conpal LAN Crypt 4.00.0
Administration release notes
Please also refer to the LAN Crypt 4.00.0 Client release notes.
conpal LAN Crypt is the successor of SafeGuard LAN Crypt.
conpal LAN Crypt 3.97 Administration was the initial conpal release of the Administration. It contained the fixes and hotfixes of the previous SafeGuard LAN Crypt 3.90 Administration, but almost no functional enhancements. Regarding operating systems and databases, additional versions were supported and support for some older operating systems and databases was dropped.
conpal LAN Crypt 4.00 Administration is a significant rework of the Administration, focused on improvements in operational speed and on laying the groundwork for a complete replacement of the API functionality by a faster and more modern approach. It has been reworked from the bottom up, including the cryptographic base.
Some new functions, like SHA2 support for LAN Crypt generated certificates, have been added.
Novell and Windows 7 support has been dropped; Oracle support for more current databases has been added. Current operating systems are supported.
In addition, new client capabilities can be managed.
Please note that we have invested considerable effort in the continuity of the product. A migration of 3.9x databases requires minimal effort.
Mixed environments of older and current clients are supported (please refer to the section Operation of LAN Crypt 4.00 administrative environments).
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The Administration contains an extensive context-sensitive help. This information will also be available for download as a PDF manual a couple of days after release.
Download the admin product documentation at https://docs.lancrypt.com/de/admin/lc_400_ahdeu.pdf in German, at https://docs.lancrypt.com/en/admin/lc_400_aheng.pdf in English and at https://docs.lancrypt.com/fr/admin/lc_400_ahfra.pdf in French.
Updates for the context-sensitive help are made available via our support portal if necessary.
Requirements
The platforms listed below are officially supported. Other service pack levels might work as well, but have not run through a QA cycle and will not be analysed in case of issues.
Platforms supported                                          | 32-bit | 64-bit
-------------------------------------------------------------|--------|-------
Windows 10 Build 1803, 1809, 1903, 1909, 2004 Pro/Enterprise | No     | Yes
Windows Server 2012                                          | No     | Yes
Windows Server 2012 R2                                       | No     | Yes
Windows Server 2016                                          | No     | Yes
Windows Server 2019                                          | No     | Yes
Supported database servers:
- Microsoft SQL Server 2012 SP4
- Microsoft SQL Server 2016 SP2
- Microsoft SQL Server 2017
- Microsoft SQL Server 2019
Azure SQL has been verified to be functional with LAN Crypt Administration 3.97 and 4.0. LAN Crypt 4.0 provides the ability to log on using Active Directory interactive authentication; LAN Crypt 3.97 does not support this type of authentication.
Oracle 12 and Oracle 19 are supported, whereas SQL Server remains LAN Crypt's preferred database.
A LAN Crypt database created under LAN Crypt 3.90 or 3.97 must be updated in advance using "CreateTables.exe %ODBCName% m u" before it can be used with the LAN Crypt 4.00 Administration. The createtables tool prints a help message with specifics, e.g. regarding Oracle.
Upgrade
Additional information on upgrade installations can be found in the user manual.
An upgrade installation of the Administration is supported from conpal LAN Crypt 3.97 (recommended) and SafeGuard LAN Crypt 3.90.
Migration from older versions is not supported, although technically possible; we recommend making use of Professional Services in such cases.
New in conpal LAN Crypt Administration release 4.00.0
- Windows Server 2019 is now supported
- Microsoft SQL Server 2019 is now supported
- Oracle 19 and Oracle 12 are supported, whereas SQL Server remains LAN Crypt's preferred database
- Support for policies for Removables, Opticals, Local Volumes, Boot Volume and Network Shares, to be executed on v4 Clients
- Integration of earlier patches for LAN Crypt
- SHA2 support for LAN Crypt generated certificates (*SO, User)
Operation of LAN Crypt 4.00 administrative environments
Mixed operation of LAN Crypt v4 Admin and LAN Crypt v3.x Admin is not supported.
It is possible to run a v3.97 Admin with v4 Clients and v3 Clients.
It is possible to run a v4.00 Admin with v4 Clients and v3 Clients.
XML is the only supported policy file format of v4.00 Admin and v4.00 Clients.
v4.00 creates new profile files with separate sections for v3 and v4 Clients. The new encryption rules for Removables, Opticals etc. are transported in the new section.
Once new rules have been created with v4.00, it is no longer possible to create profiles with a v3 Admin. Doing so could have negative effects on the client.
Changes
- Integration of new cryptographic libraries in Admin and Client (for security reasons)
- Renewal of 3rd party libraries (for security reasons)
- Integration of a new random number generator (for security reasons)
- Significant improvement of administrative tasks in large installations
- All in all, the optimizations carried out are clearly noticeable in many areas. This concerns both the API and the management program. Since central points have been optimized, the overall system has become faster; individual optimized areas have become dramatically faster.
- Reduction of database accesses: In many functions the number of database accesses has been drastically reduced.
- Improvement of SQL indexes:
  - New indexes were added specifically where a clearly measurable improvement in performance was achieved.
- Improvement in processing algorithms:
  - Internally, functions have been structurally revised to achieve better throughput. In particular, double reading of identical data records has been removed in many places.
  - In order to use parallelization optimally, at least 4 cores should be available on the computer. More cores do not currently provide much further performance improvement.
  - When creating certificates for large groups, more cores are also used well, and up to 12 cores are advantageous. Based on our measurements and configurations we recommend 6-8 cores.
  - Beginning with V4.00.0, the functions that process many individual orders in one order are parallelized. Examples are the creation of certificates and profiles.
  - Certificate creation, for example, is parallelized across the steps of reading the database, creating keys, and writing the certificates, which run as a pipeline. Profile creation is handled the same way, with the substeps reading the database information, preparing the XML profile, signing profiles, compressing, and writing profiles. The subareas are well separated, and the runtime for larger groups has been approximately halved in our test environments.
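The staged profile pipeline described above, as an added illustration (this is not conpal's code, and the product's profile format and signing mechanism are not reproduced): each substep runs in its own thread, connected to the next by a bounded queue, so the signing of one profile overlaps with the database read of the next. The "database" is a constructed in-memory table, signing uses HMAC-SHA256 with a constructed key in place of the SO's certificate, and the "profile directory" is a dictionary; all of these are assumptions made to keep the example offline.

```python
import hashlib
import hmac
import queue
import threading
import zlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the SO's signing credential (real profiles are
# signed with certificates; HMAC-SHA256 is used here only to stay offline).
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed "database": user -> key ids assigned via group membership.
USER_ROWS: Dict[str, List[str]] = {
    f"user{i:03d}": [f"KEY-GROUP-{i % 5}", "KEY-COMPANY"] for i in range(40)
}

_STOP = object()  # sentinel handed down the pipeline once input is exhausted


def read_db(user: str) -> dict:
    """Stage 1: fetch the user's key assignments (one DB round trip per user)."""
    return {"user": user, "keys": list(USER_ROWS[user])}


def prepare_xml(rec: dict) -> dict:
    """Stage 2: render the profile as XML (toy schema, not the product's)."""
    keys = "".join(f'<key id="{k}"/>' for k in rec["keys"])
    rec["xml"] = f'<profile user="{rec["user"]}">{keys}</profile>'.encode()
    return rec


def sign_profile(rec: dict) -> dict:
    """Stage 3: sign the XML so a client can detect tampering."""
    rec["sig"] = hmac.new(SIGNING_KEY, rec["xml"], hashlib.sha256).hexdigest()
    return rec


def compress_profile(rec: dict) -> dict:
    """Stage 4: compress the signed payload."""
    rec["blob"] = zlib.compress(rec["xml"])
    return rec


def run_pipeline(users: List[str], store: Dict[str, Tuple[bytes, str]],
                 depth: int = 8) -> Dict[str, Tuple[bytes, str]]:
    """Run the stages concurrently, linked by bounded queues of size `depth`.
    A feeder thread pushes users in; the final 'write' stage runs in the
    calling thread and fills `store`, the in-memory stand-in for the profile
    directory."""
    stages: List[Callable] = [read_db, prepare_xml, sign_profile, compress_profile]
    pipes = [queue.Queue(maxsize=depth) for _ in range(len(stages) + 1)]

    def worker(fn, q_in, q_out):
        while True:
            item = q_in.get()
            if item is _STOP:
                q_out.put(_STOP)  # propagate shutdown to the next stage
                return
            q_out.put(fn(item))

    def feed():
        for user in users:
            pipes[0].put(user)
        pipes[0].put(_STOP)

    threads = [threading.Thread(target=worker, args=(fn, pipes[i], pipes[i + 1]))
               for i, fn in enumerate(stages)]
    threads.append(threading.Thread(target=feed))
    for t in threads:
        t.start()

    while True:  # stage 5: write
        item = pipes[-1].get()
        if item is _STOP:
            break
        store[item["user"]] = (item["blob"], item["sig"])
    for t in threads:
        t.join()
    return store


def verify_profile(store: Dict[str, Tuple[bytes, str]], user: str) -> bool:
    """What a client would do: decompress, then check the signature."""
    blob, sig = store[user]
    expected = hmac.new(SIGNING_KEY, zlib.decompress(blob), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    out = run_pipeline(sorted(USER_ROWS), {})
    print(len(out), "profiles written; all verify:",
          all(verify_profile(out, u) for u in out))
```

The bounded queues are what keeps memory flat when the group is large: a fast stage cannot run ahead of a slow one by more than `depth` items, and the feeder runs in its own thread so the writer can drain the tail of the pipeline without deadlocking.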
- Optimization of memory management: At central points, the memory handling was improved and optimized. These optimizations were clearly measurable, but only lead to small improvements compared to the reduction of database accesses.
- Optimization of functions: Many functions have been technically revised internally for better maintainability and performance.
- SQL Express is no longer supplied with the distribution. It can be downloaded directly from the Microsoft site.
- Due to security improvements in LAN Crypt 4.00, a warning appears when weak algorithms are selected (XOR, DES, 3DES, IDEA). (LC-957, LC-958, LC-1056) For continuity reasons (e.g. backup) such algorithms are not prohibited. For the selection of XOR this is reinforced: the SO must also have the right to define GUIDs for new keys to be able to select this algorithm.
- Certificates are generated with SHA2 instead of SHA1 (LC-336)
- XTS-AES is the default encryption algorithm in LAN Crypt 4.00
- Support for databases and operating systems other than the ones mentioned has been dropped
- The usage of the Client API must be configured in the Administration and, in case the minifilter is used on the client side, the included script to enable permissions for specific applications has to be adapted and executed on the client side
- Changed behaviour regarding client API permissions for security improvement: Long path names are now the default for client API configuration. For convenience, short names are internally completed by searching some protected paths when program names are configured without path information. The client will search in the following directories:
  - LAN Crypt Install Dir\Shared\ (non-recursive)
  - CSIDL_SYSTEM (typically C:\Windows\System32, non-recursive)
  - CSIDL_WINDOWS (typically C:\Windows, non-recursive)
  - CSIDL_PROGRAM_FILES (typically C:\Program Files, recursive)
  If an EXE file with the specified name is found, the full path is added internally. Other paths are now untrusted for short file names. (LC-690)
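The short-name completion described in this item, as an added illustration (this is not conpal's client code): a bare program name is completed only from the protected directories listed above, honouring the non-recursive/recursive flags, while a same-named EXE in any other location is ignored; a name that already carries path information is taken as configured. That the directories are tried in the listed order is an assumption, and a constructed temporary directory tree stands in for a real Windows installation and the CSIDL_* folders.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

SearchRoot = Tuple[Path, bool]  # (directory, search it recursively?)


def search_roots(install_dir: Path, windows_dir: Path,
                 program_files: Path) -> List[SearchRoot]:
    """The protected locations from the release notes, in the listed order
    (assumed to be the search order). The arguments stand in for the real
    install directory and the CSIDL_* folders."""
    return [
        (install_dir / "Shared", False),    # LAN Crypt Install Dir\Shared (non-recursive)
        (windows_dir / "System32", False),  # CSIDL_SYSTEM (non-recursive)
        (windows_dir, False),               # CSIDL_WINDOWS (non-recursive)
        (program_files, True),              # CSIDL_PROGRAM_FILES (recursive)
    ]


def resolve_program_name(name: str, roots: List[SearchRoot]) -> Optional[Path]:
    """Complete a configured program name to a full path, or return None.

    A name carrying path information is a long name and is used as configured.
    A bare file name is looked up only inside the trusted roots (case-insensitively,
    as on Windows) and the first hit wins. A same-named EXE anywhere else is
    ignored, which is what makes accepting the short form safe."""
    if "\\" in name or "/" in name:
        return Path(name)
    wanted = name.lower()
    for root, recursive in roots:
        if not root.is_dir():
            continue
        if recursive:
            for dirpath, _dirs, files in os.walk(root):
                for fname in sorted(files):
                    if fname.lower() == wanted:
                        return Path(dirpath) / fname
        else:
            for entry in sorted(root.iterdir()):
                if entry.is_file() and entry.name.lower() == wanted:
                    return entry
    return None


def demo() -> dict:
    """Exercise the rules on a constructed directory tree in a temporary folder.
    Results are returned as strings with '/' separators so they read the same
    on any OS."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        install, windows, progfiles = base / "LANCrypt", base / "Windows", base / "Program Files"
        downloads = base / "Users" / "alice" / "Downloads"  # user-writable, not trusted
        for d in (install / "Shared", windows / "System32",
                  progfiles / "Vendor" / "Suite", downloads):
            d.mkdir(parents=True)
        (install / "Shared" / "shared_tool.exe").touch()      # constructed file names
        (windows / "System32" / "notepad.exe").touch()
        (progfiles / "Vendor" / "Suite" / "editor.exe").touch()
        (downloads / "editor.exe").touch()   # same name in an untrusted place
        (downloads / "stray.exe").touch()    # exists only in an untrusted place

        roots = search_roots(install, windows, progfiles)
        names = ["shared_tool.exe", "NOTEPAD.EXE", "editor.exe", "stray.exe",
                 r"C:\Tools\custom.exe"]
        results = {}
        for n in names:
            hit = resolve_program_name(n, roots)
            results[n] = None if hit is None else str(hit).replace("\\", "/")
        return results


if __name__ == "__main__":
    for configured, resolved in demo().items():
        print(f"{configured:25} -> {resolved}")
```

The two interesting rows are editor.exe, which resolves to the copy under Program Files and never to the one in the user's Downloads folder, and stray.exe, which is not found at all even though a file of that name exists on disk: a short name only ever expands to something in a protected location.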
- Group policy configuration is also possible with administrative templates. Support for adm has been dropped. The admx template files are located in the config folder of the product package. Please see http://msdn.microsoft.com/en-us/library/bb530196.aspx for information on how the files have to be installed.
- Import from a Novell directory has not been supported since v3.90. Other Novell functionality is now likewise not supported and will not be functional in the Administration.
- Additional API functions have been added
- The EULA has been updated (for German, English and French)
- The 3rd party inventory has been consolidated and updated
- Admin no longer starts with "Selected users and certificates" (this behaviour can be configured). (LC-844)
Bugfixes
- Recovery key handling fixed. (LC-434)
- Password file: missing carriage return (LC-247)
- Preselected button and triggered action on <Enter> don't match while creating groups (LC-213)
- Wrong error message when trying to build profiles with expired certificates (LC-194)
Known issues
- The detailed description text in the admin log for the action Create profile is erroneously truncated after the first character (LC-1227)
- Explicit rules for file extensions are not executed correctly by the minifilter. The minifilter does not execute rules like *.ext correctly for encryption and ignore rules. As a workaround, we recommend adding an additional rule like *\*.ext. Having both rules, *.ext and *\*.ext, active works for V3.9x and V4.0 clients alike.
- MSO smart card login fails on WS2012 R2 (LC-1120): In Windows Server 2012 R2, SO logon with a certificate on a smart card is not possible. According to our tests, this is the only supported operating system with this limitation.
- Deleting nested groups requires a relatively large amount of memory and can lead to instability. Therefore, we recommend not nesting more than 200 groups into each other. (LC-527)
- Network errors: If the network connection to the SQL server or to an LDAP source is broken during LAN Crypt administration, the LAN Crypt Administration must be closed and restarted (after the network problem is fixed).
- Entering very long data into LAN Crypt dialogues (e.g. configuring trusted applications or virus scanners) might lead to crashes of the administration console. In addition, this data is not saved in the configuration database. (LC-570)
- Simultaneous administration: If more than one SO is working with the LAN Crypt database at the same time, problems can occur. We recommend a regular manual refresh in that case.
- admx templates do not recognize the new placeholders for unhandled devices (LC-1201): If the new placeholders for Unhandled Devices are selected in the LAN Crypt node of the gpme, they are not displayed in the administrative template and therefore cannot be managed there.
- LDAP import and synchronization:
  - If objects are imported from a domain, you must specify the domain name and not the computer name in the server configuration. When configuring server logon data in central settings, either enter only the domain name as server name or add the domain name as an alias.
  - On the root level (e.g. domain), only 999 objects are displayed and imported.
  - Paging controls have to be enabled on the LDAP server.
- Certificate store: LAN Crypt only supports certificates in one of the user certificate stores. It does not support certificates in machine stores.
- Installation on 64-bit operating systems: LAN Crypt Administration is a 32-bit application; when it is installed on 64-bit operating systems, the following has to be considered:
  - ODBC administration: The ODBC connection used by LAN Crypt Administration has to be configured using the 32-bit ODBC Data Source Administrator (%WINDIR%\SysWOW64\odbcad32.exe, or use the shortcut in the start menu). Remark: The shortcut in the LAN Crypt start menu is not displayed on Windows Server 2012. Please use the shortcut ODBC Data Sources (32-bit) available in Administrative Tools instead.
  - Group policy plugin: The group policy plugin to administer LAN Crypt is not shown in the Windows group policy editor. To administer the LAN Crypt policies, the 32-bit Group Policy Editor has to be used (%WINDIR%\SysWOW64\gpedit.msc for local policies or %WINDIR%\SysWOW64\gpme.msc for Active Directory policies, or use the shortcut in the start menu). As an alternative, the administrative templates stored in the config folder of the product package can be used.
  - Scripting API: The scripting API is only available for 32-bit applications. If a Visual Basic script which uses the LAN Crypt scripting API is started, it has to be started from the 32-bit Windows Scripting Host (%WINDIR%\SysWOW64\cscript.exe or %WINDIR%\SysWOW64\wscript.exe).
- Firewall settings: If the Microsoft SQL Server database is located on another machine, please ensure that the firewall is configured correctly. Additional information can be found here: http://msdn.microsoft.com/en-us/library/cc646023.aspx.
- To operate LAN Crypt clients as a service, additional configuration steps are needed. Please contact support for further details.
- For performance (testing) in VMware VMs, it is recommended not to configure more CPUs than the host has available. Scaling should be done by the number of cores (i.e. not 2 CPUs with 2 cores each, but rather 1 CPU with 4 cores if only 1 host CPU is available).
- GPO context sensitive help: For the operation of the Group Policies (GPO settings) there is documentation available in the side panel of the console. There is also a context sensitive help (sglcconfig040x.chm) available. In version 4.00.0, the old version without rebranding was erroneously integrated into the setup. This version is technically almost correct but may still contain incorrect references to SafeGuard or outdated license information. If necessary, an updated version can be obtained from Support a few days after release and will be included in later deliveries. To update, it must be copied to %\Windows\Help (LC-1236).
- The rebranding of Sophos SafeGuard to conpal is comprehensive but may inadvertently be incomplete.