  • When the CSP Compliance Manager node is restarted after connecting the KeySafe5 agent from CSP Vault, it may take up to 15 minutes for the KeySafe5 services to access the GUI. If you attempt to access the KeySafe5 GUI during that time, you will see a service unavailable error.

  • When you upgrade Cryptographic Security Platform Compliance Manager you might see an issue where a data source (vault) is listed as connected in the Cryptographic Security Platform Compliance Manager, but listed as disconnected in Cryptographic Security Platform Vault.

    To fix this issue, disconnect the data source and then reconnect it from the Cryptographic Security Platform Compliance Manager webGUI Collections page.

  • When connected to the Cryptographic Security Platform Certificate Manager as a data source, you may see a cryptographic asset count mismatch between the Cryptographic Security Platform Certificate Manager and the Cryptographic Security Platform Compliance Manager. This is because the Certificate Manager does not count or show archived certificates, and the Cryptographic Security Platform Compliance Manager counts all certificates in the data source.

  • Compliance operation parameter values are not currently validated while the operation is being configured. Administrators are responsible for ensuring that parameter values are configured correctly as required for each operation.

  • When deploying on Azure, ensure that you select the correct size for your instance. If you select a smaller size, the Cryptographic Security Platform Compliance Manager may not function correctly. For more information on sizing, see the Deploying a Cryptographic Security Platform Compliance Manager Node in Azure section in the Installation and Upgrade Guide.

  • When you create a connection between Cryptographic Security Platform Compliance Manager and Cryptographic Security Platform Vault, a single node in the Cryptographic Security Platform Compliance Manager receives the data from the entire Cryptographic Security Platform Vault cluster. If that single node in the Cryptographic Security Platform Compliance Manager is removed or destroyed, you would need to create a new connection to reconnect to Cryptographic Security Platform Vault.

  • Cryptographic Security Platform Compliance Manager requires a CPU with AVX (Advanced Vector Extensions) support for the MongoDB database that is installed with our product. If you are using an older CPU, please check that it includes the AVX instruction set. For more information, see https://en.wikipedia.org/wiki/Advanced_Vector_Extensions#CPUs_with_AVX.

    Note: If you are using VMware EVC (Enhanced vMotion Compatibility), you must ensure that the EVC mode that you selected supports the AVX instruction set.

  • Please ensure that port 443 is opened to allow communication from Cryptographic Security Platform Vault to Cryptographic Security Platform Compliance Manager.

  • Cryptographic Security Platform Compliance Manager cannot validate that the Client ID and Client Secret are correct when you configure OIDC using IDaaS. If these values are incorrect, you will not be able to log in to Cryptographic Security Platform Compliance Manager. Please ensure that these values are correct before you save the configuration. We recommend that you copy and paste the values from the provider's page to avoid typos.

  • If you have a 3-node cluster with 2 nodes with a status of offline or unavailable, attempting to remove one of the nodes will fail with a server error. If this happens, please click the Multi-Select checkbox at the top right of the window, select both nodes, and then select Actions > Remove to remove them together.

  • For this release, we support up to 25 tenants.

  • If you want to use KeySafe5 behind a load balancer, the CSP Compliance Manager node IP addresses must be accessible from the KeySafe5 client.
  • Restoring a backup of CSP Compliance Manager to a new VM does not work without using Startup Authentication.
    Note: This issue only happens when you want to restore to a new VM. It does not affect scheduled backups that you use to restore to an existing node in the cluster. 
    To back up to a new server:
    1. Log in to the CSP Compliance Manager as secroot and click Switch to Appliance Management.
    2. In the top menu bar, click Cluster.
    3. Select Actions > Startup Authentication.
    4. Select Enable, enter a password, and then click Apply.
    5. Create a backup. 
      After the backup is completed, you can disable Startup Authentication. 
    6. Restore the backup to your new VM. You will be prompted for the password that you set for the original VM. 
  • After upgrading to 10.5.1, you may see an issue where KeySafe5 does not run correctly. 
    To fix this issue: 
    1. Log in to the CSP Compliance Manager as secroot.
    2. Configure the Default tenant and ensure that the Discovery data source is visible on the Data Sources page. 
      Note: If you had only one tenant when you upgraded, that tenant will automatically become the Default tenant. If you had more than one tenant, then the last tenant created will automatically become the Default tenant. 
    3. Log in to the CSP Compliance Manager System Console as htadmin.
    4. In the System Console, select Manage Cryptographic Security Platform Compliance Manager Node and then Recover Cryptographic Security Platform Compliance Manager Cluster.
    5. Select Yes to reset the cluster. 
      Note: This can take around 30 minutes. 
    6. After the operation has completed successfully, return to the CSP Compliance Manager webGUI. 
    7. Navigate to https://CSP-Compliance-Manager-Master-Node-IP-Address/keysafe5 and validate that you can log in using the Default tenant credentials. 
  • After upgrading CSP Compliance Manager from 10.4.7 to 10.5.1, running "Rescue Tenant" on an upgraded tenant causes the rescued admin user to lose the following roles:
    • Keysafe5 admin
    • Discovery admin
    • Appliance admin

    These roles must be manually reassigned to the rescued user. Any users invited after the rescue and granted those roles will retain them as expected.

  • When you view the Cryptographic Assets page for the Discovery Source Vault, the PQ Status is not displayed for assets discovered using the Azure Key Vault plugin. 
  • After upgrading CSP Compliance Manager to 10.5.1, the Certificate Manager policies will not run correctly until you manually sync the data source. To do so, log in to your Certificate Manager, navigate to the Compliance Manager connection page, and then click Sync Now.
  • KeySafe5 is not supported for Cloud installations, such as AWS, Azure, or GCP.  
  • When deploying CSP Compliance Manager in a VMware environment, we recommend that you disable the Memory Balloon driver. This is done by setting the Sched.Mem.MaxMemCtl parameter to 0 for this specific virtual machine. For more information, see https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-resource-management-8-0/advanced-attributes/set-advanced-virtual-machine-attributes.html
  • Because the CSP Compliance Manager uses the name "secroot" for the system login, you cannot create any other users with the name "secroot". 
  • There is currently no licensing entitlement for nShield HSM. 
  • The following Single Sign-On use cases are not implemented in 10.5.1:
    • When navigating between Tenant Management and Appliance Management, you will need to reauthenticate by entering your credentials. This applies to all users except the "secroot" user.
    • You cannot use Single Sign-On across multiple browser tabs. Each tab requires its own authentication.
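
For the AVX requirement and the VMware EVC note above, an added pre-deployment check (not part of the product or its documentation): fed /proc/cpuinfo from a Linux guest created on the same hosts with the same EVC mode, it lists the logical CPUs whose flags lack avx. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/cpuinfo format: CPU 0 exposes AVX, CPU 1 does not
# (what a guest can see when the selected EVC baseline masks the instruction set).
sample_cpuinfo() {
cat <<'EOF'
processor : 0
model name : Example CPU (constructed)
flags : fpu sse sse2 ssse3 sse4_1 sse4_2 xsave avx avx2

processor : 1
model name : Example CPU (constructed)
flags : fpu sse sse2 ssse3 sse4_1 sse4_2
EOF
}

# Reads cpuinfo-format text on stdin and prints the ID of every logical CPU
# whose flags line lacks the exact token "avx". Whole-token matching keeps
# "avx2" or "avx512f" from being counted as "avx". Prints "unknown" when the
# input has no flags lines at all (for example a non-x86 cpuinfo).
cpus_without_avx() {
  awk -F': *' '
    /^processor[ \t]*:/ { id = $2 }
    /^flags[ \t]*:/ {
      seen = 1; ok = 0
      n = split($2, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "avx") ok = 1
      if (!ok) print id
    }
    END { if (!seen) print "unknown" }'
}

# Succeeds only when every logical CPU in the input reports AVX.
avx_preflight() {
  missing=$(cpus_without_avx)
  if [ -n "$missing" ]; then
    echo "AVX not confirmed on CPU(s):" $missing >&2
    return 1
  fi
  echo "AVX present on all logical CPUs"
}

# Demonstration on the constructed sample; on a real guest use:
#   avx_preflight < /proc/cpuinfo
echo "CPUs without AVX in the constructed sample: $(sample_cpuinfo | cpus_without_avx)"
```
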