Eloquence B.08.10 (beta)
========================

Revision: B2, 2010-02-05

Thank you for your interest in the Eloquence B.08.10 beta test.

This Eloquence test release provides a development snapshot of the
upcoming Eloquence B.08.10 version that has passed some limited QA
process. By making the test versions available publicly we hope to
encourage wider testing.

Please contact support@marxmeier.com to share your feedback or
report a problem.

Please note:
This release is available under the terms of the Eloquence Beta Test
Agreement which is specified in the file AGREEMENT.

   http://www.marxmeier.com/eloquence/download/beta/B0810/AGREEMENT

Downloading and installing the software indicates your agreement to
the Beta Test terms and conditions.

This beta release does not meet the release criteria for quality or
performance and is only intended for test usage. If it breaks you get
to keep the pieces.


Introduction
------------

This beta version currently includes a preliminary version of the
Eloquence B.08.10 release.

Major Eloquence B.08.10 database goals include:

- item masking
- data encryption

Eloquence B.08.10 may be installed in parallel with any previous
Eloquence release. Eloquence B.08.10 is installed in the
/opt/eloquence/8.1 directory and the configuration files reside in
the /etc/opt/eloquence/8.1 directory.


Requirements
------------

To use the B.08.10 beta the following requirements must be met:

- On HP-UX, the HP OpenSSL software must be installed. It may be
  obtained from the HP Software Depot web site.
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

- For HP-UX 11i v1 it is recommended to install the KRNG kernel
  support for strong random numbers in addition. It is available
  from the HP Software Depot web site.
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I

- On Linux based systems, OpenSSL 0.9.7 or 0.9.8 must be installed.

- Eloquence B.08.10 requires a license key version B.08.10 or above.

- To use Eloquence encryption, an additional license key option is
  required.


Installation
------------

The Eloquence B.08.10 test releases are available for download from
the following location:

   HTTP protocol: http://www.marxmeier.com/download/beta/B0810/
   FTP protocol:  ftp://ftp.marxmeier.com/eloq/beta/B0810/

To install, please follow the installation instructions in the
platform specific INSTALL document.


B.08.00 compatibility
---------------------

Eloquence B.08.10 is upwards compatible with previous Eloquence
versions. However, a database created with B.08.10 should not be used
with previous Eloquence releases.

To revert to B.08.00 the following procedure is required:

* Please refer to the compatibility section of item masking
  functionality on databases created with B.08.10 when downgrading
  to a previous Eloquence version.

* Please refer to the compatibility section of item encryption
  functionality on databases created with B.08.10 when downgrading
  to a previous Eloquence version.


Documentation
-------------

INSTALL-HPUX            HP-UX platform specific installation notes
INSTALL-LINUX           Linux platform specific installation notes
eq810_item_access.txt   Describes preliminary implementation of item masking
eq810_dbkeyutil.txt     Describes the dbkeyutil utility to maintain master keys
eq810_dbutil.txt        Describes the dbutil changes to support data encryption

Please refer to the Eloquence B.08.00 release notes and reference
documentation for additional information.

   http://eloquence.marxmeier.com/support/B0800/


Summary of enhancements (relative to the initial B.08.00 release)
-----------------------------------------------------------------

* All B.08.00 patches (as applicable) are merged to B.08.10
* Add support for item masking
* Add support for data encryption


Known issues and limitations
----------------------------

The following issues are known in the current test version:

- The fwaudit utility is unable to access encrypted content as it
  does not yet support a way to specify a master key.

- The dbcfix utility is unable to access encrypted data and may
  either abort or (in write mode) corrupt the database.

- Applications using the fwutil library are unable to access
  encrypted content as it does not yet support a way to specify
  a master key.

- The dbbexp utility is unable to access encrypted data and may
  either abort or create corrupted export files.

- Installation of the OpenSSL library is required, if the encryption
  license option is present, even if data is not encrypted.

- Attempting to open an encrypted database where encryption keys are
  unavailable will fail with status -5 (access denied). Opening in
  mode 8 (readonly) will succeed in this case but encrypted data will
  be "blanked".

- There is currently no documented way to delete an encryption key.

- An Eloquence 8.10 version for Windows is not yet available


Recent Changes
--------------

Changes since B1

- The dbkeyutil utility uses a secure communication channel to
  submit the master key to the server process. Depending on the CPU
  performance this could result in a short delay when submitting a
  master key to the server while a temporary session key is generated.

- The database server now encrypts indexes on fields marked as
  encrypted.

- The "operator" user property was added. This may be used to
  indicate user accounts permitted to perform operational tasks.
  This makes it possible to be more restrictive with administrative
  accounts.

- The DBINFO mode 114 was added to allow obtaining field status.

  DBINFO mode 114 is similar to DBINFO mode 104 but returns item
  status information rather than item numbers. It is available in
  both the image3k and the native client library. However it is
  currently not available in eloqcore.

  The returned status information is bit encoded (per item) as
  indicated below:

  bit 0 - set if field is stored on disk in encrypted format
  bit 1 - set if some encryption key for the database is not
          available. If this affects the actual record, the field is
          blanked (if a string item) or zeroed.
  bit 2 - set if an item mask exists for this item
  bit 3 - set if an item mask affects information in this field
          (e.g. information is truncated).

  Bit 0 and bit 2 may be used by an application to understand a
  field has sensitive information, so it should be handled with
  extra care (e.g. not included in application logs).

  Bit 1 and bit 3 may be used to indicate the field content is not
  available or only partially returned.

  Please note that DBINFO 114 is considered experimental at the
  moment and your feedback is appreciated.

- Improved server messages on submitting and revoking master keys

- The dbkeyutil utility no longer links directly against libcrypto

- The dbkeyutil adds a note to the key file when creating a new
  master key

- The dbutil utility was enhanced to support the operator user
  property (both interactive and in batch use).

- The dbutil utility supports transferring all data encryption keys
  of a database to a new master key

- The dbutil utility emits a warning message if encrypted fields are
  used as search items and are not encrypted in a related set

- The dbutil utility emits an error message if encryption is used
  but no data encryption key was created.

- The dbutil utility emits a warning message if data encryption keys
  are present but encryption is not used.

- A problem in the fwutil library was fixed that could result in an
  abort due to an alignment problem with encrypted information

- Fixed a problem in the server process that could result in a
  corrupted database structure when upgrading the database catalog.

- Fixed a problem in the dbutil utility that could result in memory
  corruption.

Changes since A3

- Provide full Eloquence distribution

Changes since A2

- Fixed problem with dbkeyutil chpass command

- Fixed problem on HP-UX accessing the OpenSSL library

Changes since A1

- Incorporated the most recent B.08.00 fixes

- Added new dbkeyutil utility to maintain master keys

- Added support for data encryption

- Fixed a problem causing database restructuring to fail on
  databases created with previous Eloquence versions.
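
Added example (not part of the Eloquence distribution or documentation): one way an application could act on the per-item status bits listed for DBINFO mode 114 under "Changes since B1", keeping sensitive fields out of its log and flagging values that may be blanked or truncated. It does not call DBINFO; it assumes the per-item status values have already been obtained, and struct item, the ST_* names, both helper functions and the sample record are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Bit meanings as listed for DBINFO mode 114 in these release notes. */
#define ST_ENCRYPTED    (1u << 0)  /* stored on disk in encrypted format */
#define ST_KEY_MISSING  (1u << 1)  /* some encryption key is unavailable */
#define ST_HAS_MASK     (1u << 2)  /* an item mask exists for this item */
#define ST_MASK_APPLIED (1u << 3)  /* the mask affects the returned data */

struct item { const char *name; const char *value; unsigned status; };

/* Bit 0 or bit 2: treat the field as sensitive (keep it out of logs). */
int item_is_sensitive(unsigned st) { return (st & (ST_ENCRYPTED | ST_HAS_MASK)) != 0; }

/* Bit 1 or bit 3: content may be blanked, zeroed or truncated. */
int item_may_be_incomplete(unsigned st) { return (st & (ST_KEY_MISSING | ST_MASK_APPLIED)) != 0; }

/* Write "name=value" pairs to out, replacing sensitive values and flagging
 * possibly incomplete ones. Returns the number of redacted items, or -1
 * if out is too small to hold the whole line. */
int format_log_line(char *out, size_t outlen, const struct item *items, size_t n)
{
    size_t used = 0;
    int redacted = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int sens = item_is_sensitive(items[i].status);
        int w = snprintf(out + used, outlen - used, "%s%s=%s%s",
                         i ? " " : "", items[i].name,
                         sens ? "[redacted]" : items[i].value,
                         item_may_be_incomplete(items[i].status) ? "(partial)" : "");
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
        redacted += sens;
    }
    return redacted;
}

int main(void)
{
    /* Constructed sample record; status values are made up for illustration. */
    const struct item rec[] = {
        { "CUSTNO", "10042",      0 },
        { "NAME",   "Example Co", 0 },
        { "IBAN",   "",           ST_ENCRYPTED | ST_KEY_MISSING },
        { "PHONE",  "0202",       ST_HAS_MASK | ST_MASK_APPLIED },
    };
    char line[256];
    int n = format_log_line(line, sizeof line, rec, sizeof rec / sizeof rec[0]);
    printf("%s  [%d redacted]\n", line, n);
    return 0;
}
```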