API's, 'Share SSL Certificate to User', 'Share SSL Certificate to User Group', 'Share SSL Certificate Group to User', 'Share SSL Certificate Group to User Group', 'Revoke SSL Certificate from User', 'Revoke SSL Certificate from User Group', 'Revoke SSL Certificate Group from User', 'Revoke SSL Certificate Group from User Group', 'Create SSL Certificate Group', 'Delete SSL Certificate Group', 'Edit SSL Certificate Group', 'Generate an Agent Install Key', have been added.

Enhancements

• MSCA Discovery with KMP Agent using Multiple Templates
  Users can now select up to five certificate templates while performing agent-based certificate discovery of local CA certificates. Before using this enhancement, please ensure the KMP Agent is upgraded to version 5300.
• Search-Enabled Custom Columns
  From build 5300 onwards, PAM360 allows you to search within custom columns for SSL Certificates and SSH keys.
• Multiple Servers List
  Now you can include multiple servers for certificates in SSL certificate expiry notifications.
• GoDaddy Certificates Import
  From now on, users can directly import the existing certificates from their GoDaddy account into the PAM360 repository.
• Local Disassociation of Keys
  It is now possible to dissociate keys locally if remote dissociation fails for users whose access has been discontinued.
• APIs - Serial Number as the Mandatory Field
  Earlier, the Serial Number field, which was optional in the below APIs, has now been made mandatory; To get a certificate, To get certificate keystore, and To delete a certificate.
• Serial Number in the getCertificateDetails Rest API
  In the getCertificateDetails Rest API, Serial Number has been added as an optional field; filling it fetches the details of that particular certificate alone.
• Users can now view all the certificates associated with a particular agent by clicking the 'Host Name' of the agent listed under 'Certificates >> Certificates >> Windows Agents'.
• Now, users can discover certificates issued by a particular Microsoft Certificate Authority just by entering the MSCA name in the text box provided, during discovery. Remember, this additional option will be available for PAM360 installations in Windows server machines only.
• Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a registered base-domain.
• Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional fields followed a fixed format. Now, the customization settings configured for notification emails in 'Admin >> SSH/SSL Config >> Notification Settings' will be applied to the emails sent via email addresses in the additional fields as well.
• PAM360 now supports scheduled SSL discovery and MS Certificate Store Discovery tasks with the KMP agent.
• Previously, the certificates due for expiry in 10 days or less got automatically renewed. Now, users will be able to customize the number of days to auto-renew the certificates before they expire.
• From now on, during CSR signing of SSL certificates using the KMP agent, it is possible to specify the Agent timeout value, in seconds.
• Henceforth, users will be able to select specific Certificates or Certificate Groups while generating the 'SSL Certificates Report' Schedule type (under 'Admin >> SSH/SSL Config >> Schedules >> Add Schedule').
• Users will now be able to add and edit the deployed servers list under 'Certificates >> Certificates >> Multiple Servers (icon)'. Newly added servers will be mapped with the latest certificate version in the certificate repository.
• PAM360 now supports IP range discovery for MS Certificate store discovery ('Certificates >> Discovery >> MS Certificate Store') using the PMP service with the domain Admin account. This allows administrators to discover certificates across networks.
• PAM360 now supports 'Load Balancer' Certificates discovery for Citrix devices. From build 5300 onwards, PAM360 also supports scheduled certificate discovery from Linux-based load balancers such as BIG-IP F5, Nginx, and Citrix.
• Certificates and CSR generation pages have been enhanced with the Random Password generation feature.
• Users can now select up to five certificate templates while performing template-based SSL certificate discovery.
• Users can now bypass proxy server settings while performing SSL certificate discovery. If this option is selected, PAM360 will bypass the proxy server and directly perform online certificate discovery. This option is also available during scheduled certificate discovery.
• Earlier, after certificate renewal, users will have to deploy MSCA/-self-signed certificates manually. Now, it is possible to deploy these certificates automatically if the user credentials are available.
• Users will now be able to choose the 'Certificate type' [CER/DER/P7B/CRT] and 'Keystore type' [JKS/PKCS/PEM/KEY] while deploying certificates to Windows and Linux machines and while exporting certificates.
• Now, it is possible to renew MSCA type Certificates with a new private key if a private key not available already.
• Support for ClouDNS to complete domain control validation while acquiring certificates from public Certificate Authorities.
• Support for AES256-encrypted PKCS12 Keystores while adding certificate Keystores.
• Henceforth, the SSL certificates can be manually mapped with deployed servers list to any server directly from Certificates >> Certificates >> More >> Add Deployed Server'.
• From now on, certificates/CSRs/certificate groups will have an email field to which the SSL expiry email notifications can be sent, where the expiry notification email address can be provided while creating the Certificate and CSR.
• A new option - Deploy to Microsoft certificate store user account, has been added, which facilitates the deployment of the Microsoft Store deployed certificates to the respective user accounts, besides deploying to the computer accounts.
• The SSL Certificate Expiry notification, set up under 'Admin >> SSH/SSL Config >> Notifications Settings >> Expiry', will now include Issuer, FingerPrint, and Serial Number fields in the Certificate Expiry email.
• From build 5300, the 'Certificates Audits' tab will be available under the 'Audits' tab, where, all the certificates audit related to all the users will be displayed. New REST APIs 'Get Password Policies' and 'Get Resource Types' have been added.

Behavior Change

From now on, all certificates with unique serial numbers will be listed under the 'Certificates' tab. However, the existing users can manage their already added certificates from the History section, which has now been moved under the 'Column Chooser'.

Bug Fixes

• The KMP agent got duplicated when re-installed from a different IP address. This issue has been fixed.
• The 'Common name' column sorting issue in the 'Certificate Sign Report' wizard has been fixed.
• The issue in MSCA auto-renewal with the EC key has been fixed.
• Get Templates issues that existed with the non - English languages have been fixed.
• Under 'Admin >> SSL Certificates >> IIS Binding', binding list retrieval failed for bindings with a protocol other than HTTP/HTTPs. This issue has been fixed.
• Earlier during Digicert import, PAM360 failed to import client/personal certificates into PAM360. This issue is now fixed.
• Earlier, the date format had the month as a part of the value, due to which sorting did not work. Now, this issue has been resolved by modifying the date format in the CSV file to be the standard date format.
• Earlier, while discovering certificates using a load balancer, there were problems with commands other than the standard Linux commands. This issue has been fixed.
• Get templates issue has been fixed for CA name-based fetch.
• Previously, the proxy configuration was not supported in GlobalSign integration, due to which users with proxy were unable to use the integration. This issue has been fixed now.
• Earlier, it was possible to add or modify IISBinding only by giving the 'hostname'. This issue has been fixed, and now 'hostname' is not mandatory to create or update IISBinding.
• Earlier, MSCA templates showed the OID instead of the template name. This issue is fixed.
• During SSL discovery, discovery from servers with mutual authentication failed. This issue has been fixed now.
• MSCA discovery, when carried out using an agent without any filter, failed. This issue is fixed now.
• There was an issue in exporting the certificates as password-protected zips when password protection for exports was enabled under 'Privacy Settings'. This issue has been fixed now.
• There was a failure in Linux deployment from the ServiceDesk Plus request. This issue has been fixed now.
• Earlier, when the custom settings option 'View Support Information' was enabled for a custom user role, the users with that role were unable to access the 'Support' option from the profile drop-down. This issue is fixed now.
• Earlier, when a new category was created from the 'Personal' tab with an existing category name, the product did not display an error message. This issue is fixed now.
• Earlier, if the category name seen from the 'Personal' tab contained the special character '&', the category details were not shown in the display area. This issue is fixed now.
• Earlier, when a new resource was created using the 'Create Resource' API, and the 'Resource URL' field was left blank, users could not edit the resource attributes in the PAM360 UI. This issue is fixed.

Security Fixes

• An XSS vulnerability (ZVE-2021-0956) that occurred during Load Balancer discovery has been fixed.
• A SQL injection vulnerability identified in the PostgreSQL password reset functionality is fixed.
• A path traversal vulnerability identified in the role report section is fixed by adding proper validation steps for the download file path of the report.
• Earlier, users could reopen a closed remote SSH session window from the browser history page and reinitiate the remote connection without requesting for the password of the resource again. This issue is fixed.

Enhancements

• Password Reset - From Multiple Wizards
  Users will hereafter be able to reset passwords, both individually and in bulk, from 'Resources >> Password Explorer >> Admin Actions'; Expired Passwords, Conflicting Passwords, and Policy Violations.
• SAML SSO configuration for Client organizations
  The SAML SSO configuration, which was earlier available for MSP organizations alone, is now available for Client organizations as well, thereby allowing client organizations to build their own SAML setups.
• New Authentication mode of Azure AD user import
  Previously, during the 'User Access Token' method of Azure AD user import, the 'Oauth' token could not be fetched when TFA was enabled. As a resolution to this, we have introduced a new Authentication mode of Azure AD user import - 'App-Only Access Token'.
• Enhanced Password Policy
  The existing password policy has been enhanced by introducing new constraints and additional features, such as improved default attributes for Strong and Medium password policies, the introduction of password limit, the addition of new attributes, such as password similarity and sequences, the ability for Admins to add and manage up to 5 dictionaries, Dictionary word check, Obvious Substitution (LEET) word check, Password Strength Meter, Sample Password Generator, New Password Generator, etc. These would be of great help to administrators in setting highly secure password policies.
• Access Control & Domain Account Restrictions
  Earlier, a user with access to a domain account can log into any resource shared with them using the domain account. Henceforth, Domain account restrictions can be implemented for target resources, i.e., Windows domain account users can be granted access to specific resources alone, which they originally want to access, instead of all resources shared with them. Also, please note, from this release, we have blocked the Password Request API for domain accounts alone.
• Portuguese Language Support
  PAM360 is now available in the Portuguese language.
• Duo-TFA SDK Update
  The third-party Two-Factor Authentication software Duo Security is now upgraded from v2 to v4. Once PAM360 is upgraded to build 5200, the Duo Security update will be applied automatically to the existing integration.
• Additional Query Reports
  Two new default query reports for users having access to the browser extension and users who don't have access to the browser extension have been added.
• New Resource Type
  A resource type, Cisco Nexus OS, has been introduced in this release.

Behavior Changes

• The API handling code which earlier responded to the V1 API format of ServiceDesk Plus On- Premises and ServiceDesk Plus Cloud will henceforth respond to their V3 API format.
• The Authentication mechanism of ServiceDesk Plus Cloud has been updated from the older Authtoken based method to OAuth 2.0. Additionally, hereafter, the entries in the ticketing system columns can be validated against the entries in PAM360 to check for any inconsistencies. Earlier, it was possible to check the entries in PAM360 only.

Note: If your current Ticketing System is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete the complete integration data. You will have to reconfigure the ticketing system again. So, make sure you save a backup of the advanced configurations in the form of screenshots for reference.

Bug Fixes

• In build 5000, when the Admin users from the MSP org scheduled reports in the Client org, they received Zero bytes reports. This issue has been fixed now.
• From build 5000, Additional fields were missing from the Bulk edit page of resources. This issue has been fixed now.
• From build 5000, users with the Password Administrator role were unable to perform 'change role' or 'delete user' operation - to change to a Password user or a Password Auditor, even when no resources or accounts were present under 'Transfer Approver privileges. This issue has been fixed now.
• Earlier, in schedules, created for AD groups during resource or user discovery, groups with an ampersand (&) in their names could not be edited. This issue has been fixed.
• In earlier builds, the PAM360 dashboard froze and the server ran out of memory due to the overload of audit data. This issue has been fixed.
• In build 5000, in the 'Account Addition' password field, the character & was displayed as &. This issue has been fixed.
• From build 5000, users could not create the Password reset Listener. This issue has been fixed now.
• Earlier, users faced an issue with the mouse scroll during RDP and VNC remote sessions initiated through Google Chrome version 89. This issue has been fixed.
• Earlier, when password synchronization was enabled for any organization (MSP or a Client ORG), PAM360 executed the task only for the organizations under MSP. This issue has been fixed now.
• Earlier, users were unable to use the operators >= and <= in the LDAP search filter queries during user import from an LDAP domain. This issue has been fixed.
• When the PAM360 and KMP agents were installed in the same machine, the data used for the agents' authentication was stored in the same place in the registry, causing the overwriting of the agents' data, thereby making the agents non-functional. This issue has been fixed.
• The automated scheduled task introduced for dashboard optimization caused the database connections to become unavailable, for some time, for a few users. This issue has been fixed now.
• When Two-Factor Authentication was enabled, the legal banner and the privacy policy banner links in the Login page (enabled from the 'Rebrand' wizard) did not show up/work. We have resolved this issue.
• Earlier, for some users, after configuring Duo TFA, the requests that were supposed to be sent to the PAM360 access URL were directly sent to the PAM360 server. This issue has been fixed now.
• Earlier, the 'Edit User' action did not work for certain users. We have resolved this issue.
• Previously, the password entered in 'Importing users from AD wizard >> specify the user name and password manually' did not get saved due to a password encoding issue. This issue has been fixed.
• Earlier, users were able to export offline passwords even when the export password was disabled using the export URL. This issue has been fixed now.

Security Fixes

• When users configured X-Forward-For in PAM360, there was a possibility to bypass web access restriction by setting the X-Forward-For header manually. This issue has been fixed now.
• A Cross-Site Scripting (XSS) issue found in the edit LDAP server details page has been fixed.
• There existed a vulnerability from version 4.0.0 that permitted the retrieval of masked non-website resource type passwords as clear-text, by capturing the API call of the PAM360 browser extension and replacing the password ID of website account passwords. This vulnerability occurred under any or all of the following circumstances; with the user type roles only, with the password masking option enabled by the Admin under 'General Settings', and only to the shared passwords. This issue reported by Sandeep Saxena (CVE-2021-31857), has been fixed.
• A user enumeration issue has been fixed.
• Users with access to the PAM360 server, running in a machine with a few policies configured, were able to view the IIS web.config passwords as cleartext in the event log.

Enhancements

• We have introduced four new RESTAPIs: Fetch UserGroupID, Configure Remote Password Reset for Linux resources, Share Resource and Share account to User Group.
• Henceforth, remote connections initiated using SSH key-based authentication, and remote authentication using the domain account or using the 'Currently Logged in AD account' option will work with the new SSH terminal.
• Previously, it was possible to initiate remote connections using the Auto Logon Gateway feature to Windows, Windows Domain, Linux, and Cisco resources only. From build 5100 onwards, it is possible to initiate remote connections to all SSH-based resources.
• In earlier builds, the upload file size limit for SSH File Transfer Protocol-based (SFTP) file transfer was 300 MB, which was inadequate. Now, the file size limit has been upgraded to 6 GB.

Bug Fixes

• When Two-Factor Authentication was enabled, the legal banner and the privacy policy banner links (enabled from the 'Rebrand' wizard) in the Login page did not show up/work. This issue has been fixed.
• The SSH terminal page was unresponsive when ALT+Tab keys were used to switch to Windows and return to the Terminal. This issue has been fixed now.
• When a user with Administrator or Connection user privileges tried to initiate an RDP session to a Windows resource, or an account is shared with them at the resource group level, the system threw a password inaccessible error, which has been resolved.
• Shared resources and accounts, with 'Manage' level permission, viewable from the Resources and the old Connections views, were not visible from the new Connections tab. We have fixed this.

New Features

• Connection Settings
  PAM360 now offers advanced configuration settings for remote connections added to the product, which are customizable for SSH, RDP, and VNC connections, thereby improving the overall user experience while initiating connections from PAM360 to the respective remote resources. Some of the advanced settings include changing the SSH terminal type, modifying the desktop composition for RDP connections, changing the encoding type of VNC connections, etc.
• Secure File Transfer
  PAM360 now allows bi-directional file transfer between two systems through the SSH File Transfer Protocol (SFTP). Users can accomplish this by installing the SFTP server in the target remote systems. There is no proposed size limit for file transfer through the secure file transfer mechanism, therefore allowing PAM360 to authenticate the connection and transfer large files without the risk of security breaches. Besides file transfer, PAM360 permits bi-directional upload and download of files between the user's machine and the remote connection they have established, without the need for a remote session. This upload and download mechanism is made possible through the Secure Copy Protocol (SCP).
• Enhanced Connections
  This release comes with a more polished 'Connections' tab that serves as a one-stop platform to view all the added Connections, Favorites, and Connection Groups. The tab holds some useful options, such as a new secure file transfer option, and a new search filter that facilitates the search of resources within the tab using Name, DNS name, or type of OS. All the connections have the following quick access control buttons; Connect, Request, Checkin, Checkout, Remote App, and Upload/Download files.
• Remote App
  PAM360 now allows you to connect to specific applications, already configured as 'Remote Apps', in target systems. Adding Remote Apps to RDP connections increases accessibility and ease of use when connecting to remote machines. Remote Apps are of great utility to IT admins in making the privileged sessions easier to control, as they limit users' access to selected applications.
• Gateway Settings
  From this release, users can customize 'Gateway settings' in PAM360, under 'Admin >> Connections'. Users can edit and control the cipher suites used for SSL communication, set up a different port, choose SSL protocols to be used for securing remote connections initiated from the product, customize HTTP header log settings, etc.
• New SSH Terminal
  From this release, users can avail of a new lag-free SSH Terminal that uses the WebSocket API and is faster and more responsive.
• Landing Server for Windows
  Provision to launch secure, one-click RDP access to remote devices in data centers with complete password management. Administrators can now configure landing servers and their login credentials and associate them with the resources managed by PAM360. They can then launch one-click connections with the remote resources, without worrying about the intermediate hop, thus providing them the same experience as the direct connection.
• Azure MSSQL Support
  PAM360 now supports Azure MSSQL as the backend database. It also allows PostgreSQL to Azure MSSQL instance migration.
• New Certificate Format - PEM
  A new certificate format, Privacy Enhanced Mail (PEM), has been added, in addition to the already available certificate export formats, Keystore and PFX, where the PEM format is used for digital certificates and keys, deployed in web server platforms (e.g., Apache).
• Support for GoDaddy DNS
  PAM360 now supports GoDaddy DNS to complete the domain control validation procedure while acquiring certificates from public Certificate Authorities, along with the already available DNS support types, Azure DNS, Cloudflare DNS, Amazon route 53, and RFC2136 Update. Using GoDaddy DNS, users can update the DNS record for GoDaddy domain validation from the PAM360 portal itself.

Enhancements

• Previously, it was possible to configure access control settings at the resource level only, which were applicable for all the accounts under the resource. Now, it is possible to set password access control independently for each account under a resource, without affecting the access control configurations of other accounts in the resource. This ability to set unique configurations for each account helps users maintain unparalleled security levels for each account, based on requirements. Remember, the account-level access control configuration takes higher precedence over the resource-level access control configuration.
• This release comes with an exclusive page for 'Windows Agents', accessible from the SSL tab, from where users will be able to perform all agent-specific operations such as SSL Discovery using agent, deployment of SSL certificates in certificate groups using agent and CSR Signing with MSCA agent.
• Certificate deployment in multiple servers has now been made simpler by using an agent, provided the agent is running in the server to be deployed, and both the agent name and the server DNS name are the same.
• Now, auto-renewal of certificates is possible for the 'MSCA using agent' sign type as well, from 'Settings >> SSL >> Certificate Renewal'.
• The 'Certificate Sign Report' comes with the following MSCA/Third party CA signing details; Certificate Authority, Certificate Template, Sign Type column.
• The 'Certificate Renewal report' comes with the 'Renewed By' column relevant to MSCA and 3rdPartyCA renewal details.
• A new option 'Reissue Certificate' has been added under 'SSL >> GlobalSign' that allows users to request GlobalSign to reissue an SSL certificate.
• The new 'GlobalSign Orders Report' allows the GlobalSign orders to be added as individual reports, which provide a detailed view of certificate orders requested from the GlobalSign CA
• From now on, users can add a "Key Comment' while importing a new SSH key and editing an existing key from the repository. Also, users can avail the checkbox "Update comment in associated users" to update the Key comment to the associated end servers automatically.
• Now, it is possible to add additional properties to a certificate while creating it, by using the 'Advanced Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage properties, and add them to the new certificate. Examples for the Key Usage properties include; Digital Signature, Decipher Only, Encipher Only, and Certificate Sign.
• The DigiCert CA page has been enhanced with a new menu 'Show' that has four options, Expired, Revoked, Rejected, and Others, used to filter the DigiCert CA list view.
• Now, while adding or modifying the Certificate Groups, it is possible to set 'additional fields' also as one of the 'By Criteria' filters for certificates.
• While creating an additional field, users are allowed to choose if it is applicable for SSH/SSL/both. The 'Additional fields' option is now available under 'Settings'.
• New REST APIs 'GET CSR list' and 'Sign CSR' have been added.
• The 'Expiry Notification' has been enhanced with the custom mail content, 'Title' and 'Signature'.
• The 'Certificate Renewal Report' page under the 'Reports' tab now comes with a column chooser.
• Users can now view all the certificates associated with a particular agent by clicking the 'Host Name' of the agent listed under 'SSL >> Windows Agents'.
• Now, users can tailor schedules by adding custom email content and a unique signature.
• Now, users can discover certificates issued by a particular 'Microsoft Certificate Authority' just by entering the MSCA name in the relevant text box during discovery. Remember, this additional option will be available in PAM360 installations running in Windows machines only.
• Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a registered base-domain.
• Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional fields followed a fixed format. Now, the customization settings configured for notification emails in 'Notification' and 'Schedule' tabs will be applied to the emails sent via email addresses in the additional fields as well.

Bug Fixes

• An issue in Download file API has been fixed.
• Server certificate update failed in case of Key Store with multiple alias names. This has been fixed.
• The root and intermediate certificates of PEM format got added as separate entries in the certificates repository. This has been fixed now.
• Agent got duplicated when re-installed from a different IP address. This has been fixed.
• The 'Common name' column sorting issue in the 'Certificate Sign Report' wizard has been fixed.
• The issue in MSCA auto-renewal with the EC key has been fixed.
• Get Templates issues that existed with the non - English languages have been fixed.

Security Fixes

• A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the Resource name while masking password, theme type, skin color, Category name of the Personal tab, web app connections, and user sessions of the Audit tab has been fixed.
• The TLS of the SSL agent in PAM360 has been upgraded to version 1.2 and is configurable in 'Agent.conf '.
• Earlier, during API calls, the Authentication token was passed as a request parameter. Hereafter, each API call made to the application requires the Authentication token to be passed in the request header.
• Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL, which posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to maintain optimal security.
• A local File Intrusion issue that occurred during the MS store discovery has been fixed.

New Features

• Expiry Notifications for SSL Certificates
  PAM360 now enables users to discover, import, and configure expiry notifications for SSL certificates hosted in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM).
• Self-signed Certificates Auto Renewal
  PAM360 now supports automated renewal of self-signed certificates along with Microsoft CA certificate renewal.
• SSL Certificate Deployment and Binding - IIS Server
  From now on, you can both deploy a certificate to the IIS server and also bind it to the desired website in the IIS, all from the PAM360 interface itself, without the need to access the IIS server separately. Also, an option has been provided to automatically restart the IIS server for the deployment and binding to take effect, thereby eliminating the need for the manual restart from the IIS end.
• Additional Fields PAM360 now brings you the 'Additional Fields' feature, configured from 'Admin >> SSH/SSL' that is used to include any additional information about SSH keys and SSL certificates, stored in the repository. There are four different categories to add the additional fields: character, numeric, date and email. Users can choose to add or remove the additional fields from SSH and SSL views.
• Column Chooser
  This version of PAM360 comes with the 'Column Chooser' feature that allows users to show or hide columns at runtime, and also rearrange the columns from the current view via drag-and-drop.
• Pretty Good Privacy (PGP) Keys
  PGP encryption is used to enhance cryptographic privacy and authentication for online communication by encrypting and decrypting texts, emails, files, etc. It uses a combination of data compression, hashing, and public-key cryptography to boost confidentiality. Now, PAM360 brings you this PGP functionality in the form of PGP key generation, where the keys are used to encrypt the data like emails, texts, etc. Create, store and manage PGP keys under 'Admin >> SSH/SSL'. Modify the key description anytime, export private/public keys, export keys to multiple email ids, and generate, view, and schedule reports. You can also send expiry notification emails to admins. This feature allows you to share and collaborate information securely among your trusted groups of users and businesses.
• GlobalSign
  PAM360 now supports integration with GlobalSign SSL—a trusted Certificate Authority and a leading cloud-based PKI solutions provider. This integration enables users to request, acquire, import, deploy, renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued by GlobalSign, directly from the PAM360 web interface.
• Certificate Deployment using Agent
  PAM360 can already deploy and bind certificates to IIS servers belonging to the domain, where PAM360 also resides. Now, PAM360 can also deploy certificates to IIS servers in demilitarized zones and also bind them to websites in IIS, all using an agent. This makes PAM360 more scalable, as it can deploy and bind certificates in IIS servers, irrespective of whether they are in the same or different domain.
• CSR Signing using Agent
  In addition to the already available two sign types, namely, 'MS Certificate Authority' and 'Sign with Root', used to sign certificates from PAM360, a third sign type 'MS Certificate Authority with Agent' has been introduced. This new sign type is mainly used to sign certificates originating from a distinct domain, i.e., other than the domain to which PAM360 belongs.
• Integrating with Ticketing Systems
  PAM360 now integrates with enterprise ticketing systems namely ServiceDesk Plus (on-premise) and ServiceNow. This integration ensures that automatic service requests are created in the ticketing environment to notify administrators of SSL certificates that are at the risk of expiring and certificates that are deemed vulnerable after a vulnerability scan in PAM360. Users can set notification policies to govern the frequency of service request creation for expiring and vulnerable tickets.

Enhancements

• PAM360 now provides additional insights on agent activity such as heartbeat interval, latest response time and operation performed.
• For scheduled SSL expiry tasks, users now have the option to choose whether or not, to receive email notifications when no certificates in that particular schedule are nearing expiration.
• PAM360 offers automatic bundling of individual private key (.key) files and certificate files (.cer/.pem) into 'JKS' and 'PKCS' keystore file formats and provides export option for the same.
• Two extra categories have been added to the criteria-based certificate group creation: AWS service and Certificate template.
• Now, it is possible to use the PAM360 service account credentials for authentication while deploying certificates in Windows servers.
• Henceforth, while creating a certificate, users can provide ephemeral access (validity in hours and minutes) to the certificates created, after which the certificate auto-expires. This eliminates the need for compulsory permanent access credentials to access target systems and also explicit access repeal.
• It is now possible to perform SNI-based SSL discovery using the Common Name and IP Address combination.
• The option to filter certificates based on the key length and signature algorithm within specific expiry days has been added to the 'getAllSSLCertificates' Rest API.
• It is now possible to customize notifications and their intervals. Users can now choose not to receive notifications regarding the expired certificates, and send a separate email and customized subject per certificate, from 'Admin >> SSH/SSL >> Notification Settings'. The same actions can be done while creating new schedules under 'SSH/SSL >> Schedules >> Add Schedule', where you have to select the Schedule Type as 'SSL Expiry'.
• Earlier, PAM360 allowed signing and deployment of certificates only from Windows systems. Now, it is possible to perform certificate signing and deployment to Windows systems from Linux installations through agents.
• It is now possible to provide customized subjects in 'Schedules'.
• In RestAPI, the fetch details format is modified is such a way that the "details" attribute holds all the data. The following is the modified API list; GetCertificateDetails, getallsslcertificates, getAllSSLCertsExpiryDate, sslCertSingleDiscovery, sslCertRangeDiscovery, getallsshkeys, GetSSHKey, GetSSHKeysForUser and GetAllAssociatedUsers.

Bug Fixes

• Previously, certificate deployment failed if the field "Store Password" contained a space character while creating certificates from 'Certificates → Create'. This has now been fixed.
• Previously, when performing bulk operations, the "Create and Deploy" action failed when executed on SSH user groups, for RSA and DSA signature algorithms. This has now been fixed.
• Previously, when there was a "space" character present in a certificate group name, attempting to fetch the SSL certificates report pertaining to that group from the Reports tab threw the following error: "Invalid field format". This has now been fixed.
• Previously, even after the certificate private key was imported and attached to a certificate in PAM360' certificate repository, the "Export Keystore/PFX" was still disabled. This has now been fixed.
• During all AD-related operations performed from the PAM360 interface, the 'Connection Mode' got saved as 'No SSL' only, even if the 'SSL' mode was chosen. This issue has been fixed now.
• Earlier, MSCA signing supported 'java keytool' CSR only. Now, from this release, all CSRs will be supported by MSCA signing. During certificate creation, all values entered in the SAN field were all together categorized as 'DNS' only. Now, the values are segregated as 'DNS' and 'IP Address' categories.
• When a set of resources is shared with a user(s) with varying access permissions, and when different access permission is granted for one of those resources, the access permission of all the other resources also got changed. This issue has been fixed now.

Security Fixes

• A SQL injection vulnerability identified in 'Audit Reports' has been fixed.
• A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the user input has been fixed.
• Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL, which posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to maintain optimal security.

New Features

• AWS EC2 Discovery
  This build comes with the option to discover AWS EC2 instances and their associated privileged accounts, in addition to the already available Windows, Linux, VMware and Network device discovery. Discover the AWS EC2 instances by providing the access key and secret key of AWS IAM users. Discover the privileged accounts associated with each AWS EC2 instance by providing the SSH private key (.pem) of the relevant instance at the time of discovery. You can also discover AWS EC2 instances from multiple regions.
• Integration with the Automation Anywhere RPA Tool
  ManageEngine PAM360 integrates with Automation Anywhere, Robotic Process Automation (RPA)-powered platform that automates software processes using bots. PAM360 renders a bot that helps you automatically fetch passwords from the PAM360 secure vault without manual intervention. This bot is capable of working in combination with other bots in Automation Anywhere to create a complete endpoint management workflow.

Enhancement

• Periodic Password Integrity Check
  For resource groups, an option is already available to check if the passwords stored in the PAM360 database are in sync with the passwords in the target devices. Now, a new option 'Periodic Integrity Check' is added that allows you to schedule tasks to run on a specific day/time, or at regular intervals of the specified day(s), or on a specific day of a month. The password integrity check will happen periodically based on the schedule set. Unlike the former option, you can use the new option to check the integrity of the passwords in the desired groups at your convenient schedules.

Bug Fixes

• During RDP sessions, it was not possible to copy texts using the keyboard shortcut 'Ctrl+C'. This was due to a breakage in the content security policy header enabled in PAM360 build 4000. This issue has been fixed.
• From build 4000, while updating LDAP details, LDAP users alone got removed from the user group. This issue is fixed now.
• From build 4000, SSH sessions did not get recorded when the option 'Enable splitting of SSH and Telnet session recordings into multiple files' was enabled under 'General Settings--> Miscellaneous'. This issue occurred in FQDN servers or when the DNS name contained IP address. This issue has been fixed.