Release Highlights

This section provides the release highlights for Enterprise Security Administrator (ESA) and Protectors v10.0.

Enterprise Security Administrator

The ESA v10.0 release delivers robust architectural upgrades designed to boost scalability, enhance resilience, and reinforce data security across your enterprise.

Architectural & Operational Upgrades

  • Resilient Package Deployment: New architecture improves performance and reliability in policy distribution.
  • Expanded Log Indexing: Logs now categorized into Audit, Troubleshooting, Policy, and Status indexes for finer control.
  • ILM & Scheduler Enhancements: Export/import expanded; scheduler now supports multiple log types.
  • Audit Store Discover Page Sorting: Latest records now surface first by default for better usability.

Dashboard Modernization

  • New dashboards added for:
    • Protector Status
    • Security Operations
    • Inventory
    • Policy Metrics
  • Enables centralized, real-time monitoring.

Security & Compliance Features

  • FIPS Mode Enabled: Compliant operating system-level security introduced.
  • AWS KMS Support: Direct integration for secure key management.
  • License Enforcement: Invalid or expired licenses block policy distribution and DevOps API usage.
  • Protegrity Signed Packages: All ESA packages now cryptographically signed for authenticity.

DevOps & Admin Enhancements

  • File Upload Expansion: ESA Web UI now supports uploads of any size—ideal for larger patches.
  • CLI Improvements: Basic Authentication toggle now configurable from the CLI.

Platform Upgrades

  • OS: Debian 12.7
  • Kernel: 6.6.48
  • OpenSearch: 2.15.0
  • Python: 3.11.2
  • Fluentd: 5.0.3
  • Fluent-bit: 2.2.3
  • OpenSSL: 3.0.14

Protegrity Data Security Gateway

  • DSG 3.3.0.0 Backward Compatibility
    Foundation established to support multiple ESA versions going forward. DSG 3.3.0.0 is now compatible with ESA 10.0.0.

  • UEFI Support Added
    Systems can now boot using either BIOS or UEFI, with GPT partition support for flexible OS setup.

  • Python Upgrade in Bullseye OS
    Python updated from v3.7 to v3.9 for increased performance and compatibility.

  • Azure AD Integration
    External and internal appliance access now manageable via Azure portal and corporate directories.

  • Firewall Modernization
    Appliance firewall migrated from iptables to nftables for improved scalability and control.

  • Azure AD Member Source Support
    Azure AD now pulls and organizes user and group info for structured access control.

  • OpenSSH Idle Timeout Enhancement
    Console sessions auto-terminate when idle—background processes remain uninterrupted.

  • Core System Updates

    • Kernel: Updated to v5.10.206
    • OS: Upgraded to Bullseye v11.8
    • OpenSSL: Advanced to v3.0
    • td-agent: Updated to v4.5.0

Protectors

Application Protector – Java

  • REST-based KMS Callback Support
    DevOps callback mechanism now integrates with REST-based KMS services in Protegrity containerized setups for secure DEK decryption.

Application Protector – Python

  • Performance Enhancement
    Optimized for faster execution across single and limited bulk operations.

  • Signed Package Integrity
    All distributed packages are now digitally signed by Protegrity to ensure safe and verified installations.

  • Enhanced Security Posture
    JWT-based form authentication enables flexible token and credential handling for certificate access.

  • ESA Load Reduction
    RPP and RpSync components now regulate interaction frequency with ESA, reducing infrastructure strain.

  • Inventory and Status Insights
    Improved logging and dashboard visibility via ESA to track protector state—even when idle.

  • Resilient Package Agent (RP Agent)
    A dedicated sync component for secure policy downloads via TLS; replaces older policy retrieval mechanisms.

  • New config.ini Configuration Support
    Introduces flexible protector configuration via file located in install path.

  • DevOps-Friendly Deployment Option
    Supports immutable policy delivery via REST API—no RP Agent required.

Big Data Protector – CDP-PVC-Base (Release Highlights v10.0)

Architecture & Security Enhancements

  • Resilient Architecture: Protection halts and memory is cleared if RP Agent fails—ensuring controlled shutdown.
  • Resilient Package Agent: Replaces PEP server; securely syncs updated policies over TLS.
  • Patch Signing: All packages now digitally signed for installation integrity.
  • Form-Based Authentication: JWT-based access mechanism supports token and credential inputs.

Configuration & Operational Improvements

  • New config.ini File: Enables parameter customization at /opt/cloudera/parcels/PTY_BDP/bdp/data/.
  • Helper Scripts:
  • Semantic Versioning: Adopted from v10.0.0 for consistent release tracking.

Monitoring & ESA Interaction Optimization

  • Status Dashboard: Tracks protector health—even when idle—using ESA log signals.
  • ESA Load Management: Gen 3 improvements using RPP and RpSync to reduce traffic strain.

API & Data Format Enhancements

  • Charset Support:
    • Introduced for MapReduce and Spark byte array APIs.
    • Added to HBase operations (Put, Get, Scan).

Enhancements & Cleanups

  • Unified pepspark.jar: Single binary for Spark2 and Spark3 support.
  • Spark Plugin Removal: Legacy plugin parameters deprecated.
  • Fluent Bit Parcel Renamed: PTY_FLUENTBIT_CONF → PTY_LOGFORWARDER_CONF
  • Expanded CheckAccess() Permissions: Added Protect, Unprotect, Reprotect.
  • Removed Auxiliary APIs: Cleaned out unused functions like flushAudits(), pty_GetKey_Id(), etc.
  • Data Element Deprecation: Retired legacy formats like HMAC-SHA1, 3DES, Unicode tokens, and old date formats.
  • New getversionextended() API: Returns full build version string for audit and diagnostics.

Data Warehouse Protector – Teradata (Release Highlights v10.0)

Security & Architecture Enhancements

  • Multi-node Protector Architecture
    New design improves efficiency, regularly detects policy changes, and syncs updates over encrypted channels—reducing ESA load.

  • Form-Based Authentication with JWT
    Replaces legacy BasicAuth; supports flexible token-based credential handling via RP Agent.

  • Patch Signing Validation
    Teradata packages are now cryptographically signed to ensure trusted delivery.

Functional & Data Type Support

  • Small Integer UDFs Added
    Supports data types up to 2 bytes in Teradata-based user-defined functions.

  • HMAC-SHA256 Support Introduced
    Improves encryption standards, replacing deprecated HMAC-SHA1.

  • Inventory Visibility via Insights
    Enhanced tracking of protector status and operational metrics for improved monitoring.


Last modified: October 29, 2025