# KCM Version 2.20.0

### **Overview**

Keeper Connection Manager 2.20.0 includes several important updates. Please read through the full release notes prior to upgrading. The updates include:

1. [Mandatory changes to support Remote Browser Isolation (RBI)](#mandatory-changes-to-support-remote-browser-isolation-rbi)
2. [End of support for EL7](#end-of-support-for-el7)
3. [Support for ignoring HTTPS certificate errors in RBI](#support-for-ignoring-https-certificate-errors-in-rbi)
4. [Configurable clipboard size limits](#configurable-clipboard-size-limits)
5. [Certificate authentication support for SSH](#certificate-authentication-support-for-ssh)
6. [Bug fixes](#bug-fixes-for-rbi)

***

### Mandatory changes to support Remote Browser Isolation (RBI)

{% hint style="info" %}
**IMPORTANT:** Some of the changes to RBI in this release require additional services and sandboxing not required in previous releases. The operations used for this sandboxing have required updates to the `seccomp` profile used for Docker deployments, as well as the creation of an AppArmor profile.

**This AppArmor profile must be loaded for RBI to function on any platform using AppArmor, such as Ubuntu.**
{% endhint %}

Required Action: Download the latest version of the `kcm-setup.run` script:

```
curl -O https://keepersecurity.com/kcm/kcm-setup.run
```

#### Option 1: Add the AppArmor profile automatically using `kcm-setup.run` <a href="#adding-the-apparmor-profile-automatically-using-kcm-setup.run" id="adding-the-apparmor-profile-automatically-using-kcm-setup.run"></a>

If you have not modified your own `docker-compose.yml` since installing KCM, you can apply these changes automatically by:

1. Downloading the latest copy of `kcm-setup.run` from Keeper Security.
2. Running `sudo ./kcm-setup.run upgrade` to upgrade to the latest release.
3. Running `sudo ./kcm-setup.run reconfigure` to regenerate `docker-compose.yml`.

{% hint style="info" %}
If you manually changed `docker-compose.yml`, follow **Option 2 below.**
{% endhint %}

#### Option 2: Adding the AppArmor profile to a modified `docker-compose.yml` <a href="#adding-the-apparmor-profile-to-a-modified-docker-compose.yml" id="adding-the-apparmor-profile-to-a-modified-docker-compose.yml"></a>

If you have modified your own `docker-compose.yml`, you must edit it manually to point the “guacd” container at the new profile. Apply the changes by:

1. Downloading the latest copy of `kcm-setup.run` from Keeper Security.
2. Running `sudo ./kcm-setup.run upgrade` to upgrade to the latest release.
3. Editing `/etc/kcm-setup/docker-compose.yml`, adding an additional `"apparmor:..."` option to the `security_opt` section of the “guacd” container such that the section now matches the following:

```
security_opt:
    - "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
    - "apparmor:guacd-apparmor-profile"
```

4. Running `sudo ./kcm-setup.run apply` to apply these latest changes from `docker-compose.yml`.

#### Manually extracting the AppArmor profile

*Only if necessary*, the AppArmor profile is bundled in a standard location and can be extracted from the Docker image:

{% code overflow="wrap" %}

```
sudo docker run --rm --entrypoint=/bin/cat keeper/guacd /opt/keeper/share/guacd/guacd-apparmor-profile > guacd-apparmor-profile
```

{% endcode %}

The profile should then be copied beneath `/etc/apparmor.d` so that it is automatically loaded on boot:

```
sudo cp guacd-apparmor-profile /etc/apparmor.d/
```

The new profile can then be loaded either by rebooting or by manually running `apparmor_parser`:

```
sudo apparmor_parser -r /etc/apparmor.d/guacd-apparmor-profile
```

***

{% hint style="danger" %}
**Important notice regarding Ubuntu Docker Installations**
{% endhint %}

**Do not use the** `docker.io` **package provided by Ubuntu.** Testing has suggested that this older Docker package may not function correctly with AppArmor profiles. Containers have been observed to not correctly resume using the configured AppArmor profile after a reboot.

Instead, use the official Docker packages provided by Docker themselves: <https://docs.docker.com/engine/install/ubuntu/>

As long as Docker isn’t already installed, `kcm-setup.run` will install the official Docker packages automatically. This can be an easy way to install both KCM and the proper version of Docker.
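
A check for the confinement this section depends on, as an added example that is not part of Keeper's documentation or tooling: it reads the kernel's loaded-profile list and the AppArmor label of the running guacd process, which is what changes if a container comes back from a reboot without its profile. The container name passed to `live_check` is site-specific, and treating a non-enforcing label as a failure is this example's own assumption.

```shell
#!/bin/sh
# Added example, not Keeper's code: confirm the running guacd process is
# confined by the AppArmor profile (for instance after a reboot).
PROFILE="guacd-apparmor-profile"   # name from the security_opt entry

# profile_mode FILE NAME: print the mode of loaded profile NAME from the
# kernel's "name (mode)" listing; non-zero exit if NAME is not loaded.
profile_mode() {
    awk -v p="$2" '{
        mode = $NF; gsub(/[()]/, "", mode)
        name = $0; sub(/ \([a-z]+\)$/, "", name)
        if (name == p) { print mode; found = 1 }
    } END { exit !found }' "$1"
}

# check_confinement FILE LABEL: FILE is the loaded-profile listing, LABEL is
# the process label as read from /proc/<pid>/attr/current.
# Returns 0 = confined and enforcing, 1 = profile not loaded,
# 2 = process under the profile but not enforcing, 3 = other label/unconfined.
check_confinement() {
    profile_mode "$1" "$PROFILE" >/dev/null || return 1
    case "$2" in
        "$PROFILE (enforce)") return 0 ;;
        "$PROFILE ("*")")     return 2 ;;
        *)                    return 3 ;;
    esac
}

# live_check CONTAINER: run against this host as root. CONTAINER is the name
# or ID of your guacd container (site-specific, see `docker ps`).
live_check() {
    pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 4
    label=$(cat "/proc/$pid/attr/current") || return 4
    rc=0
    check_confinement /sys/kernel/security/apparmor/profiles "$label" || rc=$?
    case $rc in
        0) echo "OK: $1 (pid $pid) runs as '$label'" ;;
        1) echo "FAIL: $PROFILE is not loaded in the kernel" ;;
        *) echo "FAIL: $1 (pid $pid) runs as '$label', expected $PROFILE" ;;
    esac
    return $rc
}

if [ "${1:-}" = "--live" ]; then live_check "$2"; fi
```

Saved under a file name of your choosing, the script runs the live check when invoked as root with `--live <container>`; a non-zero exit status makes it usable from a post-boot job or monitoring probe.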

***

### End of support for EL7 <a href="#end-of-support-for-el7" id="end-of-support-for-el7"></a>

With CentOS 7 having reached end-of-life in June 2024, and with RHEL 7 having reached end-of-maintenance at the same time, KCM will no longer provide EL7 builds. This means that the previous release (KCM 2.19.3) will be the last release with an EL7 build and KCM 2.20.0 will be the first release without EL7 support.

Users that are maintaining RPM-based installations of KCM but are still using RHEL 7, CentOS 7, or another EL7-derivative should upgrade to EL8 when possible so that they can upgrade to KCM 2.20.0. Support for EL9 and EL10 will be coming in future releases.

***

### Support for ignoring HTTPS certificate errors in RBI <a href="#support-for-ignoring-https-certificate-errors-in-rbi" id="support-for-ignoring-https-certificate-errors-in-rbi"></a>

**KCM-404**: Add support for ignoring self-signed HTTPS certificates

Remote Browser Isolation (RBI) is strict in its enforcement of SSL/TLS certificate validation. If it is known that the domain of the initial URL of a connection has a self-signed or otherwise invalid certificate, and administrators wish to allow access to that server through RBI despite the invalid certificate, certificate validation can now be bypassed for the initial URL.

**NOTE:** This validation bypass affects only **the domain of the initial URL**. This means that bypassing SSL/TLS validation will not have any effect if:

* There is no initial URL (the administrator leaves this connection parameter blank).
* The domain with an invalid certificate does not identically match the domain of the initial URL (as may be the case if redirects are involved).

***

### Configurable clipboard size limits <a href="#configurable-clipboard-size-limits" id="configurable-clipboard-size-limits"></a>

**KCM-405**: Allow connection clipboard limits to be configured

The clipboard within KCM has historically been limited to a maximum of 256 KB. If users may need to copy larger amounts of data through a connection, this limit can now be overridden by the administrator on a per-connection basis.

***

### Certificate authentication support for SSH <a href="#certificate-authentication-support-for-ssh" id="certificate-authentication-support-for-ssh"></a>

**KCM-433**: Support certificate authentication for SSH

For SSH servers that require certificate authentication, KCM now accepts a public key parameter in addition to the private key parameter that would otherwise be sufficient. The public key that was signed by your CA should be provided with this new parameter.

***

### Bug Fixes <a href="#bug-fixes-for-rbi" id="bug-fixes-for-rbi"></a>

#### **RBI**

**KCM-390**: RBI connections may fail when loading YouTube Shorts\
**KCM-396**: Allowed URL Patterns list truncated without warning\
**KCM-410**: Autofill for KCM fails with a sufficiently large "autofill-rules.yml"\
**KCM-413**: RBI freezes when attempting to input Japanese\
**KCM-417**: RBI autofill of TOTP may cause memory error\
**KCM-419**: RBI autofill cannot be used with Cloudflare login + reCAPTCHA\
**KCM-425**: Touch interaction does not work in RBI on iPad\
**KCM-431**: RBI autofill interferes with manual interaction\
**KCM-435**: RBI cannot be used to log into Google services

#### Terminal-related Issues <a href="#terminal-related-bug-fixes" id="terminal-related-bug-fixes"></a>

**KCM-399**: Binary column data may disrupt terminal output of MySQL connection\
**KCM-437**: KCM terminal emulator can become garbled when "vim" is used

#### Miscellaneous bug fixes <a href="#miscellaneous-bug-fixes" id="miscellaneous-bug-fixes"></a>

**KCM-380**: KSM integration cannot be used on a RHEL system with FIPS mode enabled\
**KCM-386**: guacamole-db-mysql image appears to be broken on aarch64\
**KCM-392**: Guacamole webapp warns "expected language resource does not exist" for Polish\
**KCM-400**: Mysterious "0:00" timestamps appear in the middle of keystroke logs\
**KCM-403**: Session recording playback heatmap broken for short videos\
**KCM-411**: File upload progress bar completes before file is fully uploaded\
**KCM-426**: KSM static token mapping does not work with a per user config\
**KCM-427**: Recording playback sometimes freezes\
**KCM-439**: \_\_guac\_wol\_send\_packet() uses incorrect structure for IPv6 address

#### Dependency updates <a href="#dependency-updates" id="dependency-updates"></a>

**KCM-453**: Update third-party dependencies of KCM

