Eloquence B.08.10 (beta)
========================

Revision: B3, 2010-03-03

Thank you for your interest in the Eloquence B.08.10 beta test.

This Eloquence test release provides a development snapshot of the
upcoming Eloquence B.08.10 version that has passed a limited QA
process. By making the test versions available publicly we hope to
encourage wider testing.

Please contact support@marxmeier.com to share your feedback or report
a problem.

Please note: This release is available under the terms of the
Eloquence Beta Test Agreement which is specified in the file
AGREEMENT.

http://www.marxmeier.com/eloquence/download/beta/B0810/AGREEMENT

Downloading and installing the software indicates your agreement to
the Beta Test terms and conditions.

This beta release does not meet the release criteria for quality or
performance and is only intended for test usage. If it breaks you get
to keep the pieces.

Introduction
------------

This beta version currently includes a preliminary version of the
Eloquence B.08.10 release.

Major Eloquence B.08.10 database goals include:

- item masking
- data encryption

Eloquence B.08.10 may be installed in parallel with any previous
Eloquence release. Eloquence B.08.10 is installed in the
/opt/eloquence/8.1 directory and the configuration files reside in
the /etc/opt/eloquence/8.1 directory.

Requirements
------------

To use the B.08.10 beta the following requirements must be met:

- On HP-UX, the HP OpenSSL software must be installed. It may be
  obtained from the HP Software Depot web site.
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

- For HP-UX 11i v1 it is recommended to install the KRNG kernel
  support for strong random numbers in addition. It is available
  from the HP Software Depot web site.
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I

- On Linux based systems, OpenSSL 0.9.7 or 0.9.8 must be installed.
- Eloquence B.08.10 requires a license key version B.08.10 or above.

- To use Eloquence encryption, an additional license key option is
  required.

Installation
------------

The Eloquence B.08.10 test releases are available for download from
the following locations:

HTTP protocol: http://www.marxmeier.com/download/beta/B0810/
FTP protocol:  ftp://ftp.marxmeier.com/eloq/beta/B0810/

To install, please follow the installation instructions in the
platform specific INSTALL document.

B.08.00 compatibility
---------------------

Eloquence B.08.10 is upwards compatible with previous Eloquence
versions. However, a database created with B.08.10 should not be
used with previous Eloquence releases. To revert to B.08.00 the
following procedure is required:

* Please refer to the compatibility section of the item masking
  documentation when downgrading a database created with B.08.10
  to a previous Eloquence version.

* Please refer to the compatibility section of the item encryption
  documentation when downgrading a database created with B.08.10
  to a previous Eloquence version.

Documentation
-------------

INSTALL-HPUX           HP-UX platform specific installation notes
INSTALL-LINUX          Linux platform specific installation notes
eq810_item_access.txt  Describes the preliminary implementation of
                       item masking
eq810_dbkeyutil.txt    Describes the dbkeyutil utility to maintain
                       master keys
eq810_dbutil.txt       Describes the dbutil changes to support data
                       encryption

Please refer to the Eloquence B.08.00 release notes and reference
documentation for additional information.
http://eloquence.marxmeier.com/support/B0800/

Summary of enhancements (relative to the initial B.08.00 release)
-----------------------------------------------------------------

* All B.08.00 patches (as applicable) are merged to B.08.10
* Add support for item masking
* Add support for data encryption

Known issues and limitations
----------------------------

The following issues are known in the current test version:

- The fwaudit utility is unable to access encrypted content as it
  does not yet support a way to specify a master key.

- The dbcfix utility is unable to access encrypted data and may
  either abort or (in write mode) corrupt the database.

- Applications using the fwutil library are unable to access
  encrypted content as it does not yet support a way to specify a
  master key.

- The dbbexp utility is unable to access encrypted data and may
  either abort or create corrupted export files.

- Installation of the OpenSSL library is required if the encryption
  license option is present, even if data is not encrypted.

- Attempting to open an encrypted database where encryption keys
  are unavailable will fail with status -5 (access denied). Opening
  in mode 8 (readonly) will succeed in this case but encrypted data
  will be "blanked".

- There is currently no documented procedure to delete a data
  encryption key unless the database does not use encryption.

- An Eloquence 8.10 version for Windows is not yet available.

Recent Changes
--------------

Changes since B2

dbkeyutil utility

- The dbkeyutil utility was enhanced to support PBKDF2 as
  recommended by RFC 2898 (PKCS#5 v2.0). Newly created master keys
  will be incompatible with previous Eloquence beta versions.
  However, master keys created by previous beta versions are still
  supported with this version. A new "cipher" config entry is used
  to describe the password derivation and encryption algorithm.

- The dbkeyutil utility defaults to using a 1024 bit RSA key to
  communicate with the db server process. Previous versions used a
  2048 bit RSA session key which turned out to be too slow to be
  practical for older hardware. The dbkeyutil -b command line option
  may be used to specify a longer RSA session key.

- The dbkeyutil "auth" operation was renamed to "submit".

- Terminal echo is restored if dbkeyutil is interrupted while a
  passphrase is being entered.

dbutil utility

- The dbutil utility was enhanced to support deleting the data
  encryption keys if a database does not use encryption. The
  following syntax is supported:

  DELETE ALL ENCRYPTION KEYS;

  Deleting encryption keys must be performed in a separate session
  from removing database encryption.

- The dbutil utility was enhanced to produce more helpful error
  messages for crypto related failure causes. The following cases
  were enhanced:

  - creating a data encryption key when encryption is not available
  - creating a data encryption key when the specified master key is
    not available to the database server
  - changing the associated master key for a data encryption key
    when the new or previous master key is not available to the
    database server

db server

- A DBOPEN will no longer fail if a data encryption key is not
  available (eg. due to a missing master key) as long as the
  database does not contain encrypted information.

- Fixed a problem with timeout handling of the HTTP status if the
  TCP connection is hung.

- Add a message log notice when creating, changing or deleting a
  data encryption key.

dbclient library

- Resolve binary incompatibility when using the suprtool fastmode.
- Changed library revision to "B.08.10.02"

image3k library

- Fix DBINFO mode 114 returning negative flag values if the data set
  is writable.
- Changed library revision to "B.08.10.02"

installation

- HP-UX: Create an Eloquence specific symbolic link to the HP-UX
  OpenSSL libcrypto (if present) during the configure step of the
  installation procedure.

- Fixed a problem where terminal types and map files were not
  properly installed.
Changes since B1

- The dbkeyutil utility uses a secure communication channel to
  submit the master key to the server process. Depending on the CPU
  performance this could result in a short delay when submitting a
  master key to the server while a temporary session key is
  generated.

- The database server now encrypts indexes on fields marked as
  encrypted.

- The "operator" user property was added. This may be used to
  indicate user accounts permitted to perform operational tasks,
  which allows administrative accounts to be restricted more
  tightly.

- DBINFO mode 114 was added to allow obtaining field status. DBINFO
  mode 114 is similar to DBINFO mode 104 but returns item status
  information rather than item numbers. DBINFO mode 114 is available
  in both the image3k and the native client library. However, it is
  currently not available in eloqcore.

  The returned status information is bit encoded (per item) as
  indicated below:

  bit 0 - set if the field is stored on disk in encrypted format
  bit 1 - set if some encryption key for the database is not
          available. If this affects the actual record, the field
          is blanked (if a string item) or zeroed.
  bit 2 - set if an item mask exists for this item
  bit 3 - set if an item mask affects information in this field
          (eg. information is truncated).

  Bit 0 and bit 2 may be used by an application to understand that a
  field has sensitive information, so it should be handled with
  extra care (eg. not included in application logs). Bit 1 and bit 3
  may be used to indicate that the field content is not available or
  only partially returned.

  Please note that DBINFO 114 is considered experimental at the
  moment and your feedback is appreciated.

- Improved server messages on submitting and revoking master keys

- The dbkeyutil utility no longer links directly against libcrypto

- The dbkeyutil utility adds a note to the key file when creating a
  new master key

- The dbutil utility was enhanced to support the operator user
  property (both interactive and in batch use).
- The dbutil utility supports changing all data encryption keys of a
  database to a new master key

- The dbutil utility emits a warning message if encrypted fields are
  used as search items and are not encrypted in a related set

- The dbutil utility emits an error message if encryption is used
  but no data encryption key was created.

- The dbutil utility emits a warning message if data encryption keys
  are present but encryption is not used.

- A problem in the fwutil library was fixed that could result in an
  abort due to an alignment problem with encrypted information

- Fixed a problem in the server process that could result in a
  corrupted database structure when upgrading the database catalog.

- Fixed a problem in the dbutil utility that could result in memory
  corruption.

Changes since A3

- Provide full Eloquence distribution

Changes since A2

- Fixed problem with dbkeyutil chpass command
- Fixed problem on HP-UX accessing the OpenSSL library

Changes since A1

- Incorporated the most recent B.08.00 fixes
- Added new dbkeyutil utility to maintain master keys
- Added support for data encryption
- Fixed a problem causing database restructuring to fail on
  databases created with previous Eloquence versions.
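The DBINFO mode 114 status bits described under "Changes since B1" above, put to use: an added example (not code from the Eloquence release or its client libraries) that classifies each item of a record from its mode 114 status word and builds a log-safe rendering, so encrypted or masked fields never reach application logs. The item names, values and status words are constructed sample data; only the bit meanings come from the release notes.

```python
# Added example (not Eloquence code): decode DBINFO mode 114 item status
# words so an application keeps sensitive or incomplete fields out of its
# logs. The record at the bottom is constructed sample data.

# Documented DBINFO mode 114 status bits (one status word per item).
ST_ENCRYPTED    = 1 << 0   # stored on disk in encrypted format
ST_KEY_MISSING  = 1 << 1   # a key is unavailable; field blanked/zeroed
ST_MASK_EXISTS  = 1 << 2   # an item mask is defined for this item
ST_MASK_APPLIED = 1 << 3   # the mask changed this field (e.g. truncated)
ST_DOCUMENTED   = ST_ENCRYPTED | ST_KEY_MISSING | ST_MASK_EXISTS | ST_MASK_APPLIED
_LABELS = {ST_ENCRYPTED: "encrypted", ST_KEY_MISSING: "key-missing",
           ST_MASK_EXISTS: "masked", ST_MASK_APPLIED: "mask-applied"}


def decode_status(status):
    """Return (sensitive, incomplete, labels) for one status word.

    Only the documented bits are interpreted. Undocumented bits, such as
    the sign bit that made the earlier image3k build return negative
    words for writable sets, are ignored rather than trusted."""
    s = status & ST_DOCUMENTED
    sensitive = bool(s & (ST_ENCRYPTED | ST_MASK_EXISTS))      # bits 0, 2
    incomplete = bool(s & (ST_KEY_MISSING | ST_MASK_APPLIED))  # bits 1, 3
    labels = [name for bit, name in _LABELS.items() if s & bit]
    return sensitive, incomplete, labels


def log_safe_record(names, statuses, values):
    """Render a record for an application log: sensitive items become a
    marker, incomplete items are annotated, everything else passes."""
    out = {}
    for name, status, value in zip(names, statuses, values):
        sensitive, incomplete, labels = decode_status(status)
        if sensitive:
            out[name] = "<redacted:%s>" % ",".join(labels)
        elif incomplete:
            out[name] = {"value": value, "note": "+".join(labels)}
        else:
            out[name] = value
    return out


# Constructed sample: "cardno" is encrypted (with a stray sign bit set),
# "notes" is masked and truncated, "balance" is zeroed for a missing key.
NAMES = ["id", "name", "cardno", "notes", "balance"]
STATUS_114 = [0, 0, -2147483647, ST_MASK_EXISTS | ST_MASK_APPLIED, ST_KEY_MISSING]
VALUES = [42, "Ada", "4111111111111111", "VIP cust", 0]

if __name__ == "__main__":
    print(log_safe_record(NAMES, STATUS_114, VALUES))
```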