007-011540-001 - RevA - SMC - V5 0 - CRN

Security Management Center

Release Notes
Version: 5.0 Build 1643
Release Notes Issue Date: April 10, 2012

Product Description
SMC is the network management software for the SafeNet High Speed Encryptor product line.
SMC is essentially an always-on Web server and a database, installed on commodity server
hardware.

Users interact with SMC via a Web-based user interface. Users add their SafeNet High Speed
Encryptors to SMC’s database, then click to open the devices’ configurations in the user-friendly
user interface. Users can view, edit, back up, and restore device configurations, and can issue
management commands to devices through SMC.

In addition to configuration, SMC logs SNMP traps from the devices to its database, and
provides a rich event browser to view and search those traps. SMC also facilitates remote,
network-wide firmware upgrades, and produces reports on network inventory and
configuration.

SMC supports SafeNet's current family of high speed network encryptors:

SafeNet Ethernet Encryptor (SEE) – versions 4.1 & prior
SafeNet Ethernet Encryptor Branch Office (SEE BO) – versions 2.1 & prior
SafeNet SONET Encryptor (SSE) – versions 3.5.0 & prior
SafeNet ATM Encryptor II (SAEII) – versions 3.0.4 & prior
SafeNet Link Encryptor (SLE)
    NRZ – 4.01.15 & prior
    Dial-Up – 4.01.15 & prior
    E1 – 1.33 & prior
    T1 – 4.01.15 & prior
    HSSI – 4.01.14 & prior
    T3 – 4.01.13 & prior

© 2012 SafeNet, Inc. All rights reserved. www.safenet-inc.com Page 1 of 14


Version Summary
This version is released for general distribution. Please refer to the Advisory Notes and Known
Issues and Workarounds sections for limitations and restrictions.

Release Description
SMC 5.0 is a feature enhancement release to version 4.1C and prior releases. This release
includes:
Solaris Version: 5.0 build 1643
Windows Version: 5.0 build 1643

Released Components
SMC 5.0 for Solaris 10 installation: smcSetup.bin
SMC 5.0 for Windows Server 2003 and Windows Server 2008 installation: smcSetup.exe
SMC User’s Guide (English): Web-based Help
SMC Companion User’s Guide: 007-012002-001_SMC_V5.0_Companion_User_Guide.pdf
SMC Installation Guide: 007-012003-001_SMC_V5.0_Installation_Guide.pdf
SMC Data Replication Setup Guide: 007-012004-001_SMC_V5.0_Replication_Guide.pdf
SMC Luna SA Integration Quick Start Guide: 007-012005-001_SMC_Luna_Integration.pdf
SMC Customer Release Notes: 007-011540-001_SMC_v5.0_CRN.pdf

Supported Environments
Server Systems:
Supported Operating Systems:
Solaris™ 10 SPARC platform
Windows Server® 2008 R2
Windows Server® 2008 SP2 (32-bit and 64-bit)
Windows Server® 2003 R2 (32-bit only)
Windows 7® Enterprise (32-bit and 64-bit)
Windows Vista® Business (32-bit and 64-bit)
Windows XP® Professional (32-bit only)

Hardware Requirements:
*Minimum:
Server: Sun SPARC™ Enterprise Server (single CPU or more), 2 GB RAM
Intel Pentium 4 processor, 2 GB RAM

Network Performance:
*Minimum:
Server: 10/100 Mbps throughput
Recommended:
Server: 100 Mbps throughput

*Note: Minimum requirements are for small SafeNet managed networks. No more than
50 managed encryptors are recommended.

Client Systems:
Supported Operating Systems:
Solaris 10
Windows 7, XP, Vista, 2003, and 2008 Server
Supported Browsers:
Mozilla Firefox 3.5 and higher
Internet Explorer 8

Virtualization:
Solaris Zones
VMware

New Features and Enhancements
The following features are new in SMC 5.0C. For feature details, refer to the documentation on
the installation CD — specifically, 007-012002-001_SMC_V5.0_Companion_User_Guide.pdf.
Device Firmware Support for SEE v4.1 and SEE Branch Office v2.1
Basic copy and paste method of certification to External CA
OCSP server configuration
CRL server configuration
NTP server configuration
Syslog server configuration
Forward SMC Audit Log entries to RADIUS server — Forward SMC Audit log entries to
RADIUS Accounting server when this option is enabled.

SEE Connection Reports — Generate reports of MAC and VLAN connections table for all
SEE encryptors.

Device Setup Wizard — SafeNet encryptors can be activated and certified with the
device Setup Wizard.

Device configuration backup schedulable job — SSE/SEE Configuration Backup job is
useful for taking a backup of the SSE/SEE device configuration at a scheduled time, one
time, or periodically.

Download SMC server logs from client — SMC server logs can be downloaded onto the
client machine from the browser.

Database Backup job — The SMC database can be periodically backed up for data
recovery.

MySQL binary logging enabled by default — With the binary log, data can be recovered
up to the last update.

Better responsiveness to DMK edit pages — Improved the responsiveness of the DMK
edit pages by avoiding unnecessary immediate field validations.
Discontinued Features
The following features are no longer supported beginning in SMC 5.0.
SafeNet Conversion Encryptor (SCE)
SafeNet HighAssurance Remote (HARemote) – Devices using IPSec to secure the
management communication cannot be managed.
MySQL Clustering

Advisory Notes
Client Browser Settings
After installing SMC, JavaScript must be enabled in the browser running the SMC client
software.

The 'binary and script behavior' option must be enabled in Internet Explorer (IE 8). This
allows the status bar to appear against a transparent background, rather than a grayed
out, opaque background.

The address bar in Internet Explorer displays 'Certificate Error' and highlights the Web
address in red until the self-signed SafeNet SMC certificate is installed in the Trusted
Root Certification Authorities Store of the machine.
Windows Server 2008
Before installing SMC on Windows Server 2008, refer to the SMC Installation Guide for a
list of firewall port exceptions that need to be configured to make the SMC server and
client components accessible.
High Availability Considerations
Pairing
SMC servers cannot be paired across versions. Due to the potential for changes
within the database schema, pairing across versions is not supported.

Pairing also requires that all SMC servers being paired are able to resolve each
other’s host names. This can be done either automatically (by using the network
DNS server), or manually (by adding the host names to the hosts files of the
respective SMC servers). For paired nodes with a fully qualified domain
name (FQDN), add the hostname without the domain name to the hosts file.

In a pairing configuration, device operation may lead to an
usmDHUserOwnPrivKeyChange SNMP error response. Ignore the error message and
refresh the browser instance.
Reference: 74936

Restoring an SMC database to another SMC server, and configuring pairing between
those two servers will not replicate the devices already present in the database.
After restoring the database, but before setting up pairing, go to Administration >
System Configuration > System, delete the property named
com.safenetinc.smc.system.ServerUniqueId, and then restart both servers. Only new
devices (added after the pairing is configured) will be replicated.
Reference: 82354

MySQL Database Backup File Corruption
Starting with SMC 1.2, the mysqldump command is the prescribed tool for taking
database backups. However, the backup files contain binary data mixed with ASCII
information, which is not generally supported for the mysql database restore
command. You must use the "mysqldump --hex-blob" option to take correct
database backups.
Contact SafeNet Technical Support for assistance with restoring the version
1.2 backup images if restoring one of them is necessary and the restore fails.
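
An added example (not from SafeNet's documentation) of the backup step above: it takes the dump with --hex-blob and counts raw bytes in an existing dump file to flag backups taken without it. The database name, MySQL user and output path are placeholders supplied by the caller, and the byte count is a heuristic that also counts non-ASCII text.

```shell
#!/bin/sh
# Added example, not SafeNet code. Database name, MySQL user and output
# path are placeholders supplied by the caller.

# Dump with binary columns written as hex literals (0x...), the option the
# advisory requires. -p makes mysqldump prompt for the password.
smc_dump() {
    db=$1 out=$2 user=$3
    mysqldump --hex-blob --user="$user" -p --result-file="$out" "$db"
}

# Count bytes in a dump that are neither printable ASCII nor tab/LF/CR.
# Heuristic: raw BLOB data shows up here, but so does non-ASCII text
# (for example UTF-8 in a notes column), so a non-zero count means
# "review this file", not "this file is corrupt".
raw_byte_count() {
    [ -r "$1" ] || return 2
    LC_ALL=C tr -d '\11\12\15\40-\176' < "$1" | wc -c | tr -d ' '
}

# Return 0 if the dump is plain text, 1 if it carries raw bytes,
# 2 if the file cannot be read.
dump_is_text_clean() {
    n=$(raw_byte_count "$1") || { echo "cannot read $1" >&2; return 2; }
    if [ "$n" -gt 0 ]; then
        echo "$1: $n raw byte(s) found; retake the backup with --hex-blob" >&2
        return 1
    fi
    return 0
}

# Usage (placeholders):
#   smc_dump "$SMC_DB_NAME" /backup/smc.sql "$MYSQL_USER"
#   dump_is_text_clean /backup/smc.sql
```

A restore into a scratch database remains the definitive check that a backup is usable.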
SMC Server with Multiple Network Interface Cards (NICs)
SMC is designed to work on servers with multiple NICs; however, there are two
features which require special configuration. The steps described below must be
run on all SMC servers, whether running standalone or in replication
(primary and secondary servers). The interface and IP address values should be
configured for each server’s respective values.

o Configuring SMC Firmware Download, SNMP Proxy Agent, and SNMP Trap
Listener to Bind with Specific IP Address

Firmware Download, SNMP Proxy Agent, and SNMP Trap Listener will default to
the value of the smc.server.hostaddress property, as set in the file
<SMC_INSTALL_DIRECTORY>/jboss/server/default/conf/system.properties.

The following line must be added to the configuration file:

smc.server.hostaddress=<IP_address>

After setting the property, restart the SMC server. An SMC user with
administrator privileges is required to stop the SMC server:

To stop the SMC server, run:

# /etc/rc3.d/S99smcjboss stop

To start the SMC server, run:

# /etc/rc3.d/S99smcjboss start

SMC Servers Configured to use only IPv6 Addressing
MySQL database replication configured to use IPv6 addressing only is not a
supported configuration.

Device Management Considerations
SNMP Timeouts with SxE 3.5-based Devices
The 3.5 release of the SxE device firmware adds IPv6 support for device
management. The implementation within the device slightly increases the response
time when making certain management interface changes (for example, modifying
IP address parameters or updating trap destinations).

If the delay negatively affects the SMC interface to the device, SMC’s SNMP timeout
property can be adjusted to accommodate the device response times. Configure the
setting by navigating to Administration > System Configuration > SSE/SAEII/SEE.
Enter a valid value (in seconds) in the Connection Timeout field.

Inband Management with Ethernet Encryptors
The management of remote in-band encryptors via the management interface is a
complex issue to address. The requirement to manage an encryptor from either the
management or the in-band interface, and then to ensure response packets are
routed via the same interface from which the request was received, differs from
normal IP routing behavior. This can lead to invalid network topologies that work in
some cases, but fail in other cases.

As a result, it is not possible to download a software image (or receive traps) via the
management interface of an in-band, remote-managed encryptor that is not the
in-band gateway encryptor.

To eliminate these problems, ensure that if both the management and in-band
interfaces are configured on a remote-managed encryptor, then there are active
routed paths back to the SMC workstation for both interfaces (especially the in-band
interface).
Reference: 72713

Link Encryptors
There is no error checking for the correct SLE device type. Select a valid SLE device
type in the drop-down menu and double-check to ensure it matches correctly with
the hardware device type.
Reference: 33265

The configuration timeout settings for SLE devices are longer than expected;
however, no action is required by the user. The configuration timeout uses an
exponential backoff algorithm. With Timeout = 5 and Retry = 3, the first transmission
occurs at 0, and the waits are 5 (R1) + 10 (R2) + 20 (R3) + 40 (final timeout) = 75 secs.
Reference: 33438

General
Duplicate IP addresses are, by design, allowed to be entered into SMC. However, the
administrator will need to verify the IP address, network configuration, and
communication to be certain that this is what is intended.

When opened with third-party programs such as Microsoft Excel, the contents of
CSV files may be interpreted by the program in use. Refer to the third-party
documentation for control of formatting for display purposes.

If SMC is running on a system that does not meet SMC’s system requirements, the
keystore migration from SMC’s database to the Luna hardware security module fails
with an exception. The workaround to this issue is to add the following property in
SMC_HOME/jboss/server/default/conf/system.properties:
smc.bootstrap.start.luna=true and then restart the SMC server.
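
The two system.properties changes in these notes (smc.server.hostaddress in the multiple-NIC advisory and smc.bootstrap.start.luna above) can be applied with a small idempotent helper. This is an added example, not SafeNet code; SMC_HOME and the sample IP address are placeholders.

```shell
#!/bin/sh
# Added example, not SafeNet code. Needs an awk with -v support
# (on Solaris 10 use nawk or /usr/xpg4/bin/awk instead of /usr/bin/awk).

# Set key=value in a Java properties file: rewrite the existing uncommented
# entry (dropping duplicates) or append one. Keeps a copy in <file>.bak.
set_property() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] && [ -w "$file" ] || { echo "cannot edit $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    tmp="$file.new.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            name = line; sub(/[ \t]*[=:].*$/, "", name)   # text before = or :
            if (line !~ /^[#!]/ && name == k) {
                if (!done) { print k "=" v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so the original owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print the effective value of a property; exit status 1 if it is not set.
get_property() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[#!]/ { next }
        {
            name = line; sub(/[ \t]*[=:].*$/, "", name)
            if (name == k) {
                val = line; sub(/^[^=:]*[=:][ \t]*/, "", val); found = 1
            }
        }
        END { if (found) print val; else exit 1 }
    ' "$1"
}

# Usage on the SMC server (SMC_HOME is a placeholder for the install
# directory; 192.0.2.10 is a constructed sample address):
#   conf="$SMC_HOME/jboss/server/default/conf/system.properties"
#   set_property "$conf" smc.server.hostaddress 192.0.2.10
#   set_property "$conf" smc.bootstrap.start.luna true   # Luna workaround only
#   /etc/rc3.d/S99smcjboss stop
#   /etc/rc3.d/S99smcjboss start
```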

Resolved Issues
Severity  Classification  Definition
C         Critical        No reasonable workaround exists
H         High            Reasonable workaround exists
M         Medium          Medium level priority problems
L         Low             Lowest level priority problems

Issues Resolved in this Release

Issue   Severity  Synopsis
80598   L  Installer displays ":!not found" and then continues
102124  H  Windows: SMC does not report failure message in the server.log when another ftp server is running
102125  C  Windows: SNMP Agent does not report failure when the port 162 was occupied
102126  C  Windows SMC does not start SNMP Agent service when the port 161/162 was released.
106612  H  Restore db utility always complains about Access denied
108522  M  CSV escaping of quotes is not compatible with Excel
109192  M  MAC Mode Devices Do Not Display Inband VLAN Table in Connections Panel
111015  H  Manage Global Search privilege does not give user access to manage.
122323  C  Dir Sync startup failed on Windows 2008
123616  M  Increase import file size limit
123619  M  Page Refresh Issue: Working bar goes away long before refresh the page
124322  M  All keysets- Search box image displays partial
125816  C  Error initializing keystore
128431  H  SMC sending incorrect accounting request message
128486  M  Radius accounting request message should include Class attribute
128865  L  Incomplete message in Baseline configuration report
128891  M  Sorting on Device List Page does not work correctly on IP Addresses
130186  L  SxE device user limit is not enforced on DMK
133370  H  Pairing - Certificate renewal fails when choose preferred from a pairing node- EXCEPTION = Keyset not found

135038 H Missing field "Disable Non admin user" and "Expire CLI session" from CTAM-User Management page
136899 M Incorrect Target Name and Type in Audit log
136903 M Change instruction for 1st time certification of a BO device pre 2.1
136905 M Incorrect Audit log entry when user modifies user profile
140402 L Changing Preferred Key causing exception
140802 L Created null - when user creates a role an audit log entry is created as null
140803 M Misleading Audit entry
140807 L Missing Successful/Unsuccessful flag in Audit log entry
141400 H JBoss security vulnerability (CVE-2010-0738)
143498 C Keyset not found to certify the device when user trying to recertify a device using script
144951 M Event not converted into alarm warning "Secure tunnel(s) are down"
147017 L Trap description for certificateExpiry and fipsModeChange are wrong for SxE device
147638 L Enlarge- "Script Selected" field in the Script runner
151095 M Force Logout does not work.
151913 L Mismatched menu and page name: Event Log
151915 M Renew Device Certificate failed on SEE 3.2.7
151920 H SAE2: Device was not actually re certified but the script output shows Certificate loaded
151935 L Mismatched menu and page name: Audit Log
151936 L Mismatched menu and page name: Script Management
151937 L Mismatched menu and page name: Script Run History
151938 L License code entry field too small - 136 characters in a 25 char field
152526 M Incorrect Target Name in the Audit Log
153174 H After import filtering device is not working as expected
154136 L SxE trap ALARM_POWER_REMOVED is not converted into alarm

Known Issues and Workarounds
Issue Severity Synopsis
64453 H Summary: Secure negotiation fails if a V2 certificate has Subject Name (DN)
longer than 32 characters.
Workaround: Limit Subject Names to 32 characters or fewer. From SMC, issue
certificate(s) with 32 or fewer characters in the Subject Name field.
107368 H Summary: SNMP connection timeout during multiple device user deletion may
lead to non-selected users getting deleted.
Workaround: Set the Connection Timeout to a higher value from the System
Properties panel. This will circumvent the timeout issue, and address the
problem.
83734 H Summary: SMC may not log events in the event table sent by SxE device if the
device times out during alarm polling.
Workaround: Disable Trap filter under Configuration > SNMP Proxy Agent >
Trap Configuration.
138608 H Summary: Device (SEE/SSE) configurations restore fails.
150285 Workaround: None. Contact Customer Support for assistance.
154641 H Summary: Pairing - Sent Sync and Update fails for hostname with domain name
(FQDN) due to hostname resolve failure.
Workaround: Configure the hostname of the paired nodes without the domain
name in the system hosts file.
155155 H Summary: SNMP error badValue occurs when setting default multicast action
and default broadcast action of the Ethertype Default Policy for SEE BO device.
Workaround: Configure using Command Line Interface (CLI)
156904 H Summary: SNMP error notWritable occurs when clearing frame counts for SEE
BO 2.1 device in VLAN connection mode
Workaround: Clear frame counts from Command Line Interface (CLI)
156917 H Summary: Tx / Rx frame counts are not displayed for SEE BO device in VLAN
connection mode.
Workaround: View frame counts using Command Line Interface (CLI)
31878 M Summary: Data Migration from legacy SMC does not import manufacturing
certificates for SLE device management.
Workaround: Import certificates manually and re-authenticate SLEs.
107349 M Summary: Special character usage causes text to convert into unreadable hex
numbers in Pre-Login, Post-Login Banners, and Notes fields of an encryptor.
Workaround: Delete the incorrect values and avoid the usage of special
characters in the above mentioned fields.

107356 M Summary: SNMP Proxy request using V1/V2 may timeout when a device is
edited.
Workaround: Reload the SNMP Proxy Agent configuration using SNMP Proxy
Agent > Agent Settings > Maintenance > Reload button.
81721 M Summary: Clicking the New Window when browsing with IE8 will sometimes
display the Certificate Warning page, and other times it will not.
Workaround: Add the Self-signed SMC certificate to the trusted root certification
authority’s store of the client machine.
107372 M Summary: Script Input Details editor panel disappears
Workaround: Click the Input Details button twice.
107374 M Summary: Deletion of an Extended Inventory report created from Security >
Reports for the SLE removes all the reports from the table.
Workaround: Navigate away from the page and then reopen Security > Reports
> SLE > Inventory > Extended Inventory to see the old reports in the Report
table.
107376 M Summary: During a Script Run, nothing opens when attempting to open a script’s
Input Details and/or Show Contents.
Workaround: Refresh the browser page.
107377 M Summary: Double-clicking on the Connections page Refresh button causes the
page to lock.
Workaround: Refresh the browser page.
107378 M Summary: Nullpointer exception in RADIUS login
Workaround: None. SMC does not support Change Password During Next Login
with EAP-MSCHAP_v2.
138513 M Summary: An incorrect, misleading event log message is sometimes logged for a
successful firmware download: "Firmware download XYZ failed. Error message:
org.jboss.serial.exception.SerializationException: Could not create instance of
com.safenetinc.smc.firmware.download.adapter.ctam.FirmwareDownloadAdapter".
Workaround: Firmware activation may not have completed. Verify the firmware
upgrade status. Perform firmware activation if the status shows “100% download
successful.”

153172 M Summary: Importing a large file (device list) sometimes causes a wrapped
exception.
Workaround: After loading a large file, wait a few seconds before importing the
file.
154754 M Summary: Alarm Status page fails to load when Acknowledge or Unacknowledge
action is performed on more than 1000 alarms.
Workaround: Acknowledge or Unacknowledge not more than 100 alarms at a
time.
156825 M Summary: Firmware download completion status may not be reported in the
event log and new firmware may not be activated sometimes for SSE/SEE
running on 4.1 version or SEE BO on 2.1 version. It happens when the device
reports incorrect status (e.g. -1006348440% Retrieving file) randomly at the very
beginning of upgrade.
Workaround: Check the device firmware upgrade status from ‘Status | System |
Software Upgrade Status’ field for ‘100% Upgrade completed successful’ to
confirm the upgrade is complete. Reboot the device to activate the new
firmware.
31035 L Summary: Terminal window doesn’t close after installation of SMC.
Workaround: Close the window manually by clicking on the x button.
61973 L Summary: Configuration > Firmware > Firmware Download: SMC fails to
download the 'Downgrade Fix Image' to a SEE/SSE/SAEII device.
Workaround: Ignore the error in SMC. This downgrade fix automatically reboots
the device. SMC polls for the status and times out logging the error, "Firmware
download failed.” In reality, the download has completed correctly.
107361 L Summary: Alarms in the Alarm Status table are supposed to stay checked, even
after an action is performed on them (such as acknowledge, unacknowledge).
However, intermittently, some of the selected rows will become unselected after
performing the action
Workaround: Select the multiple selection option to select the rows again.
140533 L Summary: On Solaris, GUI mode installer does not repaint the scrollable area
when scrolled up and down
Workaround: Select the content in the scrollable area to view it.

Publications
The following publications are associated with this release:
SafeNet Security Management Center User’s Guide, 007-012002-001 (March 2012)
SafeNet Security Management Center Installation Guide, 007-012003-001 (March 2012)
SafeNet Security Management Center Data Replication Setup Guide, 007-012004-001 (March 2012)
SafeNet Security Management Center Luna SA Integration Quick Start Guide, 007-012005-001 (March 2012)

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover
errors or omissions, or these issues are brought to our attention, we endeavor to correct them in succeeding releases of the product.

Part Number 007-011540-001


Revision A
