Password Manager Pro Release Notes

Enhancements

• Besides retrieving passwords from the Read-Only servers, Password Manager Pro now supports launching remote connections to the target resources using RDP, SSH, and VNC protocols. This enhancement allows administrators to monitor, track, and audit remote session activities, also allowing recorded session playback stored in the designated network path.
• From now onwards, the special character '_' can be included when generating passwords, offering greater flexibility in password creation.

Behavioral Change

From build 13100 onwards, the jTDS driver will no longer be supported in Password Manager Pro, and the JDBC driver will act as the default driver for database connections. If you have configured jTDS as the database driver earlier, follow the steps mentioned here.

Upgrades

• Tomcat version has been upgraded from 9.0.78 to 9.0.97.
• PostgreSQL server has been upgraded from version 14.7 to 15.7.
• The JavaScript library - moment.js has been upgraded from version 2.13.0 to 2.18.1.
• Bootstrap framework has been upgraded from version 3.3.2 to 3.4.1.
• The JavaScript library - jQuery UI used in Password Manager Pro has now been updated to version 1.13.0.

Bug Fixes

• From build 13000 onwards, when editing the dynamic resource group, the criteria column displayed the default value 'contains' in the dropdown. This issue has now been fixed.
• An issue that enabled the 'Remote Connection to Machines' privilege upon selecting any 'Password Reset' privileges for a custom role has been fixed.
• Previously, the file transfer feature in RDP sessions was meant to be exclusive to the Password Manager Pro Enterprise edition. However, users with Premium and Standard editions were able to upload files to remote resources by using drag-and-drop actions within the RDP session. This issue has now been resolved.

Security Fix

An issue that allowed the one-time password sent through email for Two-Factor Authentication to remain valid even after its default duration has been found and fixed.

New Features

• Periodic Password Integrity Check

  Password Manager Pro now introduces Periodic Password Integrity Check for resource groups. This feature enables administrators to schedule password integrity checks on a specific day/time, at regular intervals of the specified day(s), or on a particular day of a month. The password integrity check will run periodically based on the schedule configured. Unlike the existing on-demand check for password integrity, this new option enables administrators to automate and customize password verification for a group of resources at convenient schedules.

• Certificates Synchronization Status Check

  From now on, Password Manager Pro allows you to perform regular checks on the synchronization status of SSL certificates deployed to multiple servers directly. Additionally, you can schedule the synchronization check and generate a 'Certificate Sync Status' report based on the results.

• Certificate Tools

  Password Manager Pro now comes with the 'Certificate Tools' feature under 'SSL Certificates' that will allow users to independently perform certificate conversion, SSL/CSR parsing, and vulnerability scanning without adding certificates into the Password Manager Pro repository.

  • CSR and SSL Parser - Upload certificates or their contents directly to the interface and sort the attributes into a readable format.

  • Certificate Format Converter - Convert different certificate formats in a single click (for example, PEM to PKCS7, CER to PEM, PEM to DER, etc).

  • Scan Vulnerabilities - Scan any domain for vulnerabilities by entering the domain name and port directly. Unlike the SSL Vulnerability scan, this tool checks for vulnerabilities in any domain, without adding the certificate to the repository.

  • Create CSR - Create certificate signing requests (CSR) with ease.

  • Create Certificate - Create self-signed certificates and add them to the Password Manager Pro repository.

• Integration with AWS Certificate Manager

  Password Manager Pro now supports integration with AWS Certificate Manager (ACM) - a trusted certificate authority and certificate manager. This integration enables users to request, acquire and deploy certificates from Password Manager Pro to AWS ACM and renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued and managed by ACM directly from the Password Manager Pro web interface.

• Managing MSCA Certificates

  Password Manager Pro users with administrative privilege can now manage the entire lifecycle of the Microsoft Certificate Authority (MSCA) certificates directly from the Password Manager Pro web interface. By leveraging the MSCA feature, administrators can perform the operations including, certificate request, discovery, renewal, export, revoke, and delete.

• Password Manager Pro - Azure Key Vault Integration

  Password Manager Pro now supports integration with Microsoft Azure Key Vault - an SSL certificate management service offered by Microsoft. Through this integration, users can request, renew, and manage the entire lifecycle of SSL/TLS certificates stored in the Azure Key Vault by importing them into the Password Manager Pro repository.

• Integration with Sectigo Certificate Manager

  Password Manager Pro now integrates with Sectigo Certificate Manager - a PKI management platform built to manage SSL/TLS certificates, SSH keys, and other digital identities. The integration facilitates users to request, acquire, import, deploy, and renew certificates issued by Sectigo and automate their end-to-end lifecycle management of SSL/TLS certificates directly from the Password Manager Pro web interface.

• Importing Certificate Details

  Besides adding certificate objects in different formats, Password Manager Pro now allows users to add certificate details into the Password Manager Pro repository manually and manage them along with other certificate objects. This feature is beneficial when a user has the details of an SSL certificate that resides in a demilitarized zone and therefore, cannot be added to Password Manager Pro as an object through discovery. In this case, users can create a CSV file with the specified certificate details and upload them to Password Manager Pro. Furthermore, users can also set up expiry notifications for certificate details.

• Certificate Deployment to Citrix ADC Load Balancer

  Users will now be able to deploy SSL certificates to the Citrix ADC load balancer directly from the Password Manager Pro interface. Users can add and manage multiple Citrix accounts and deploy certificates to them individually.
  

  Notes: If you are already using an SSL agent for SSH/SSL-related operations, it's required to reinstall the agent for these new integrations to work seamlessly.

Enhancements

• From build 13000 onwards, the Password Manager Pro agent will get installed in the 'systemd' software suite for utilizing the parallel processing of agent installation and other agent capabilities.
• From this build onwards, after certificate renewal, the expired certificate's details can be sent via email. Configure the required setting under 'Admin >> SSL Certificates >> Certificate Renewal'.
• Starting from build 13000, Password Manager Pro will display the hosted SSL certificate's CommonName, Serial number, and SyncStatus with the managed servers and include them in the 'Deployed Servers' report.
• Previously, scheduled tasks were performed only during the scheduled time. From build 13000, scheduled tasks can be performed anytime by using the 'Execute Now' button available under the 'Schedules' tab.
• From build 13000, Password Manager Pro allows you to check the SyncStatus using SSL Agent. For this to work, the SSL agent should also be updated to version 13000.
• Earlier, certificates were managed based on their Serial Number. Now, certificates having the same common name and different serial numbers can be grouped by enabling it under 'Manage Certificate History' under 'Admin >> SSL Certificates >> Certificate History'.
• From now on, the old certificate will be listed under 'Certificate History' after the certificate renewal.
• From now on, Password Manager Pro allows you to add additional properties to CSR while signing with root by using the 'Advanced Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage properties and add them to the new certificate. Examples of the Key Usage properties include; Digital Signature, Decipher Only, Encipher Only, and Certificate Sign.
• It is now possible to import PGP keys created using third-party tools in Password Manager Pro.
• Earlier, during certificate deployment using IIS Binding, users could deploy it to a single server or agent only. From now on, users will be able to deploy certificates to multiple servers as well.
• Henceforth, users will be able to export the private key from the Microsoft Certificate store after certificate deployment.
• From now on, besides deploying to the computer account, Password Manager Pro allows you to deploy certificates to the Microsoft certificate store user account using the SSL agent. The latest version of the SSL agent should run in the user account to which the certificates are to be deployed.
• 'Organization' and 'Organization Unit' have been added to the 'Column Chooser' on the 'SSL Certificates Report' page.
• From now onwards, users can choose to exclude automatically renewed certificate(s) from email notifications.
• Users can now bypass proxy server settings while performing Citrix Load Balancer certificate discovery using the 'Use REST API (By default Password Manager Pro uses CLI commands for discovery and fetching certificates)' option available in the UI. Using this option, Password Manager Pro can bypass the proxy server and directly perform online certificate discovery. This option is also available during scheduled certificate discovery.
• Password Manager Pro now provides an option to import issuer certificates into the repository and form a complete certificate chain. Users can store and export the complete certificate package in JKS, PKCS, and PEM formats.
• In addition to server certificates, Password Manager Pro now allows users to import client certificates from DigiCert and manage them in the Password Manager Pro repository.
• Users can now create a scheduled task for AWS certificate discovery.
• Password Manager Pro now comes with an option that mandates users to include 'Server Name Indication' while configuring and updating IIS Binding.
• Users can now rediscover the expired and about-to-expire certificates from the 'Certificate Expiry' widget in the Keys Dashboard.
• Password Manager Pro will allow users to import the keys created using OpenSSL version 3.0 onwards.
• Users can now import WebSphere certificates into the Password Manager Pro repository.
• Password Manager Pro now allows users to group their certificates based on the 'Expiry Notifications Email' while creating a certificate group.
• From now on, under Multiple Servers in SSL Certificates, the users will be able to reassign the Primary server from the list of available servers while attempting to delete the existing Primary server.
• A new RestAPI to 'fetch PGP keys' has been added.
• From now on, while configuring ServiceDesk Plus as the ticketing system under 'Admin >> SSH/SSL Config >> Tickets' in Password Manager Pro, users can retrieve pre-existing templates from ServiceDesk Plus and utilize them to create tickets that will be displayed in ServiceDesk Plus.
• Henceforth, users will be able to associate columns from ServiceNow with the columns from the Certificates tab to add additional information to the tickets.
• Earlier, DigiCert users were able to add only one API key to Password Manager Pro. Henceforward, they can add multiple API keys to Password Manager Pro.
• Two new RestAPIs to 'To get Certificate in different file formats' and 'To Export an SSH Key in a specific Key Type' have been added.
• Password Manager Pro now supports file-based certificate discovery for the Microsoft Certificate Store. This feature allows you to import a text file with a select list of hostnames/IP addresses that are accessible to Password Manager Pro, using which the remote machines are scanned and certificates are discovered. After a successful discovery, Password Manager Pro will consolidate the newly-discovered SSL certificates in its certificate repository. In addition, the scheduled discovery of Microsoft Certificate Store certificates now comes with two new options: discovery using IP range and via a text file.

Behavior Changes

• Users can now maintain the following certificates at a count of five in the Password Manager Pro's centralized SSL repository without affecting the available number of keys in the license:
  • Server certificate used to secure the communication of the Password Manager Pro server
  • Certificates that are internally used in Password Manager Pro
• From build 13000 onwards, schedules in Password Manager Pro will no longer be automatically deleted during license downgrade or expiry. Instead, they will be disabled and automatically re-enabled upon license renewal or upgrade, ensuring continuity of schedules.
• Two-Factor Authentication methods supported by Password Manager Pro are now available for all editions, thus eliminating restrictions based on edition type and providing enhanced flexibility for secure authentication.

Bug Fixes

• Earlier, certificate order creation for GoDaddy's 100 UCC SAN SSL certificates was failing. This issue has now been fixed.
• Previously, while importing SSL certificates from the GoDaddy portal, Password Manager Pro failed to import some of the certificates. This issue has now been fixed.
• In prior versions of Password Manager Pro, when an MSCA certificate was discovered from a different domain, the 'MSCA' type certificate was changed to the type 'Domain', which caused the auto-renewal process to fail. This issue has now been fixed.
• Previously, ServiceDesk Plus (SDP) ticket creation failed due to the API rate limit set by SDP. This issue has now been fixed.
• Earlier, the root certificate-based signing failed if the 'SAN' field contained a wildcard. This issue has now been fixed.
• Previously, while discovering certificates using MSCA, certificate discovery failed if the language of the templates was not English. This issue has now been fixed.
• Previously, Load Balancer discovery failed when the certificates were discovered using the 'Discover certificate list' page. This issue has now been fixed.
• In Linux installations, the certificate discovery failed while discovering certificates from Shared Path using the certificate list. This issue has now been fixed.
• Operator users were unable to view the details of the certificates that were part of a certificate group created using additional fields as the grouping criteria. This issue has now been fixed.
• Administrator users were unable to edit the value of additional fields for certificates that are a part of certificate group created using any criteria. This issue has now been fixed.
• Earlier, the users were unable to edit the wildcard certificate details after navigating to the Certificate Details page. This issue has now been fixed.
• Earlier, when a certificate that was part of a certificate group expired, the expiry notification email was sent to all groups in Password Manager Pro instead of to only the groups to which the certificate belonged. This issue has now been fixed.
• Load Balancer discovery and Shared Path discovery did not work for some users. This issue has now been fixed.
• Bulk certificate sync with ServiceDesk Plus failed for some certificates. This issue has now been fixed.
• Previously, when users tried to add a new SSL certificate with the same common name as another certificate that was already available in Password Manager Pro, the new certificate was not added to the repository. This issue has now been fixed.
• An issue that led the Aruba ATP and ASA Firewall password reset to fail has been found and fixed.
• Previously, the auto logon operation performed using the generated ticket ID failed. This issue has now been fixed.
• For users who migrated from PostgreSQL to MS SQL database, the drop-down filter on the resource audit, user audit, and task audit pages has not functioned as intended. This issue has now been fixed.
• Email notifications configured for the operations in the resource audit configuration page were undelivered to the associated users and user groups. This issue has now been resolved.
• When the LDAP users' last name contains more than 250 characters, a synchronization issue occurs between the LDAP user group and the imported LDAP users. This issue has now been fixed.
• Email notifications configured for password-related operations via the Configure Notifications settings on the resource groups page were undelivered to the associated users. This issue has now been resolved.
• Earlier, in the Japanese version of Password Manager Pro, the placeholders in the Resource Ownership Transfer and Resource Group Ownership Transfer email templates had issues in converting to actual values. This issue has now been fixed.

Security Enhancement

We have enhanced our security checks against Path Traversal, Local File Inclusion, Stored XSS, Reflected XSS, Denial of Service, Usage of Static Variables, and other few vulnerabilities.

Security Fixes

• A stored XSS vulnerability caused by HTML tags in certificate attributes during SSL certificate import, CSR import, and SSL and CSR parse operations has been fixed.
• Path Traversal Vulnerability, Remote Code Execution (RCE), and SSL validation vulnerabilities have been found and fixed.

Upgrade

The PostgreSQL server has been upgraded from version 10.18 to 14.7.

Bug Fixes

• Previously, when the administrator set a requirement for providing a reason when retrieving a password for an account containing special characters, there was a discrepancy with the old password copied from the Password History section. This issue has been fixed.
• Earlier, the remote password reset for the Microsoft Azure accounts failed under the circumstance when the UPN suffix (cyberninja.com) of a user account and the DNS of a resource differed. This issue has now been fixed.
• Previously, in the Auto Approval scenario for access control, the password was not checked-in automatically after the specified time. This issue has been fixed.
• Previously, the ticketing system configurations on the Resource Group level could not be saved. This issue has been fixed.
• Earlier, the edited descriptions in Edit Group Attributes could not be saved when the user group name contains special characters in it. This issue has been fixed.

Security Fixes

• An issue that allowed users with the password auditor privilege to terminate the user sessions has been found and fixed.
• A Cross-Site Scripting (XSS) issue that occurred in the following areas of Password Manager Pro web console has been found and fixed:
  • Lock User dialog box
  • Connections tab
  • Edit Web Account dialog box
  • Edit Accounts dialog box

New Features

• Read-Only Server for PostgreSQL
  Intending to provide uninterrupted access to passwords, we have introduced another functionality - the Read-Only (RO) server for the PostgreSQL database. Unlike a High Availability set up, where there is one Primary and Secondary server each, the RO server can be configured in multiple numbers. The RO servers function as mirror servers, synchronizing all of the Primary server's operations. In the event of the Primary server failure, administrators can convert any RO server into the Primary server and reconfigure all other RO servers to point to the new Primary server. You can configure RO Server from 'Admin >> Configurations >> RO Server.'
• Integration with Entrust nShield Hardware Security Module (HSM)
  Password Manager Pro now offers a new data encryption method—Entrust nShield HSM. Through this integration, users can switch from Password Manager Pro's native encryption method to Entrust nShield's hardware-based data encryption for the privileged identities and the personal passwords stored in Password Manager Pro. Users can secure their data encryption key within the HSM to safeguard it locally in their environment.
• Folders
  We have introduced - Folders in Password Manager Pro, which allows the users to organize the resource accounts stored in Password Manager Pro under various custom folders. The 'Folders' option is available for the Resources and Connections tabs. Administrators can enable or disable the Folders' option from 'Admin >> Settings >> General Settings >> Miscellaneous'. This system of organizing the accounts based on personal preferences will allow users to manage them effortlessly.

Enhancements

• From this build, administrators can reset Multi-Factor Authentication (MFA) and also provide access to other users to reset MFA.
• Password Manager Pro will now display the list of agents mapped to the resources under 'Admin >> PMP Agents >> Manage Agents'. Resource owners can view, associate, disassociate, and delete their respective agents from the 'Manage Agents' page. Also, if an existing resource is deleted accidentally, the administrator can remap an agent to the resource with the same DNS name as the agent.
• Earlier, Password Manager Pro allowed the administrators to execute the scripts post password reset in agentless mode only. Now, the administrators can execute the scripts both with and without the agent before and after the password reset. Also, administrators can use the pre or post-password reset action in agent mode to run the scripts using the agent in the agent-installed resource. The existing password reset listeners will be called the 'Agentless Post Password Reset Listeners.'

Upgrade

The internal security framework has been upgraded to the latest version to reduce the occurrence of vulnerabilities and bolster overall security.

Bug Fixes

• In Linux machines, when users tried to discover accounts using the root user account when direct login access was disabled, the account discovery failed. This issue has been fixed.
• From build 12200 onwards, when users tried to set a custom RDP port while creating a new resource, the value changed back to the default port 3389. This issue has been fixed.
• From build 12100, if the option to execute 'pwdadm' command was enabled for resources of the IBM AIX resource type, then password reset failed for the accounts in the selected resource. This issue has been fixed.
• From build 12200 onwards, during a remote MS SQL session, users were unable to switch the connection to a different database. This issue has been fixed now.
• From build 12200 onwards, users were unable to execute the Insert, Update, and Delete queries during a remote session launched to any SQL database. This issue has been fixed now.
• Earlier, the PMP Windows Domain agent failed to verify the domain account passwords through the password verification feature.
• We have removed the outdated MySQL code present in the HAsetup.sh and HAsetup.bat files.

New Features

• Additional Two-Factor Authentication Support
  In addition to the already available authenticators, the following new Two-Factor Authentication services are available to integrate with Password Manager Pro, for application login:
  1. Zoho OneAuth Authenticator
  2. Oracle Authenticator
• SAML SSO Support for Standard and Premium editions
  We have introduced SAML SSO support for Standard and Premium editions of Password Manager Pro. With this feature, users who have deployed SAML identity providers, such as Okta, Azure Active Directory, and G Suite, can configure SAML SSO with Password Manager Pro and log in to the product via the corresponding identity provider's GUI without providing the Password Manager Pro credentials.

Enhancements

• Password Manager Pro is now available for download and use in the following languages - Russian, Italian, and Dutch.
• Earlier, users could not reset the Personal Passphrases set up by them earlier from the Personal tab. Henceforth, users will be able to reset their Personal Passphrases, but also the action will permanently remove all the passwords stored in the Personal tab.
• This version of Password Manager Pro comes with two new default query reports under the 'Resource Group' and 'User Group' categories:
  1. Static resource groups and their resources
  2. User groups and their users.

Upgrade

We have upgraded a third-party framework used by HTML5-based RDP and SSH gateway features.

Bug Fixes

• From build 12100 onwards, administrators could not delete a user profile if the user had created any type of resource discovery task. Also, if the user owned a discovery schedule, administrators were unable to transfer the schedule ownership to another user from 'Discovery >> Schedule.'This issue has been fixed.
• Users could not view the Private Key Passphrase for the user accounts whose name contained special characters. This issue has been fixed.
• Earlier, from the Resources tab, users could not take remote connections to resources that did not contain any user account using domain credentials. This issue has been fixed.
• From build 12121, administrators could not save the edited email templates if the message contained a hyperlink tag. This issue has been fixed.
• From build 12121, administrators could not save the edited Access Control templates. This issue has been fixed.
• From build 12100, when modifying the domain information in the Active Directory Synchronization schedule, the 'Domain Details' window did not load if a resource name with a special character was chosen. This issue has been fixed.
• While creating an Active Directory Synchronization Schedule, when the Synchronization Interval was set to 0, all the other existing schedules were deleted. This issue has been fixed.
• Earlier, administrators could not integrate Password Manager Pro with Service Desk Plus Cloud due to an internal upgrade. This issue has been fixed.
• In some customer environments, when administrators performed password reset for domain accounts, the passwords got updated in the Active Directory, but the changes did not reflect in the Password Manager Pro database. This issue has been fixed.

New Feature

Password Manager Pro now supports creating schedules for automatically discovering the new privileged accounts during Linux, Network Devices, and VMware discovery.

Enhancements

• Earlier, the users could only configure SAML for the Primary server as the service provider. From now on, the Secondary server can be set up as a separate service provider, allowing users to log in to the Secondary server using SAML when the Primary server is down/unavailable.
• The API handling code is enhanced to support the V3 API format of ServiceDesk Plus MSP.
• Dropbox SDK has been updated from version 3.0.3 to version 5.0.0. From now on, a short-lived access token will be used.
• Administrators can now enable and set up a customizable welcome message once a session commences. In addition, they can enable the session recording status in the session window.
• Earlier, Password Manager Pro did not have any approval process for VNC passwords. Hereafter, Password Manager Pro will allow validations, such as Access Control and Helpdesk for VNC passwords.
  Note: After upgrading to 12100, all VNC resource passwords will be added to an account - "_VNCACCOUNT_" under their respective resources. Users can take VNC connections directly from this account for the respective resources.
• From build 12100, the Password Manager Pro administrators can modify the messages in access control workflow dialog using message templates.
• Earlier, users could auto-logon to resources using the logged-in AD account alone. From now on, auto-logon is possible through the logged-in LDAP and Azure AD user accounts as well.
• MFA Reset Option for Privileged Administrators
  From build 12100, administrators can reset Multi-Factor Authentication (MFA) for the users, and the users will also be able to reset MFA for themselves.
• SAML Single Logout
  Password Manager Pro now supports SAML Single Logout, which automatically terminates all related sessions established using SAML SSO once the user logs out from the PMP UI.
• New REST API
  A new REST API, 'Reset Two-Factor Authentication', has been added. It is of ideal use for REST API users with an admin role or a custom role with admin operation to automatically reset the Two-Factor Authentication configured for the end-users by supplying their username - for example, when a user loses their phone configured with Password Manager Pro MFA.
• In addition to TLS 1.1 protocol, Password Manager Pro now communicates to agents through TLS 1.2 protocol.

Behavior Changes

• Before the upgrade, if the browser 'Autofill' option was enabled, it is possible for the saved passwords from the browser to get auto-populated in the 'VNC Passwords' field. After the 12100 upgrade, all the VNC resource passwords will be added to an account called '_VNCACCOUNT_' under their respective resources.
  Attention: When the users take VNC connections directly from the '_VNCACCOUNT_' of the respective resources, with the browser autofill option, the VNC passwords of the resources may be visible to users along with their shared resources. Therefore, we highly recommend you verify the VNC passwords field in Windows resources before upgrading to this build.
• From now on, users can launch VNC connections through their respective VNC accounts from the Resources tab only.

Bug Fix

From build 11103, when proxy server configuration was enabled in Password Manager Pro, users using the latest version of Duo TFA experienced a premature authentication time-out. This issue has been fixed.

Enhancements

• The internal security framework has been upgraded to the latest version to reduce the occurrence of vulnerabilities and improve overall security.
• The PostgreSQL server has been upgraded from version 9.5.21 to 10.18.
• The Apache Tomcat server has been upgraded from version 8.5.32 to 9.0.54.
• The Rubyrep tool has been upgraded from version 1.2.0 to 2.0.1.
• Password Manager Pro has now migrated to the OpenJDK platform, version 1.8 .0_252.
• In addition to supporting the JTDS JDBC driver to connect to the SQL server, Password Manager Pro now supports Microsoft JDBC driver, version 8.4.1.
• We have implemented a patch integrity verification, which will henceforth require importing an SSL certificate (available as a downloadable file) whenever the product is upgraded using the PPM file. It is only a one-time operation. For the upgrade instructions and PPM download links, click here.
• Password Manager Pro allows users to add accounts via the Windows Domain agent when the account filter is provided using regex patterns.
• Henceforth, if an administrator restricts a user from setting up the encryption passphrase for their personal passwords (under 'General Settings'), the user can set up an 'encryption key' for their personal passwords from the 'Personal' tab. They are also free to choose between whether to store or not store the encryption key or use Password Manager Pro's encryption key.
• It is now possible to move the RESTAPI users to the client, and the supported client organizations with complete access can manage resources and accounts.
• The six system-created audit schedules - 'Resource Audit Purge Schedule', 'Resource Audit Digest Schedule', 'UserAudit Purge Schedule', 'UserAudit Digest Schedule', 'TaskAudit Purge Schedule', and 'TaskAudit Digest Schedule' have been merged into a single schedule - 'Audit Purge and Digest' Schedule.
• The system-created scheduled task 'Audit Update Schedule' has been renamed as 'Dashboard Chart Activity Schedule'. It is available under 'Admin >> Manage >> Scheduled Tasks'.
• Previously, when the 'Purge Audit Records' option was enabled, all the audit records older than the specified number of days were purged. From build 12000 onwards, users can choose to retain or delete audit records based on the operation type.
• From now on, MSP admins will be able to replicate audit operation type settings and audit purge settings across all client organizations.
• New REST APIs
  This release comes with a bunch of new REST APIs for the following operations: Associate a resource to a resource group, Dissociate a resource from a resource group, Fetch resource groups associated with a resource, Delete a resource group, and Fetch ResourceGroupID.

New Features

• Renewal of Certificates
  A 'Renew' option has been newly added under 'Certificates >> Certificates' that allows users to initiate the renewal of Self Signed, Root Signed, Microsoft CA Signed, and Agent-signed certificates, and also the certificates issued by the third-party CAs. Upon renewal, the renewed certificates will automatically inherit the deployed servers and their credentials.
• Discovery from UNC Shared Path for Windows, Linux, and Mac OS
  Password Manager Pro now supports SSL certificate discovery from UNC (Universal Naming Convention) shared paths for Windows, Linux, and Mac OS machines. Use this feature to discover SSL certificates stored in a folder path within a server that is accessible by Password Manager Pro. After the discovery, Password Manager Pro will consolidate the newly-discovered SSL certificates in its certificate repository. This option is available during scheduled certificate discovery as well.
• Certificate Discovery in DMZ Machines using the KMP Agent
  It is now possible to discover the SSL certificates from directories in remote machines that are not directly accessible by Password Manager Pro—all through the KMP Agent. This option is available during scheduled certificate discovery as well.
• Browser Deployment of Certificates
  Users will now be able to deploy SSL certificates in browsers from Password Manager Pro for the following server types: Windows, Linux, and MacOS.
• SSH Key Association using "Elevate to root user" Option
  This release comes with a new "Elevate to root user" option. Now, as a security measure, it is possible to restrict users from directly accessing root users by disabling the root user login. Enabling this option elevates a user login from a non-root user to a root user and associates keys to all other users on the server.
• RestApi
  The new REST API, 'Deploy Certificate', has been added.
• SSL Certificate Rediscovery
  Password Manager Pro now allows you to rediscover SSL certificates from the same source using the server details entered during the previous discovery operation.
• Integration with Buypass Go SSL and ZeroSSL
  Password Manager Pro now integrates with Buypass Go SSL and ZeroSSL—two certificate authorities that use the Automatic Certificate Management Environment (ACME) protocol to provide free, secure SSL certificates. Users can now request, acquire, create, deploy, renew, and automate the end-to-end management of SSL/TLS certificates issued by Buypass Go SSL and ZeroSSL, all directly from the Password Manager Pro web interface.
• Integration with ManageEngine Mobile Device Manager (MDM) Plus
  Password Manager Pro now integrates with ManageEngine Mobile Device Manager (MDM) Plus. This integration uses ManageEngine MDM APIs to discover and deploy SSL certificates to and from the mobile devices managed by your MDM server. Password Manager Pro then lets you filter the discovered SSL certificates based on the OS type such as iOS, Android, Windows, Chrome OS, Mac OS, and Apple tvOS. It is also possible to export reports of the MDM certificates managed in the Password Manager Pro repository within a selected period. Additionally, you can schedule periodic generation of MDM certificate reports.
• Manager Pro allows you to globally modify the access level of the shared certificates.
• New REST API's, 'Share SSL Certificate to User', 'Share SSL Certificate to User Group', 'Share SSL Certificate Group to User', 'Share SSL Certificate Group to User Group', 'Revoke SSL Certificate from User', 'Revoke SSL Certificate from User Group', 'Revoke SSL Certificate Group from User', 'Revoke SSL Certificate Group from User Group', 'Create SSL Certificate Group', 'Delete SSL Certificate Group', 'Edit SSL Certificate Group', 'Generate an Agent Install Key', have been added.

Enhancements

• Users can now view all the certificates associated with a particular agent by clicking the 'Host Name' of the agent listed under Certificates >> Certificates >> Windows Agents'.
• Now, users can discover certificates issued by a particular 'Microsoft Certificate Authority' just by entering the MSCA name in the text box provided, during discovery. Remember, this additional option will be available for Password Manager Pro installations in Windows server machines only.
• Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a registered base-domain.
• Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional fields followed a fixed format. Now, the customization settings configured for notification emails in 'Admin >> SSH/SSL Config >> Notification Settings' will be applied to the emails sent via email addresses in the additional fields as well.
• Password Manager Pro now supports scheduled SSL discovery and MS Certificate Store Discovery tasks with the KMP agent.
• Previously, the certificates due for expiry in 10 days or less got automatically renewed. Now, users will be able to customize the number of days to auto-renew the certificates before they expire.
• From now on, during CSR signing of SSL certificates using the KMP agent, it is possible to specify the Agent timeout value, in seconds.
• Henceforth, users will be able to select specific Certificates or Certificate Groups while generating the 'SSL Certificates Report' Schedule type (under 'Admin >> SSH/SSL Config >> Schedules >> Add Schedule').
• Users will now be able to add and edit the deployed servers list under 'Certificates >> Certificates >> Multiple Servers (icon)'. Newly added servers will be mapped with the latest certificate version in the certificate repository.
• Password Manager Pro now supports IP range discovery for MS Certificate store discovery ('Certificates >> Discovery >> MS Certificate Store') using the PMP service with the domain Admin account. This allows administrators to discover certificates across networks.
• Password Manager Pro now supports 'Load Balancer' Certificates discovery for Citrix devices. From build 11300 onwards, Password Manager Pro also supports scheduled certificate discovery from Linux-based load balancers such as BIG-IP F5, Nginx, and Citrix.
• Certificates and CSR generation pages have been enhanced with the Random Password generation feature.
• Users can now select up to five certificate templates while performing template-based SSL certificate discovery.
• Users can now bypass proxy server settings while performing SSL certificate discovery. If this option is selected, Password Manager Pro will bypass the proxy server and directly perform online certificate discovery. This option is available during scheduled certificate discovery also.
• Earlier, after certificate renewal, users will have to deploy MSCA/-self-signed certificates manually. Now, it is possible to deploy these certificates automatically if the user credentials are available.
• Users will now be able to choose the 'Certificate type' [CER/DER/P7B/CRT] and 'Keystore type' [JKS/PKCS/PEM/KEY] while deploying certificates to Windows and Linux machines and while exporting certificates.
• Now, it is possible to renew MSCA type Certificates with a new private key if a private key not available already.
• From now on, Password Manager Pro supports ClouDNS to complete domain control validation while acquiring certificates from public Certificate Authorities.
• Support for AES256-encrypted PKCS12 Keystores while adding certificate Keystores.
• MSCA Discovery with KMP Agent using Multiple Templates
  Users can now select up to five certificate templates while performing agent-based certificate discovery of local CA certificates. Before using this enhancement, please ensure the KMP Agent is upgraded to version 11300.
• Search-Enabled Custom Columns
  From build 11300 onwards, Password Manager Pro allows you to search within custom columns for SSL Certificates and SSH keys.
• Multiple Servers List
  Now you can include multiple servers for certificates in SSL certificate expiry notifications.
• GoDaddy Certificates Import
  From now on, users can directly import the existing certificates from their GoDaddy account into the Password Manager Pro repository.
• Local Disassociation of Keys
  It is now possible to dissociate keys locally if remote dissociation fails for users whose access has been discontinued.
• APIs - Serial Number as the Mandatory Field
  Earlier, the Serial Number field, which was optional in the below APIs, has now been made mandatory; To get a certificate, To get certificate keystore, and To delete a certificate.
• Serial Number in the getCertificateDetails Rest API
  In the getCertificateDetails Rest API, Serial Number has been added as an optional field; filling it fetches the details of that particular certificate alone.
• Henceforth, the SSL certificates can be manually mapped with deployed servers list to any server directly from Certificates >> Certificates >> More >> Add Deployed Server'.
• From now on, certificates/CSRs/certificate groups will have an email field to which the SSL expiry email notifications can be sent, where the expiry notification email address can be provided while creating the Certificate and CSR.
• A new option - Deploy to Microsoft certificate store user account, has been added, which facilitates the deployment of the Microsoft Store deployed certificates to the respective user accounts, besides deploying to the computer accounts.
• The SSL Certificate Expiry notification, set up under 'Admin >> SSH/SSL Config >> Notifications Settings >> Expiry', will now include Issuer, FingerPrint, and Serial Number fields in the Certificate Expiry email.
• From build 11300, the 'Certificates Audits' tab will be available under the 'Audits' tab, where, all the certificates audit related to all the users will be displayed.
• New REST APIs 'Get Password Policies' and 'Get Resource Types' have been added.

Bug Fixes

• The KMP agent got duplicated when re-installed from a different IP address. This has been fixed.
• The 'Common name' column sorting issue in the 'Certificate Sign Report' wizard has been fixed.
• The issue in MSCA auto-renewal with the EC key has been fixed.
• Get Templates issues that existed with the non - English languages have been fixed.
• Under 'Admin >> SSL Certificates >> IIS Binding', binding list retrieval failed for bindings with a protocol other than HTTP/HTTPs. This issue has been fixed.
• Earlier during Digicert import, Password Manager Pro failed to import client/personal certificates into Password Manager Pro. This issue is now fixed.
• Earlier, the date format had the month as a part of the value, due to which sorting did not work. Now, this issue has been resolved by modifying the date format in the CSV file to be the standard date format.
• Earlier, while discovering certificates using a load balancer, there were problems with commands other than the standard Linux commands. This issue has been fixed.
• Get templates issue has been fixed for CA name-based fetch.
• Previously, the proxy configuration was not supported in GlobalSign integration, due to which users with proxy were unable to use the integration. This issue has been fixed now.
• Earlier, it was possible to add or modify IISBinding only by giving the 'hostname'. This issue has been fixed, and now 'hostname' is not mandatory to create or update IISBinding.
• Earlier, MSCA templates showed the OID instead of the template name. This issue is fixed.
• During SSL discovery, discovery from servers with mutual authentication failed. This issue has been fixed now.
• MSCA discovery, when carried out using an agent without any filter, failed. This issue is fixed now.
• There was an issue in exporting the certificates as password-protected zips when password protection for exports was enabled under 'Privacy Settings'. This issue has been fixed now.
• There was a failure in Linux deployment from the ServiceDesk Plus request. This issue has been fixed now.
• Earlier, when the custom settings option 'View Support Information' was enabled for a custom user role, the users with that role were unable to access the 'Support' option from the profile drop-down. This issue is fixed now.
• Earlier, when a new category was created with the same name as an existing one from the 'Personal' tab, the product did not display an error message. This issue is fixed now.
• Earlier, if the name of a category seen from the 'Personal' tab contained the special character '&', the contents of the category were not visible in the display area. This issue is fixed now.
• Earlier, when a new resource was created using the 'Create Resource' API, and the 'Resource URL' field was left blank, users could not edit the resource attributes in the Password Manager Pro UI. This issue is fixed.

Behavior Change

From now on, all certificates with unique serial numbers will be listed under the 'Certificates' tab. However, the existing users can manage their already added certificates from the History section, which has now been moved under the 'Column Chooser'.

Security Fixes

• An XSS vulnerability (ZVE-2021-0956) that occurred during Load Balancer discovery has been fixed.
• A SQL injection vulnerability identified in the PostgreSQL password reset functionality is fixed.
• A path traversal vulnerability identified in the role report section is fixed by adding proper validation steps for the download file path of the report.
• Earlier, users could reopen a closed remote SSH session window from the browser history page and reinitiate the remote connection without requesting for the password of the resource again. This issue is fixed.

Enhancements

• New Query Reports
  Two new default query reports for users having access to the browser extension and users who don't have access to the browser extension have been added.
• New Resource Type
  We have introduced a resource type, Cisco Nexus OS.
• New Rest APIs
  This release comes with a bunch of new RESTAPIs: Fetch UserGroupID, Configure Remote Password Reset for Linux resources, Share Resource and Share account to User Group.

Behavior Changes

• The API handling code which earlier responded to the V1 API format of ServiceDesk Plus On- Premises and ServiceDesk Plus Cloud will henceforth respond to their V3 API format.
• The Authentication mechanism of ServiceDesk Plus Cloud has been updated from the older Authtoken based method to OAuth 2.0. In addition, from now on, it is possible to validate entries in the ticketing system columns against the entries in Password Manager Pro to check for any mismatches. Earlier, it was possible to check the entries in Password Manager Pro alone.

Note: If your current Ticketing System is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete the complete integration data. You will have to reconfigure the ticketing system again. So, make sure you have a backup of the advanced configurations in the form of screenshots for reference purposes.

Bug Fixes

• When the PMP and KMP agents were installed in the same machine, the data used for the agents' authentication was stored in the same place in the registry, causing the overwriting of the agents' data, thereby making the agents non-functional. This issue has been fixed.
• The automated scheduled task introduced for dashboard optimization caused the database connections to become unavailable, for some time, for a few users. This issue has been fixed now.
• When Two-Factor Authentication was enabled, the legal banner and the privacy policy banner links in the Login page (enabled from the 'Rebrand' wizard) did not show up/work. We have resolved this issue.
• Earlier, for some users, after configuring Duo TFA, the requests that were supposed to be sent to the PMP access URL were directly sent to the Password Manager Pro server. This issue has been fixed now.
• Earlier, the 'Edit User' action did not work for certain users. We have resolved this issue.
• Previously, the password entered in 'Importing users from AD wizard >> specify the user name and password manually' did not get saved due to a password encoding issue. This issue has been fixed.
• Earlier, users were able to export offline passwords even when the export password was disabled using the export URL. This issue has been fixed now.

Security Fix

• A user enumeration issue has been fixed (CVE-2021-33617).
• Users with access to the Password Manager Pro server, running in a machine with a few policies configured, were able to view the IIS web.config passwords as cleartext in the event log (ZVE-2021-1797).

Enhancements

• Enhanced Password Policy
  Enhancements have been made to the existing password policy by introducing new constraints and additional features which include; improved default attributes for Strong and Medium password policies, the introduction of password limit, the addition of new attributes, such as password similarity and sequences, ability for Admins to add and manage up to 5 dictionaries, Dictionary word check, Obvious Substitution (LEET) word check, Password Strength Meter, Sample Password Generator, New Password Generator, etc. These would be of great help to administrators in setting highly secure password policies.
• Access Control & Domain Account Restrictions
  Earlier, a user with access to a domain account can log into any resource shared with them using the domain account. Henceforth, it is possible to implement Domain account restrictions for target resources, i.e., Windows domain account users can be granted access to specific resources alone, which they actually want to access, instead of all resources shared with them. Please note that from this release, the Password Request API for domain accounts alone has been blocked.

Bug Fixes

• In build 11002, when the Admin users from the MSP org scheduled reports in the Client org, they received Zero bytes reports. This issue has been fixed now.
• From build 11002, Additional fields were missing from the Bulk edit page of resources. This issue has been fixed now.
• From build 10500, users with the Password Administrator role were unable to perform 'change role' or 'delete user' operation - to change to a Password user or a Password Auditor, even when no resources or accounts were present under 'Transfer Approver privileges. This issue has been fixed now.
• In build 11004, while generating a custom report, say, a report containing all the resources present under a Dynamic resource Group, no results or a blank page was displayed. This issue has been fixed.

Security Fix

• When users configured X-Forward-For in Password Manager Pro, there was a possibility to bypass web access restriction by setting the X-Forward-For header manually. This issue has been fixed now.

New Features

• Expiry Notifications for SSL Certificates
  Now, use Password Manager Pro to discover, import, and configure expiry notifications for SSL certificates hosted in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM).
• Self-signed Certificates Auto Renewal
  Password Manager Pro now supports automated renewal of self-signed certificates along with Microsoft CA certificate renewal.
• SSL Certificate Deployment and Binding - IIS Server
  From now on, you can both deploy a certificate to the IIS server and also bind it to the desired website in the IIS, all from the Password Manager Pro interface itself, without the need to access the IIS server separately. Also, an option has been provided to automatically restart the IIS server for the deployment and binding to take effect, thereby eliminating the need for the manual restart from the IIS end.
• Additional Fields
  Password Manager Pro now brings you the 'Additional Fields' feature, configured from 'Admin >> SSH/SSL Config', and used to include any additional information about SSH keys and SSL certificates stored in the repository. There are four different categories of Additional Fields: character, numeric, date, and email. Users can choose to add or remove the Additional fields from SSH and SSL views. While creating an Additional field, users can choose whether it is applicable for SSH/SSL/both, and also customize the emails mentioned in it.
• Column Chooser
  This version of Password Manager Pro comes with the 'Column Chooser' feature that allows users to show or hide columns at runtime, and also rearrange the columns from the current view via drag-and-drop.
• Pretty Good Privacy (PGP) Keys
  PGP encryption is used to enhance cryptographic privacy and authentication for online communication by encrypting and decrypting texts, emails, files, etc. It uses a combination of data compression, hashing, and public-key cryptography to boost confidentiality. Now, Password Manager Pro brings you this PGP functionality in the form of PGP key generation, where the keys are used to encrypt the data like emails, texts, etc. Create, store and manage PGP keys under 'Admin >> SSH/SSL'. Modify the key description anytime, export private/public keys, export keys to multiple email ids, and generate, view, and schedule reports. You can also send expiry notification emails to admins. This feature allows you to share and collaborate information securely among your trusted groups of users and businesses.
• GlobalSign
  Password Manager Pro now supports integration with GlobalSign SSL a trusted Certificate Authority and a leading cloud-based PKI solutions provider. This integration enables users to request, acquire, import, deploy, renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued by GlobalSign, directly from the Password Manager Pro web interface.
• Certificate Deployment using Agent
  Password Manager Pro can already deploy and bind certificates to IIS servers belonging to the domain, where Password Manager Pro also resides. Now, Password Manager Pro can also deploy certificates to IIS servers in demilitarized zones and also bind them to websites in IIS, all using an agent. This makes Password Manager Pro more scalable, as it can deploy and bind certificates in IIS servers, irrespective of whether they are in the same or different domain.
• CSR Signing using Agent
  In addition to the already available two sign types, namely, 'MS Certificate Authority' and 'Sign with Root', used to sign certificates from Password Manager Pro, a third sign type 'MS Certificate Authority with Agent' has been introduced. This new sign type is mainly used to sign certificates originating from a distinct domain, i.e., other than the domain to which Password Manager Pro belongs.
• Integrating with Ticketing Systems
  Password Manager Pro now integrates with enterprise ticketing systems namely ServiceDesk Plus (on-premise) and ServiceNow. This integration ensures that automatic service requests are created in the ticketing environment to notify administrators of SSL certificates that are at the risk of expiring and certificates that are deemed vulnerable after a vulnerability scan in Password Manager Pro. Users can set notification policies to govern the frequency of service request creation for expiring and vulnerable tickets.
• New Certificate Format - PEM A new certificate format, Privacy Enhanced Mail (PEM), has been added, in addition to the already available certificate export formats, Keystore and PFX, where the PEM format is used for digital certificates and keys, deployed in web server platforms (e.g., Apache).
• Support for GoDaddy DNS
  Password Manager Pro now supports GoDaddy DNS to complete the domain control validation procedure while acquiring certificates from public Certificate Authorities, along with the already available DNS support types, Azure DNS, Cloudflare DNS, Amazon route 53, and RFC2136 Update. Using GoDaddy DNS, users can update the DNS record for GoDaddy domain validation from the Password Manager portal itself.

Enhancements

• Password Manager Pro now provides additional insights on agent activity such as heartbeat interval, latest response time and operation performed.
• For scheduled SSL expiry tasks, users now have the option to choose whether or not, to receive email notifications when no certificates in that particular schedule are nearing expiration.
• Password Manager Pro offers automatic bundling of individual private key (.key) files and certificate files (.cer/.pem) into 'JKS' and 'PKCS' keystore file formats and provides export option for the same.
• Two extra categories have been added to the criteria-based certificate group creation: AWS service and Certificate template.
• Now, it is possible to use the Password Manager Pro service account credentials for authentication while deploying certificates in Windows servers.
• Henceforth, while creating a certificate, users can provide ephemeral access (validity in hours and minutes) to the certificates created, after which the certificate auto-expires. This eliminates the need for compulsory permanent access credentials to access target systems and also explicit access repeal.
• It is now possible to perform SNI-based SSL discovery using the Common Name and IP Address combination.
• The option to filter certificates based on the key length and signature algorithm within specific expiry days has been added to the 'getAllSSLCertificates' Rest API.
• It is now possible to customize notifications and their intervals. Users can now choose not to receive notifications regarding the expired certificates, and send a separate email and customized subject per certificate, from 'Admin >> SSH/SSL >> Notification Settings'. The same actions can be done while creating new schedules under 'SSH/SSL >> Schedules >> Add Schedule', where you have to select the Schedule Type as 'SSL Expiry'.
• Earlier, Password Manager Pro allowed signing and deployment of certificates only from Windows systems. Now, it is possible to perform certificate signing and deployment to Windows systems from Linux installations through agents.
• It is now possible to provide customized subjects in 'Schedules'. Also, users can tailor schedules by adding custom email content and a unique signature.
• In RestAPI, the fetch details format is modified in such a way that the "details" attribute holds all the data. The following is the modified API list; GetCertificateDetails, getallsslcertificates, getAllSSLCertsExpiryDate, sslCertSingleDiscovery, sslCertRangeDiscovery, getallsshkeys, GetSSHKey, GetSSHKeysForUser and GetAllAssociatedUsers.
• This release comes with an exclusive page for 'Windows Agents', accessible from the 'Certifcates' tab, from where users will be able to perform all agent-specific operations such as SSL Discovery using agent, deployment of SSL certificates in certificate groups using agent and CSR Signing with MSCA agent.
• Certificate deployment in multiple servers has now been made simpler by using an agent, provided the agent is running in the server to be deployed, and both the agent name and the server DNS name are the same.
• Now, auto-renewal of certificates is possible for the 'MSCA using agent' sign type as well, from 'Admin >> SSL Certificates >> Certificate Renewal'.
• The 'Certificate Sign Report' comes with the following MSCA/Third party CA signing details; Certificate Authority, Certificate Template, Sign Type column.
• The 'Certificate Renewal report' comes with the 'Renewed By' column relevant to MSCA and 3rdPartyCA renewal details.
• A new option 'Reissue Certificate' has been added under 'Certificates >> GlobalSign' that allows users to request GlobalSign to reissue an SSL certificate.
• The new 'GlobalSign Orders Report' allows the GlobalSign orders to be added as individual reports, which provide a detailed view of certificate orders requested from the GlobalSign CA.
• From now on, users can add a "Key Comment' while importing a new SSH key and editing an existing key from the repository. Also, users can avail the checkbox "Update comment in associated users" to update the Key comment to the associated end servers automatically.
• Now, it is possible to add additional properties to a certificate while creating it, by using the 'Advanced Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage properties, and add them to the new certificate. Examples for the Key Usage properties include; Digital Signature, Decipher Only, Encipher Only, and Certificate Sign.
• The DigiCert CA page has been enhanced with a new menu 'Show' that has four options, Expired, Revoked, Rejected, and Others, used to filter the DigiCert CA list view.
• Now, while adding or modifying the Certificate Groups, it is possible to set 'additional fields' also as one of the 'By Criteria' filters for certificates.
• New REST APIs 'GET CSR list' and 'Sign CSR' have been added.
• The 'Expiry Notification' has been enhanced with the custom mail content, 'Title' and 'Signature'.
• The 'Certificate Renewal Report' page under 'Reports >> Certificate Reports' now comes with a column chooser.
• Users can now view all the certificates associated with a particular agent by clicking the 'Host Name' of the agent listed under 'Certificates >> Windows Agents'.
• It is now possible to discover certificates issued by a particular 'Microsoft Certificate Authority' just by entering the MSCA name in the text box provided, during discovery. Remember, this additional option will be available for Password Manager installations in Windows server machines only.
• Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a registered base-domain.
• Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional fields followed a fixed format. Now, the customization settings configured for notification emails in 'Notifications' and 'Schedules' will be applied to the emails sent via email addresses in the additional fields as well.

Bug Fixes

• Previously, certificate deployment failed if the field "Store Password" contained a space character while creating certificates from 'Certificates ? Create'. This issue has now been fixed.
• Previously, when there was a "space" character present in a certificate group name, attempting to fetch the SSL certificates report pertaining to that group from the Reports tab threw the following error: "Invalid field format". This has now been fixed.
• Previously, even after the certificate private key was imported and attached to a certificate in the Password Manager Pro's certificate repository, the "Export Keystore/PFX" was still disabled. This has now been fixed.
• During AD User certificate discovery and Root certificate signing performed from the Password Manager Pro interface, the 'Connection Mode' got saved as 'No SSL' only, even if the 'SSL' mode was chosen. This issue has been fixed now.
• Earlier, MSCA signing supported 'java keytool' CSR only. Now, from this release, all CSRs will be supported by MSCA signing.
• During certificate creation, all values entered in the SAN field were all together categorized as 'DNS' only. Now, the values are segregated as 'DNS' and 'IP Address' categories.
• Earlier, during Digicert integration, import of code signing and client/personal certificates got failed. This issue has been fixed now.

Security Fix

• Earlier, for SSH and SSL related API calls, the Authentication token was passed as a request parameter. From 11000, all SSH and SSL related API calls require the Authentication token to be passed in the request header only.

Enhancement

Previously, it was possible to configure access control settings at the resource level only, and the same settings were applicable for all the accounts under the resource. Now, it is possible to set password access control independently for each account under a resource, without affecting the access control configurations of other accounts in the resource. This ability to set unique configurations for each account helps users maintain unparalleled security levels for each account, based on requirements. Remember, the account-level access control configuration takes higher precedence over the resource-level access control configuration.

Security Fix

• A Cross-Site Scripting (XSS) issue that occurred due to the absence of output encoding in the Resource name while masking password, theme type, skin color, Category name of the Personal tab, web app connections, and user sessions of the Audit tab, has been fixed.
• A local File Intrusion issue that occured during the MS store discovery has been fixed.

New Features

• Integration with DigiCert SSL
  Password Manager Pro integrates with DigiCert a leading TLS/SSL, IoT and various other PKI solutions provider. Users can request, acquire, create, deploy, renew and automate the end-to-end management of SSL/TLS certificates issued by DigiCert, all directly from the Password Manager Pro portal.
• CSR Templates
  It is now possible to create and use predefined templates for CSR (Certificate Signing Request) generation.
• Option to Exclude Certificates
  Users can now choose to ignore certain certificates during the SSL discovery or manual addition of certificates into the Password Manager Pro repository. A new option is added under 'Admin >> SSH/SSL >> Exclude Certificate', which you can utilize to add the certificates to be excluded, by specifying their Common Name and Serial Number.
• Support for RFC2136 DNS Updates
  Password Manager Pro now supports RFC2136 DNS updates to complete domain control validation while acquiring certificates from public certificate authorities (CAs). Option to modify the email id of the Let's Encrypt account, used by Let's Encrypt to send email alerts of expiring certificates.

Enhancements

• Earlier, it was possible to associate a SSH key with a user account only when the target system was reachable from the Password Manager Pro server. This was troublesome when the target system was inaccessible. Now, from the Password Manager Pro build 10400, an option is provided for Linux resource types that users can opt to force map SSH keys to user accounts, even if the target systems are not reachable.
• Users can now use Password Manager Pro to sign CSRs (either using your internal Microsoft CA or a root certificate) as and when they are generated.
• Password Manager Pro now supports file-based discovery for scheduled SSH and SSL discovery tasks.
• A new dashboard widget to provide data about SSL configuration vulnerabilities has been added.
• Support is enabled for the discovery of SSH keys with ECDSA and ED25519 signature algorithms.
• A new REST API to view the private key passphrase of SSL certificates has been added.

Bug Fixes

• During OpenLDAP and Novell Directory import, new users' domain names were not updated properly, which caused login exception. This has been fixed now.
• AzureAD did not work when the proxy server was configured in Password Manager Pro. This has been fixed now.

New Features

Password Manager Pro Plugins for Chef and Puppet
Introducing new plugins for Chef and Puppet CI/CD platform, in addition to Jenkins and Ansible. Both Chef and Puppet use the Master-Slave architecture, where communication happens via an SSL-based secure encrypted channel. Dedicated external app plugins are provided for both the plugins, so that the code pulls the passwords directly from Password Manager Pro during run time, instead of storing them as plain texts within script files. This combats security threats to resources, enhances the security of passwords and eliminates the need for users to modify the code when passwords are changed. The plugins thereby improve the overall security in organizations' DevOps pipeline and also impose consistent rotation and automatic update of the new passwords in the respective remote devices.

Enhancements

• Bulk Resource/Account/Resource Group Sharing
  Previously, it was possible to share only a single resource, or an account, or a resource group, with user(s) or user group(s). Now, users with proper permission can share resources, accounts and resource groups, in bulk, with user(s) or user group(s).
• Access Control Enhancements
  
  • Earlier, it was possible to set only two admins as approvers for password request under Resource Actions >> Configure Access Control >> Miscellaneous Settings. From now on, Admins can set 'n' number of admins (5 by default and 10 as maximum) as approvers for password request. The default approver count can be altered under General Settings.
  • Admins can now configure auto-approval for different days with different time configurations (Maximum of 3 different time configurations per day), under Resource Actions >> Configure Access Control >> Auto Approval. It is possible to configure the same time for every day and also different time configurations for different days.
• New API Added
  A new API to generate passwords using existing policies in Password Manager Pro is added.

New Features

• SSL Discovery

  • Agent-based Discovery
    Password Manager Pro now supports agent-based SSL discovery that allows administrators to discover and import certificates present across a network by installing one or more instances of agent software on target systems. The agent, which is available as a compressed package with all the necessary configurations in password Manager Pro interface, once installed in the required end servers, performs certificate discovery and updates the certificate database.
  
  
  • Load Balancer Certificate Discovery
    Password Manager Pro now allows administrator users to discover and consolidate SSL certificates deployed to Linux based load balancers such as Nginx and F5 through a process tunnelled via SSH.
  
  
  • Option to Login to Certificate Store and Microsoft CA using Service Accounts
    A dedicated option is provided for the Administrators to make use of the Password Manager Pro service account credentials to log in to target systems, while performing Certificate Store and Microsoft CA discovery, without having to manually enter them.

• SSH and SSL Discovery

  • Subnet Discovery
    Password Manager Pro now provides subnet discovery option for SSL certificates, allowing administrators to discover the certificates from specific subnetworks within an IP range.
  • Option to Exclude IP addresses
    Users can now choose to exclude specific IP addresses when performing bulk discovery from an IP address range.
• Key-based Authentication for Certificate Deployment
  Password Manager Pro now provides an additional key-based authentication functionality (apart from the conventional password authentication), which users can leverage to deploy certificates to password-less Linux end servers.
• Support for Amazon Route 53 DNS
  In addition to Azure and Cloudflare DNS, Password Manager Pro now supports Amazon Route 53 DNS to complete the domain control validation process when acquiring certificates from public CAs.
• New SSH Key Types Added
  From now on, two additional SSH key types - ECDSA and ED25519 will be available for selection while creating new SSH keys, out of which, rotation is possible for the key type ED25519.
• Option to Use Existing Password Manager Pro Account during Certificate Deployment
  While deploying certificates to target web servers, a dedicated option is provided for the users to use an existing Password Manager Pro account, instead of entering the credentials.
• New Rest APIs Added
  Two new REST APIs are newly added; REST API to add certificates to Password Manager Pro certificate repository and REST API to delete ssh keys.

Bug Fixes

• Earlier, when a certificate was deployed to two servers, and if one of the deployed servers was deleted, the "Multiple Servers" icon was still shown. This has now been fixed.
• Formerly, when multiple certificates were discovered from a single resource, and when the DNS name of one of the certificates was changed, the DNS names of all the other certificates also got changed. This has now been fixed.
• Earlier, when the scheduled discovery operations for SSH and SSL failed, there were a few instances, where the audit records were not updated properly. This has now been fixed.
• Previously, during the following processes Microsoft Certificate Store discovery, server certificate upload, and Radius server configuration (server secret field), if a password, containing special characters, was entered, a "harmful content" error was thrown. This has been fixed.
• Earlier, certificates without an original common name (with the SAN name as the common name, by default) failed to update, after running a scheduled discovery. This issue has now been fixed.
• Previously, the 'Days' filter in the SSL Expiry Report failed to render correct results. This has now been fixed.

New Feature

• Integration with public Certificate Authorities (CAs)
  Password Manager Pro facilitates end-to-end life cycle management of certificates obtained from trusted certificate authorities (CAs), enabling users to request, consolidate, deploy, renew and track certificates issued by multiple commercial CAs, all from a single interface. This functionality, powered through a seamless API integration with The SSL Store one of the largest platinum partners of world's leading CAs, provides the users with the option to acquire the certificates from the following third-party CAs and manage them directly from Password Manager Pro's web interface: Sectigo (formerly Comodo), Symantec, Thawte, Geotrust, and RapidSSL.

Enhancement

• Unlike the earlier versions of Password Manager Pro, the "Search" field under the "Users" tab has now been enhanced to search for usernames using both the First and the Last Names.

Bug Fixes

• Earlier, when accounts were added through API, the "Password" field did not support the special characters; < > [ ]. Henceforth, the users will be able to create passwords using the above mentioned special characters, while adding accounts through API.
• Previously, the DNS-based domain control validation procedure was unsuccessful for Let's Encrypt sub-domain certificate requests. This issue is fixed now.
• Earlier, CSR/Certificate creation was failing, if comma separated values were provided for the Organization or the Organization Unit. This issue is fixed now.

New Features

• Linux Resource Discovery using SSH
  Earlier, Password Manager Pro supported Telnet-based discovery alone for Linux endpoints. Now it supports SSH protocol as well for resource discovery. By providing SSH login credentials, the Admins will be able to discover the Linux endpoints using an IP Address / IP Range.
  Note: Telnet-based discovery will eventually be deprecated as it is not a secured protocol.


• "Let's Encrypt" Wildcard SSL Certificate Management Support
  Password Manager Pro already supports SSL certificates signing by "Let's Encrypt" Certificate Authority. Recently, they have upgraded their protocols to enable support for wild card certificate signing as well. Hence, from now on, the PMP users will be able to get their wildcard SSL certificates signed by "Let's Encrypt" CA and manage the same.


• SSL Certificate Discovery from SMTP servers
  Password Manager Pro already allows discovery of SSL certificates from Certificate Stores, Microsoft CA and Active Directory. In addition to this, the SSL certificates can now be discovered from SMTP servers as well.


• SSL Certificate Discovery as a Scheduled Operation
  Earlier, importing of SSL certificates from the Microsoft Certificate Store was an on-demand operation. Now, it is possible for Admins to create scheduled tasks (under Admin >> SSH/SSL >> Schedule >> Add Schedule) to automatically discover and import the certificates from Microsoft Certificate Store and certificates issued by Microsoft Certificate Authority.


• Import Certificate Signing Requests (CSRs)
  Though it was earlier possible to import a key or a certificate inside Password Manager Pro, the Certificate Signing Requests (CSRs) had to be generated inside the application only. Now, PMP allows importing (under "Certificates >> Create CSR >> Import") and managing of CSR files, generated externally, by forwarding them to trusted certificate authorities and tracking their status.

Enhancements

• Crumbling of SSH Session Recordings
  Formerly, the SSH session recordings were stored as encoded, individual files. This might cause performance issues when the SSH session time is stretched, as the file gets constantly updated in real-time. From now on, the recordings out of extended SSH sessions will be stored as multiple files and rolled over. This should provide a smooth SSH session experience and also a zero buffer time during the session playback.


• Remote Password Reset for Weblogic Server
  Apart from the endpoints listed here, Password Manager Pro can now reset, verify and manage the passwords of Weblogic application servers as well. It is possible to manage the passwords of all the Weblogic server versions, as the password reset is performed with the help of JMX service.


• RDP Gateway Enhancements
  Password Manager Pro employs "SparkGateway" from Remote Spark for establishing RDP Gateway sessions. The bundled version of SparkGateway, updated in this version, comes with enhanced file transfer functionalities. This allows users to leverage file transfer improvements while opening RDP connections using PMP.


• Option to Retain SSH Keys in Target End-points while Deleting the same from Password Manager Pro vault
  Heretofore, when an SSH key was deleted from the Password Manager Pro vault, the same was removed from the associated Unix/Linux endpoints as well. From this version, Admins have the option (in the SSH key delete confirmation window) to choose whether to remove a key from the endpoint, while deleting it from inside the vault.

Bug Fixes

• While using Internet Explorer, the RDP sessions had intermittent freezing issues and lag, especially when the sessions were idle for 10-15 mins.
• Due to an encoding issue, the SSH sessions did not work, when the users whose AD username begins with the character 'u' logged into the Password Manager Pro.
• When the option "Generate unique password for every account(Recommended)" was selected under "Groups >> Actions >> Periodic Password Reset", new passwords generated were based on the resource group password policy, instead of account password policy. This has been fixed now.
• From version 9000, the "User Authentication Failed" report under "Dashboard >> User Dashboard >> User Activity" displayed 'No audits found' message due to a filter issue. This has been fixed now to show the valid data.
• Earlier, a new web app connection always replaces an existing connection (when launched through the "Connections" tab). This is fixed now, and each connection launches in new tabs.
• Password Manager Pro uses SCP protocol for deploying SSH keys in target end-points. Previously, only the "To" file information was sent along the SCP request which worked fine. But in the recent SCP versions, the "From" file information has also been made mandatory. So now, Password Manager Pro sends both "To" and "From" information of the SSH key files, thus ensuring proper completion of file deployment.
• In earlier versions of Password Manager Pro, while deploying SSL certificates in Microsoft Internet Information Services (IIS) server, the private keys exported along with the certificates were corrupted. This is fixed now.
• Previously, while signing a certificate using custom Root CA, a security error was thrown when the "SAN" field was blank. This is now fixed, and the certificates can be signed, even when the SAN field is left empty.

Security Fix

We have renovated the security framework of Password Manager Pro. The following are some of the major changes and enhancements:

• In earlier versions, Password Manager Pro primarily relied on "Blacklisting" for securing the product URLs from Injection and other script attacks. With this release, the security framework has been updated to use "Whitelisting" of the necessary URLs, which maximizes product security.
• The validation of JSON array parameters has been intensified for optimal security.
• A few checks with respect to file uploads (e.g., limit and size) are included to keep load attacks at bay.

This release introduces DevOps support in Password Manager Pro with new plugins for Jenkins and Ansible pipelines. Additionally, provisions to perform password resets for SSH-based resources through custom command inputs have also been added amid other new features and enhancements.

New Features & Enhancements

• Plugins for DevOps Containers - Jenkins and Ansible
  The Password Manager Pro plugins developed for credential management in Jenkins and Ansible help improve security in organizations' DevOps pipeline. The plugins ensure that required credentials are retrieved securely from Password Manager Pro's vault every time when an automation schedule is run through the tools, instead of being embedded in plain text within script files. Moreover, with the credentials stored in Password Manager Pro, you can also enforce regular rotation and automatic update of the new password in the respective remote device.
  
  
• Build Password Reset Workflows with SSH Commands
  Now extend Password Manager Pro's reset provisions to support remote password changes for SSH-based resources in your environment without the need for a CLI terminal. Quickly build command workflows using built-in or customized SSH sets and map them to respective SSH device accounts to execute password resets in a simple and effective manner. This new addition to Password Manager Pro's reset capabilities enables you to enforce automatic password updates for resource types that are not supported out-of-the-box by the application.
  
  
• Two-factor Authentication Support
  From v9900 onwards, Password Manager Pro readily integrates with the following services to provide two-factor authentication support for application login.
  1. Microsoft Authenticator
  2. Okta Verify
• RESTful API Updates
  1. New API to get audit details.
  2. Resource and account creation APIs enhanced to include password policy association.
  3. Resource and account edit APIs enhanced to include password policy association.

Bug Fixes

• From v9200 till v9803, passwords checked out under a time-sensitive access request did not get checked back in automatically upon access expiration if a Password Manager Pro server restart took place in between. This has been fixed.
• From v9802 till v9803, users could not raise password access requests when they and the environment in which Password Manager Pro server was installed were in different time zones. This has been fixed.
• [MSP Edition] From v9802 till v9803, while configuring access control for a resource in a particular client organization, the user groups list in the configuration window also displayed the user groups that belonged to other client organizations. This has been fixed.

This release brings forth integration support for HSM data encryption and YubiKey two-factor authentication as well as the provision to extend remote password capabilities beyond supported platforms via custom plugins.

New Features & Enhancements

• Data encryption and protection with SafeNet HSM

  Password Manager Pro (PMP) now provides out-of-the-box support for SafeNet Luna PCIe HSM which gives administrators the option to enable hardware-based data encryption for the application. This update helps administrators ensure increased data security levels by leveraging the integration to securely store PMP's encryption key in the SafeNet HSM appliance available in their environment.

• Password Reset Plugin: Provision to add custom plugins to remotely reset passwords for unsupported resource types

  Password Manager Pro (PMP) now allows manual addition of custom reset plugins (created in the form of an implementation class) that can be invoked from PMP server to carry out remote password resets for platforms that are not supported out-of-the-box, such as legacy resource types, in-house applications, etc. Administrators can leverage this update to also configure access control for unsupported resources and enforce automatic reset of their passwords instantly upon usage.

• Integration support for YubiKey two-factor authentication

  From v9800 onwards, Password Manager Pro readily integrates with YubiKey a physical key made by Yubico, which ensures secure and strong user authentication, to provide two-factor authentication support for application login.

• Root-based certificate signing

  Password Manager Pro now enables administrators to sign and issue SSL certificates to end-servers within the network environment, based on a root certificate that is trusted within the network.

• Website domain expiry notification:

  Administrators can now track upcoming public domain expirations in Password Manager Pro, facilitated via 'Whois Lookup'. They can also opt to receive periodic email notifications regarding the same.

• New RESTful APIS

  • To delete users with their usernames
  • To add users to user groups
  • To lock/unlock users
  • To import SSH keys
  • To associate/dissociate SSH keys
• The REST API to create a new resource now additionally supports inclusion of "Domain Name" for the resource being created. Also, the REST API to get a user's ID now supports special characters in the passed username.
• Henceforth, REST API calls to the PMP server will have a threshold policy. When a specific 'API' call reaches the threshold number of 150 calls/IP address within a span of one minute, that API will be locked for a minute. However, this policy is not applicable to the 'GET' calls.
• Users imported from Active Directory (AD) to Password Manager Pro will hereafter be provided the option to launch an RDP connection to Windows resources using their AD credentials even during cases when other authentication methods (such as SAML SSO, local authentication) are used by the user in addition to AD authentication.
• Password Manager Pro now expedites domain validation for Let's Encrypt certificate renewal through automated verification of DNS-01 challenges (for Azure and Cloudflare DNS).
• Password Manager Pro now includes provisions to import certificate files to keystore by automatically pinning its corresponding private key with the acquired certificate.
• Audit logs for bulk password resets triggered at resource group level and modification of dynamic resource groups have been revised to include more information. The bulk password reset log now also captures the name of the resource group for which the reset action has been triggered, either on-demand or scheduled. The second log now thoroughly captures the criteria value changes carried out for the selected dynamic resource group.
• The "Transfer Ownership" option under the Users tab now lists the available PMP users in an alphabetical order to help expedite the operation.

Bug Fixes

• From v9600 till v9702, both on-demand and scheduled remote password resets for Oracle resources failed due to server-side issues. This has been fixed.
• From v9700 till v9701, when the MSP administrator imported an organization from a CSV file that also included information for Account Manager, the detail was not added to PMP during the import. As a result, operations like manage organization, edit, and delete organizations could not be performed for the imported organization. This has been fixed.
• From v9500 till v9702, if the user conducted a custom search in the Resource Audit section, cleared the results, and then tried to carry out a PDF export of all the audit logs in that section, the action did not work and instead a new tab with a blank white screen opened. This has been fixed.
• From v9600 till v9702, the search options in both User and Resource trash did not work. This has been fixed.
• Earlier, if a user had checked out the password of an access controlled resource for a specified duration and the PMP server is restarted within that duration, the condition was automatically revoked and the user was able to continue using the password beyond the given time. This has been fixed.
• Earlier, when an administrator created a new API user and saved the details in Password Manager Pro, the saved host name was automatically changed to that user's IP address which led to connection issues during API calls. This has been fixed.
• Earlier, Linux resources added to PMP via REST API were not displayed in the list of available resources for "Public Key Association" in the SSH Keys tab. This has been fixed.
• Earlier, while trying to fetch the IDs of a resource and its account via REST API by providing the resource and account names, resource names containing special characters were not allowed. This has been fixed.

Security Fix

• Earlier, a Remote File Inclusion (RFI) vulnerability in Password Manager Pro's landing server configuration tab allowed the administrator to upload any file to any location in PMP server via the image file upload field. This has now been restricted to only image files, which can be saved only in the predestined location.

This release introduces strong controls in Password Manager Pro for protecting personal data stored and processed in the product, in compliance with privacy regulations.

New Features & Enhancements

Additional protection in web GUI while displaying personal data

Form fields that contain personal data such as Username, DNS Name, Email ID, Server Name and more will henceforth be masked at all times to enhance protection. Additionally, when a specific user unmasks and views any of the masked data fields, the action captured in the audit trails with a timestamp and the IP address of the machine from which the user viewed the data.

Canned report to demonstrate GDPR compliance stature

Password Manager Pro now comes with a canned report that tells you the stature of your compliance with specific requirements listed in Chapter 3 of the General Data Protection Regulation (GDPR), in terms of how users' personal data is handled within the product. This report, apart from providing a holistic view of how personal data is handled, will also prove useful while preparing for privacy audits.

Provision to authorize selective administrators with privacy administration privileges

From v9700 onwards, a new "Authorized Administrators" option will appear under Admin >> Settings. This option can be used to authorize only the desired administrators with the privilege to view, access, and modify the following Password Manager Pro settings:

• Privacy Settings
• IP Restrictions
• Emergency Measures

Note:
When you upgrade to v9700 from earlier versions, users with the following roles will be automatically assigned as authorized administrators:

• Default "Administrator" role
• Custom role with permission to access and modify "PMP Server Settings" under PMP Settings category.

Password protected exports

Administrators can now include an additional layer of password protection for export operations across Password Manager Pro. This applies to,

• Resource and resource group exports (XLS file)
• Audit exports (PDF and CSV files)
• Report exports (XLS and PDF files)

The authorized administrator can either set a global passphrase which will be uniformly used for the aforementioned export operations or allow the users to define their own passphrase for their exported files.

Mandating administrator acknowledgement of data transfer while setting up integration with third party applications

Henceforth, when the Password Manager Pro administrator sets up integration with the services mentioned below, the administrator will be required to acknowledge the data transfer from Password Manager Pro server for each respective integration.

• Cloud Storage - Dropbox, Box, and Amazon S3
• Two-factor Authentication - PhoneFactor, RSA SecurID, RADIUS Authenticator, and Duo Security.

Support for Encryption at Rest (EAR) while using MS SQL server as the backend database

For Password Manager Pro installations that function with a MS SQL server as the backend database, Transparent Data Encryption (TDE) is supported henceforth to achieve EAR. TDE encrypts all the data and log files stored in the SQL server and the key used to encrypt the database is also secured further with a certificate to enhance protection.

Backup file encryption

Database backup (.zip) files in Password Manager Pro-both on-demand and scheduled, will hereafter be encrypted with the Password Manager Pro master encryption key and stored in the destination directory securely. In case of Password Manager Pro installation running a remote MS SQL server database, the backup file will be encrypted only if the specified backup destination is within the server in which Password Manager Pro is installed and not the remote machine.

Privacy controls for canned reports

Password Manager Pro now allows authorized administrators to configure privacy settings for canned reports. Administrators can choose from an exhaustive list of personal data, deciding whether each input in the list should be completely omitted from the reports or included as masked information.

IP restrictions

IP-based restrictions are now supported to limit inbound connections and minimize unwanted traffic to Password Manager Pro server. Restrictions can be configured for web access, API calls, communication from native mobile applications, browser extensions, and Password Manager Pro agents deployed on target machines. The IP restrictions can be set at various levels and combinations, such as defined IP ranges or individual IP addresses. The authorized administrator can either whitelist or blacklist the set of desired IP addresses.

Trash can for delete operations

Users and resources in Password Manager Pro can now also be moved to trash alternatively instead of permanent deletion, along with the option to restore from trash when needed. The trashed users and resources will be retained by Password Manager Pro only until the next rotation schedule is carried out for the master encryption key.

Purging selective session recordings

Earlier, session recordings and chat logs could only be purged in bulk by configuring to delete recordings that are older than a specified number of days. From v9700 onwards, session recordings can also be individually selected under Audit >> Recorded Sessions and purged. Additionally, chat logs for a specific session recording can also be deleted while retaining the recording itself and vice versa.

Managing unidentified email addresses in Password Manager Pro

A new provision has been added to enable administrators to track and remove unidentified email addresses in Password Manager Pro which do not belong to any of the users in the application. This provision currently allows management of unidentified email addresses which are captured in "User Sessions" audit as well as those that are configured as notification email recipients for scheduled tasks' completion statuses and license expiry alerts.

Emergency Measures

In the rare scenario that a suspicious activity is sensed within Password Manager Pro but has not yet been identified, a set of recommended best practices that can be carried out have been added under Admin >> Manage >> Emergency Measures. The illustrative list of incident response actions give the administrator a head start on stopping all inward and outward communication to and from Password Manager Pro server respectively, such as stopping API calls, blocking agent communication, and stopping the SSHD server.

• Under rebranding, Password Manager Pro now provides an additional option to configure and display a customizable privacy policy banner in the login page.
• Earlier, the "Total Passwords" count displayed in the dashboard did not include resources of the type File Store, Key Store, and License Store. From v9700 onwards, the count will include the aforementioned resources as well.
• While setting up user import from LDAP directories, Password Manager Pro administrators now have the choice to also define the corresponding attribute labels for department and location as used in the LDAP directories.
• A new option has been added to Password Manager Pro MSP version under Admin >> General Settings >> User Management, which can be used to display the organization names of the client orgs in the organization drop down list (at the top right corner) instead of the orgs' display names.
• The option to delete client organizations has been added to Password Manager Pro MSP version. When a client organization is deleted, all the resources and users added under it will also be deleted.

Bug Fixes

• In v9600 and v9601, due to an issue in Windows resource discovery, when the administrator tried to import OU A, OU B was wrongly imported. This has been fixed.
• From v9000 till v9601, the password expiry date for accounts in the Passwords section was wrongly displayed in the quick info beside each account. For instance, if the expiry date for account's password was May 25, it was shown as June 25 even though it did not affect the password from expiring on May 25. This has been fixed.
• From v9000 till v9601, the owner of a criteria resource group was sometimes unable to view the password of an account associated with a member resource in that resource group. This happened when the specific resource is owned by another user who's a member of a user group with which the criteria resource group has been shared and the former owner is not a member of that user group. This has been fixed.
• From v8700 till v9601, if the administrator had disabled the default roles, Password Administrator and Password User using Role Filter in their instance, the disabled roles were automatically enabled when their Password Manager Pro server was restarted.
• Earlier, user import from Active Directory groups did not work if Password Manager Pro secondary server was up instead of primary server. This has been fixed.
• Earlier, when an additional password field was added and used as an account attribute, the option to copy the password to clipboard for that additional field was not available in the resource and account details windows as well as in the Passcard screen. This has been fixed.
• Earlier, "Change Password" option was shown in the My Profile drop down menu for AD, Azure AD, and LDAP users even though it was not applicable to them. The option has now been removed.

Security Fix

• Earlier, PostgreSQL database password as well as the keystore password for HTTPS connections from the web server were stored in the configuration files as plain text. They have now been encrypted with AES-256 algorithm for enhanced security.

New Features & Enhancements

SQL and SSH Remote Terminal Sessions with Windows Domain accounts

• From v9600 onwards, users can launch SSH connections to Linux resources using Windows Domain accounts stored in Password Manager Pro's database. Remote password reset actions for Linux resources can also be configured by using a Windows Domain account for remote login to the Linux resources.
• Provision to remotely connect to a MS SQL server using a Windows Domain account has also been added.

Secure Cloud Storage Options for Anytime, Anywhere Access to Passwords

• Provision to export and automatically synchronize the password-protected, encrypted HTML files to authorized users' Amazon S3 and Box accounts.
• Administrators can configure automatic deletion of the exported files in the users' Amazon S3 or Box accounts after a set time period and also trigger password resets for all the resources contained in the file.

Active Directory - Synchronization Enhancements

Version 9600 introduces a revamp to the 'Synchronization Schedules' screen under Active Directory (AD) configuration. The screen now includes a sidebar navigation tab that lists the AD domains that have synchronization schedules configured and also offers a separate view of synchronization schedules configured for users and resources respectively. The enhancements include:

• Provision to schedule separate synchronization intervals for import of users and resources respectively, for any given domain.
• Provision to schedule separate synchronization intervals for multiple groups in a domain, for import of users and resources.
• Provision to schedule separate synchronization intervals for multiple organizational units (OUs) in a domain, for import of users and resources.
• Provision to set a custom display name for groups/OUs imported from AD domains. The original AD names of the groups/OUs will also be retained.

Microsoft CA Certificate Signing

Password Manager Pro now allows users to get certificate requests signed from Microsoft Certificate Authority, thereby facilitating complete life cycle management for certificates issued by Microsoft Certificate Authority.

CMDB Integration for SSL Certificates Synchronization

Administrators can now sync SSL certificates stored in Password Manager Pro's repository with ManageEngine ServiceDesk Plus CMDB and map certificates to specific servers / applications in the CMDB. This allows them to monitor their usage and expiration from ServiceDesk Plus' CMDB.

SSL Certificate Groups

This enhancement allows users to organize SSL certificates into logical groups based on various criteria and execute actions in bulk for the groups.

Localization Support for Turkish

Introducing localization support for Turkish in Password Manager Pro's multi-language editions, in addition to Chinese, Japanese, Spanish, German, French, and Polish languages.

Disable Password Resets for Privileged Accounts

This enhancement to account creation and edit actions under Resources tab allows administrators to disable both local and remote password resets for all or a specific set of accounts associated with a resource.

• Administrators can now set a non-administrative role-either system-owned or custom made, as the default user role in their Password Manager Pro installation. The default role will also be assigned automatically to users imported from CSV files/AD/Azure AD/LDAP, unless manually specified otherwise by the administrator.
• Earlier, when the Password Manager Pro server (PMP) had a firewall or load balancing configuration, the PMP audit trails showed the IP address of the firewall/load balancer instead of the IP address of the user's machine. From v9600 onwards, PMP will log the IP address of the machine, from which it was accessed, in the audit trails instead of the firewall/load balancer IP address.
• For Password Manager Pro's MSP editions, the audit trails under Resource, User, and Task Audit tabs now also display the name of the respective MSP or client organization associated with the related operation.
• Date based discovery filter for Microsoft Certificate Authority certificate discovery introduced.
• Option to separately track and manage various versions of the same SSL certificate (with the same common name).
• Option to import and map a private key to certificate.

Bug Fixes

• From v9200 till v9502, when a resource had access controls enabled and multiple users later requested access to that resource with different timeframes for password checkout, the timeframe of the last logged request alone was recognized and every user could get access to that resource only during that timeframe. This has been fixed.
• From v9200 till v9502, when a resource has access controls enabled for a particular user group, the access controls did not apply to any new user(s) added to that user group later. Similarly, the access controls still applied to a user even after they had been removed from that user group. This has been fixed.
• From v9000 till v9502, when users who were either Password Users or Password Auditors launched an SSH or a SQL session, the option to initiate a chat with the administrator monitoring the session was not displayed in the session terminal window for the aforementioned users. This has been fixed.
• From v8700 till v9502, under custom roles, the permission to add resources to a resource group in Password Manager Pro was attached to the operation 'Add Resource Group'. This has been changed; the permission is now attached to the operation 'Edit Resource Group.'
• From v9000 till v9502, under any sections of the Audit tab such as Resource Audit, User Audit etc., when the user runs a filter or keyword search for a specific set of audit trails and later tries to export the obtained results alone, the exported PDF or CSV file instead contained all the audit trails. This has been fixed.
• From v9000 till v9502, if the users were enforced to provide a reason for password retrieval under General Settings, the users could submit a blank space in the reason field and still retrieve the password. This has been fixed.
• Earlier, remote password reset did not work for Oracle user accounts if the respective accounts' names began with a number or a special character. This has been fixed.
• Earlier, if a resource's DNS name contained more than a hundred characters, the corresponding Resource Actions icon did not work under the Resources tab. This has been fixed.
• Earlier, when users tried to manually change the password for an existing account of any resource, they were able to set a password that did not comply with the password policy defined for that resource if password visibility is set to 'Show' under 'Show/hide Password'. This has been fixed.
• Earlier, when generating certificate signing requests with SAN names, the SAN names were not updated. This has been fixed.
• Earlier, there were issues with fetching the system locale on Microsoft CA discovery. This has been fixed.

Security Fix

• Password Manager Pro's master encryption key generation process, which was identified as being weak and vulnerable due to relatively less entropy, has now been made stronger with the inclusion of a higher entropy rate. This addresses and fixes the said vulnerability-the ability to roughly identify the character pattern used to generate the master encryption key (provided that one has direct physical access to the server in which PMP is installed).

Feature Enhancements

• User Sessions
  This enhancement allows administrators and auditors to view the list of user sessions for a specified time period. A user session includes all actions performed by a user, between a specific login and logout. The view also indicates currently active sessions with the option for administrators to forcefully terminate. This feature is an addition under the Audit tab and helps administrators with fine grained monitoring and control of user activity.
• Key Manager Plus Integration - Now available for all editions
  From v9500 onward, all Password Manager Pro editions (Standard, Premium, and Enterprise) support Key Manager Plus integration to help enterprises take complete control of their SSH and SSL environments in addition to passwords.
• Replication of Password Policies Across Client Organizations (MSP Edition)
  This latest enhancement to the replication feature allows MSP administrators to quickly replicate MSP organization's custom password policies across the client organizations.

Bug & Security Fixes

• From v8700 till v9402, during Windows resource import from Active Directory (AD) via discovery function, password administrators were unable to view and set up AD Synchronization in the Windows Discovery Tasks page, although they had the permission. This has been fixed.
• From v9000 till v9402, while moving accounts between resources, the search box provided within the destination drop down menu did not work. This has been fixed.
• Earlier, during user import from an LDAP domain, the user groups in the domain were also wrongly identified as individual user objects and listed under Password Manager Pro's 'Users' tab. This has been fixed.
• Earlier, with regard to LDAP authentication, users who were moved from one OU to another in their Active Directory (AD) domain could later not log into Password Manager Pro using their AD credentials. This has been fixed.
• The VBScript scripts used for the following functions in Password Manager Pro (PMP) have been made obsolete and replaced by equivalent .NET API calls made from within the PMP application. This is to ensure the passwords never leave the PMP application space, even to Windows Task Manager or Process Explorer.
  1. Local and service accounts enumeration during Windows discovery.
  2. Fetching of service accounts and scheduled tasks for Windows and Windows Domain resources.
  3. Password change and verification as well as associated service restarts for Windows resources.
  4. Service accounts and scheduled tasks password resets for Windows Domain resources.

New Feature

Key Manager Plus Integration

The tight integration brings all features of Key Manager Plus right inside Password Manager Pro to provide a complete Privileged Identity Management solution.This help enterprises centrally manage, monitor, control and audit the entire life cycle of privileged passwords, SSH keys and certificates from a single user interface.

Security fix:

• From v9000 till v9300, there were reflected XSS issues in the URLs 'SearchResult.ec and BulkAccessControlView.ec'. This reflected XSS issue has been fixed now.

Bug fixes

• From v9000 till v9300, 'Export Passwords' option was listed under 'Resource Actions' even when "Export/Offline Access - Allow admins and users to export password information to plain-text spread-sheet (.xlsx)" was disabled. This has been fixed now.
• From v8700 till v9300, Users, assigned with custom roles created with the privileges of a password user, were not able to invoke the 'Join Active Sessions' action under Audit -> Remote Sessions.This has been fixed now.

New Feature

• File Transfers Over Remote Desktop Sessions
  Henceforth, in real-time Windows RDP sessions launched via Password Manager Pro's session gateway, users can securely transfer files from local machine to remote target machine, and vice versa.

Enhancements & Bug Fixes

• Password Manager Pro now uses captcha services during application login to enhance security. The users will be required to resolve a captcha when they enter an invalid username/password for five continuous login attempts.
• Earlier, out of the remote sessions (RDP, SSH, and SQL) launched via Password Manager Pro's session gateway, one or more of the sessions at random still continued to show under the 'Active Privileged Sessions' tab even when those sessions had already been terminated by respective users. This has been fixed.
• Earlier, the results for 'Find Out of Sync Passwords' action executed for a resource group showed that all passwords were in sync even when passwords for one or all of the Windows resources in that group were not in sync. The wrong results were captured in the audit records as well. This has been fixed.
• Earlier, when a user clicked on the 'Forgot Password?' link in the Password Manager Pro (PMP) login screen to set a new password via email, the email could not be validated if the recipient's email address contained an apostrophe. This has been fixed.
• From v8600 till v9200, in Azure AD user/user groups import, only a maximum of 100 users/user groups could be imported. This has been fixed to allow users/user groups import without any count limitation.
• From v8700 till v9200, users faced blank page issues when the custom role assigned to them did not allow specific actions in that page. For instance, under dashboard provisions, if a user is allowed to access only the user dashboard and not the password dashboard, clicking on the 'Dashboard' button in the left navigation pane displayed a blank white screen upon loading. This has been fixed.
• From v9000 till v9200, under 'Resources' tab, the users faced specific search and page navigation issues after they had accessed a resource group displayed in the 'Password Explorer' tree view. The following bugs have been fixed:
  • In case of search, when a user used the in-line search option available for 'All My Passwords' (or any other tab under 'Resources'), then navigated to a resource group via the tree view and returned back to 'All My Passwords' page, the typed-in search term and the respective results were still retained and displayed.
  • When a user navigated between pages under tabs such as 'Passwords' or 'Favorites', then clicked on a resource group via the tree view and returned back to the tab accessed earlier, the page number (2 or above) that had been selected previously was launched instead of the first page.
• From v9000 till v9200, the global search option in the top pane did not work properly when the search term contained the ampersand sign ( '&' ). For instance, if the search term was 'AT&T', search results were returned only for 'AT', i.e. only for the characters before the sign. This has been fixed.
• From v9000 till v9200, when the account name of a resource contained more than 140 characters, the corresponding Account Actions and Resource Actions icons did not work for that account. This has been fixed.
• From v9000 till v9200, when the URL length of a resource was more than 700 characters, the corresponding Resource Actions icon did not work. This has been fixed.

New feature

IIS Web.config discovery

Password Manager Pro can now identify the domain accounts which are used in the connection string of IIS web.config files that are stored in PMP. While changing the password of the domain accounts stored in Password Manager Pro, it can automatically update the password in the IIS web.config files.

Enhancements and fixes

1. Password Access Control Workflow has been upgraded. With this update:
   • One or more user groups can be designated to approve password access requests.
   • Earlier, some users can be excluded from access control. Now, you have an option to exclude both users and user groups from access control.
   • Users can specify when they want to access the password - now or later, while making a request and can also send a reminder mail before the access time.
   • Similarly, administrator can specify when the user can access the password - now or later, while processing the request.
   • In addition, users can be enforced to provide reason for password retrieval.
   • Reminder e-mail can be sent to the administrator to approve the password request before the stipulated time.
   • A grace time of upto 60 minutes can be provided to the user when the access time ends.
   • Auto check-in time can be specified when the request is approved by the administrator.
   • Maximum time period can be specified after which the pending access request becomes void.
2. Password Manager Pro now integrates with ManageEngine ServiceDesk Plus by validating change request in addition to the ticket ID entered by the user in the ticketing system. And validated occurs only when the change ID provided is approved in ManageEngine ServiceDesk Plus.
3. Password Manager Pro enables recording of RDP remote session launched from the product and you can trace the recorded RDP remote session through the resource name, user who launched the session, time at which the session was launched. In addition, start and stop audit for RDP remote session has been enhanced now.
4. In v9000 and above, the mail notification sent to the users about the access permission shared or revoked contained blank values. This has been fixed now.
5. In v9000 and above, 'resource actions' icon was not listed for user with custom role 'edit resource'. This has been fixed now.
6. From v9200 and above, a resource can also be searched in the search column by providing the resource URL. Earlier, a resource can be searched only by providing the resource name, description or resource type.
7. In v9000 and above, configure access control deactivation for resources in bulk was not working. This has been fixed now.
8. In v9100 and above, when enabling two factor authentication - Duo security, the screen hangs at 'Initializing web client'. This has been fixed now.
9. In v8704 and above, Secondary DNS field in WindowsDomain resource type was removed. This has been fixed now.
10. Earlier, already existing resource type can be added again with change in alphabet case (lower case or upper case). This has been fixed now.
11. Earlier, addon failed to auto-fill passwords to the websites in client org. This has been fixed now.
12. Earlier, Access Snapshot was not working upon clicking 'View per page' to 50 / 75 / 100 resources. This has been fixed now.
13. Earlier, Windows discovery fails when the username / password contained angular brackets and the harmful content audit has the actual password in clear text. This has been fixed now.

New Features

• JIRA Service Desk Integration
  Out-of-the-box support for Password Manager Pro to readily integrate with JIRA Service Desk integration to automatically validate service requests related to privileged access.
• Salesforce - New Resource Type Support for Remote Password Synchronization
  Support for remote password reset and verification of Salesforce resources.

Enhancements & Fixes

• Replication of Additional Attributes for Default Resource Types Across Client Organizations (MSP Edition)
  Earlier, MSP admins could only replicate the custom resource types in MSP org across all client organizations. Now, MSP admins can also replicate any additional resource and account attributes added to the default resource types also across the client orgs.
• In v8000 and above, Mac account discovery for Linux resources did not work properly and only root account were discovered instead of all user accounts. This has been fixed now.
• Earlier, while retrieving the list of resources that are owned/shared to an API user with RESTful API, only those resources with at least one account associated under them were retrieved. This API has now been enhanced to also retrieve resources without any associated accounts.

New Features, Enhancements, Changes & Fixes

• New User Interface
  
  From build 9000 onwards, Password Manager Pro will switch to a new user interface (UI) in order to improve user experience. The rich, modern look of the new UI embraces the flat design, and includes enhancements to the speed and usability of the application. Users will be able to navigate between tabs quicker than before and access data without multiple page reloads, thereby equipping admins to get their jobs done faster. This simple and responsive design is optimized across both mobile and web platforms to provide a wholesome experience to the user.
  
  
• Important Change in the Design of Criteria-based Dynamic Resource Groups
  
  From build 9000 onwards, for criteria-based dynamic resource groups, criteria will be applied only on the resources owned by the group owner and on the resources owned by the administrators who have manage permission to the group. Criteria will not be applied on the shared resources. This represents a significant change from the existing design. At present, criteria gets applied on all resources that are owned by the user who is creating the group and on the ones shared with "Manage" permission. Shared resources are being excluded in the new version. Once you move to the latest version, some resources that were part of a criteria-based dynamic group created by you would have been removed from the group due to this change.
  
  In the new design too, administrators who have access to a dynamic group with "Manage" permission (henceforth known as "Full Access" permission) shall be able to add the resources owned by them to that group. That means, the resources owned by them shall become part of the dynamic group upon satisfying the criteria.
  
  Note: This change was introduced in PMP 8.0 for those who installed the full version afresh. That means, for customers who have directly installed builds 8000 and above, this behavior remains the same. The above change will be felt only by customers who have been using Password Manager Pro before the 8000 build was released.


• MIB Update for SNMP Trap Settings
  
  This version includes an update to the MIB (MANAGEENGINE-PMP-MIB), which is integral to SNMP trap configuration in Password Manager Pro. As part of the update, the OIDs used to identify the VarBinds have been revised.
• In v7000 and above, while retrieving passwords, if the user was enforced to provide a reason as configured by the admin, the user was able to retrieve passwords from "Pass Cards" and "All My Passwords" UI by adding just a space in the reason field. This has been fixed.
• In v8600 and above, when Azure Active Directory (AAD) authentication was configured and enabled for users, users from only one specific AAD tenant were able to log in to Password Manager Pro using their AAD credentials while users in other tenants faced login errors. This has been fixed now, by updating the value of the endpoint to which the sign-in requests are sent from Password Manager Pro.
• In v8700 and above, role summary report could not be generated for a role if the respective role name comprised Japanese characters. This has been fixed.
• In v8700 and above, admins using Password Manager Pro's Premium edition were unable to create API users even though XML-RPC API/SSH CLI access and related operations were allowed in the premium edition. This has been fixed.
• In v8700 and above, if an admin disables the "Personal" tab for users by unchecking the respective option under General Settings, the option itself disappeared from view the next time when the admin accessed General Settings. This has been fixed.
• Earlier, in MSP editions, client organizations that had been marked as favorite by respective users were not displayed at the top of the list as they should be. Instead, the client org that one user had most recently marked as their favorite was globally displayed at the top for all users. This has been fixed.
• Earlier, while importing users from AD/Azure AD, when the admin specifies the users to be imported as comma separated values, the action resulted in error if there was spacing after the commas. This has been fixed.
• Earlier, when users share their resource group with other users, the former faced resource group duplication issues in their UI dashboard whenever the latter added a new resource to that shared resource group. This has been fixed.
• Earlier, while adding an account under a resource, the account could not be saved if the user had earlier enabled a custom password field under "Account Additional Fields" and entered a password containing specific special characters including Greater Than/Less Than ( "<", ">" ) symbols in that field. This has been fixed.
• Earlier, during manual resource addition operation, the user was able to add two different accounts under the same name but different casing. However, while saving the added accounts, the second account's user-provided password was automatically replaced with the first account's password. This has been fixed.
• Customers who upgraded to 8700 from any of the older versions faced an issue with the "Personal" tab, i.e. if they had earlier disabled the Personal tab for users, the provision was automatically enabled for users after the upgrade. This has been fixed.