We are pleased to announce the availability of release 2.17 of the Enterprise Cloud on 15 December 2012.

Authentication permits use of X.509 certificates from Personal Identity Verification cards. Certificates that sign end entity certificates and the certificates of any Certificate Authorities in the trust hierarchy up to the certificate the customer declares as trusted, or the root Certificate Authority, are exported and stored within the Enterprise Cloud service. Certificates presented are validated using Online Certificate Status Protocol (OCSP) to the OCSP responder provided to the Enterprise Cloud. Certificate Revocation Lists are not supported.

• The current login page works seamlessly with the different authentication mechanisms: certificate-based, username and password only, and username and password with telephone multi-factor. Telephone multi-factor is unavailable to organizations with certificate-based authentication.
• As with existing authentication, based on the assessment of the certificate offered the user is directed to their default Infinicenter Console page or returned to the login page.
• In organizations with certificate-based authentication, administrators may choose to also permit username and password authentication. If permitted, may set the authentication method for each user.

Previously, to create an Internet Service on both TCP port 21 and UDP port 21 required two Internet services. A new protocol of TCP+UDP now permits a single Internet service to simultaneously support the same port, or ports, on both the TCP and UDP protocols. Furthermore, TCP, UDP, and TCP+UDP Internet services permit multiple ports and multiple port ranges.

• Users may view, create, manage, and delete Internet services with a port, ports, a port range, port ranges, or combination simultaneously on both TCP and UDP protocols.

• API users may view, create, manage, and delete Internet services with a port, ports, a port range, port ranges, or combination simultaneously on both TCP and UDP protocols.

Role-Based Access Control (RBAC) is a National Institute of Standards and Technology (NIST) standard with the second level adding constraints to basic RBAC. In the Enterprise Cloud, RBAC2 is implemented with Security Groups added to the granular permissions introduced in release 2.10. Devices are assigned to Security Groups and, as with existing Organization and Environment roles, roles are defined with specific constraints upon device-level activities for each Security Group. Users are assigned to Security Group roles in the same manner as Organization and Environment roles. "User with All Operations" is a new system-defined role for Security Groups.

Note: Users with Organization-level Administrator role, users with Environment-level User w/Billing role, and users with Environment-level User w/o Billing role override the constraints of Security Group roles.

Where Environment level and Security Group level permissions conflict, the Security Group level permissions apply exclusively to actions upon virtual machines that are members of the Security Group; for all other actions the Environment level permissions apply. For example, Manage Device IPs may be assigned in both Environment and Security Group levels. The user with Manage Device IPs permission for a Security Group but not for the Environment may assign IPs to a device in the Security Group but may not reserve IPs on the Network tab.

Note: A user must have access to the Environment in which devices in a Security Group reside. The Security Group role cannot override a lack of an Environment level role.

• System permits or denies user actions on a server depending on Organizational, Environmental, and Security Group access levels.
• Users may retrieve a list of all security groups or a specified security group.
• Administrators may create, edit, enable, disable, or delete security groups.
• Administrators may create, edit, or delete a security group level role.
• Administrators may assign users security group level roles from Roles service or Users service.
• Administrators may assign virtual machines and physical devices to a security group or security groups to a virtual machine or physical device.

Note: The calls, which assign security groups to a virtual machine or physical device, incorrectly return the virtual machine or physical device. They should return only the AssignedSecurityGroups object. Release 2013-02-01 will return the correct object.

Template Distribution automates the distribution of templates to all data centers and permits versioning of templates. Versioning permits users to create virtual machines from prior versions of templates to ensure consistent application environments, if desired.

• Users retrieve multiple versions of templates when available, or a specific version, and may create servers from the version of their choice.

• Users may export metered billing data in detail or summarized by virtual machine.
• Administrators may set a flag during creates and edits of non-administrator users indicating that they should receive Enterprise Cloud Change Notices.
• Firewall Audit report enhanced to perform string comparisons between firewall rules from the firewall configuration and from the Infinicenter configuration. Matches are printed in blue. When exported, a new column, Is Match W/String Comparison, indicates a match with a value of yes.

• Users may retrieve metered billing grouped by virtual machine.