Enhancements
This section describes the enhancements in this release.
Automation
- Enable execution of Ansible playbooks for SaaS instances using the Ansible Executor task through Cloud Connector (CC). The solution should allow playbook execution by transferring YAML files from pods to CC and running them similarly to other command executions supported in CC.
- Implemented a custom logger utility for helper and hook scripts, enabling users to log execution messages using a standardized logging syntax with script auto-suggestions. Generated logs are captured and displayed within the parent script execution output for improved traceability and debugging.
- Response headers and status code capture for REST API calls
Extended REST palette and REST hook integration to expose response headers and HTTP status codes alongside the response body. Enables workflows to consume API response metadata for chained operations that depend on header-driven logic. Removes the previous limitation that required Python packages for full response access in Cloud Connector-based workflows.
- Update credential provider name from Thycotic to Delinea
Updated credential provider references from Thycotic to Delinea across all workflow credential selection and display surfaces. Aligns platform naming with the vendor's current product identity following its rebranding. Ensures consistent branding and reduces confusion when configuring credential-based integrations.
ADC
- Orphan Object Parsing
Enhanced the out-of-the-box orphan object report to include additional ADC objects such as node-default-monitor, node, and virtual servers referenced in iRules, helping identify configuration objects that are not linked to any traffic-serving entity.
- Thycotic to Delinea naming update
Updated credential provider name from Thycotic to Delinea across the device onboarding interface. Ensures naming consistency with the vendor's current product identity. Includes migration scripts to apply the naming change to existing configurations.
- Light Weight Config Fetch Status API
A new status API has been introduced for Light Weight Config Fetch operations to provide real-time visibility into configuration fetch progress during SSPC automation workflows.
CLM
- Microsoft AD FS Certificate Lifecycle Management
Enhanced Microsoft AD FS certificate management with automated discovery, inventory, and lifecycle operations.
Added support to automatically discover and inventory AD FS certificates, including: Token-Signing, Token-Decrypting, Service Communication, SSL Bindings, Relying Party Trust (RPT) Signature, and Encryption certificates.
Introduced automated certificate lifecycle management capabilities for Encryption and Signature certificates, Token-Signing and Token-Decrypting certificates, and Service Communication and SSL certificates.
Introduced a guided and audited workflow to simplify certificate lifecycle management for AD FS environments. The system enables administrators to generate a CSR and private key using certreq, with keys stored in the LocalMachine\My certificate store.
The workflow allows importing CA-issued certificates and automatically pushing and binding them to the appropriate targets, including RPT Encryption/Signature, Token-Decrypting, Token-Signing, Service Communication, and SSL roles.
- Asynchronous SLC Dashboard Widgets
Converted the Age (Validity Period) and Certificates by Issuing CAs widgets to asynchronous mode to improve performance. Updated the API request (isSync flag) to reduce load time for large datasets.
- Secure Private Key Handling for Windows MQ Client (JKS/KDB), Windows IBM Client, Linux IBM Client, Windows WebSphere, MS SQL
- AppViewX enhanced private key management during certificate enrollment and push to improve security and prevent overwrites. This feature extends across regeneration and re-enrollment workflows and includes:
- Encryption of private keys at the endpoint and creation of timestamped key files during enrollment to avoid overwriting existing files.
- Secure decryption of key during push, associating it with the target keystore (JKS/PKCS), and removal of decrypted or temporary key files.
- Prevents retention of plain-text private key files after enrollment and push.
- Thycotic Rebranded to Delinea in PAM Integrations
Updated all Server and Firewall device integrations to replace Thycotic Secret Server references with Delinea. This includes updates to UI labels, configuration fields, tooltips, API names, backend identifiers, and logs, ensuring consistency with the new branding without impacting existing functionality.
- Independent Trust Chain Deployment for Cloud Connector
Enabled administrators to push Root and Intermediate (CA) certificates to Cloud Connector devices independently of server certificate deployment. The workflow supports uploading, selecting, validating, and deploying trust chain certificates while maintaining hierarchy, logging, and sync status.
This enhancement allows centralized management of trust stores, improving flexibility for mutual TLS, upstream validation, and integration requirements without manual installation on individual connectors.
- Batch Import/Export Support for Microsoft Server Discovery Settings
- AppViewX extends batch import/export and sample templates to support Location Type (File System, Certificate Store, Port Scan) and Keystore Formats (CRT, CER, PEM, PFX, JKS, etc.) for Microsoft Server devices.
- Batch import now accepts these values, and sample CSV/XLSX templates include the new columns with valid options, ensuring consistency with UI and policy configurations.
- Policy Engine Support for Microsoft Server Discovery Settings
The Policy Engine now supports Location Type and Keystore Format settings in Microsoft Server device templates for both administrator and application user policies. These settings are applied consistently during policy creation, updates, execution, auto-onboarding through network scans, and device updates triggered by policy changes.
- Official Support for NetScaler ADC v14
AppViewX now officially supports NetScaler ADC v14 for certificate lifecycle management. This release includes formal QA certification, feature parity with v13, and updates to the compatibility matrix and product documentation.
- Flexible Hostname Support for Firewalls, Servers, and HAProxy
AppViewX now supports onboarding devices using DNS short names across supported firewall, server, and HAProxy integrations. By selecting FQDN as the communication type, devices can be resolved through the Cloud Connector or worker node, while credentials are retrieved from the configured PAM vault using the short hostname.
- Rebranding to AVX CLM
AppViewX CERT+ has been rebranded to AVX CLM across the product. The update includes changes to UI labels, navigation elements, dialogs, dashboards, messages, and other user-facing components to align with the new CLM branding guidelines.
- Performance improvement for SLC dashboard widgets
Optimized load time for the Age (Validity Period) and Certificates by Issuing CAs widgets on the SLC dashboard. Resolved slow API response behavior that caused each widget to exceed 2 seconds to load at large inventory scale. Improves dashboard responsiveness and usability for environments with high certificate volume.
- Windows Gateway network logon mode security enhancement
Introduced a configurable logon mechanism for Windows Gateway network logon mode to reduce credential exposure risk. Added support for LOGON32_LOGON_NEW_CREDENTIALS as a secure alternative alongside the default cleartext mode for backward compatibility. Aligns authentication behavior with Kerberos/NTLM negotiation standards without disrupting existing customer workflows.
- Microsoft Server discovery file system scan improvements
Corrected discovery scope enforcement so scans strictly honor configured drives and directories without implicit fallback to the system drive. Added graceful handling of RBAC and NTFS permission-restricted paths so inaccessible directories are skipped and logged without terminating the scan. Improves discovery accuracy and reliability across mixed-permission environments.
- Multi-Vendor Friendly Name Support for Server Onboarding
AppViewX now supports onboarding SSH and REST-based devices using DNS short friendly names. Host mappings from /etc/hosts and Cloud Connector are synchronized for consistent resolution within pods. This improves onboarding reliability for custom hostname and PAM-based setups.
- AVX-Controlled Bash Prompt for Linux SSH Sessions
AppViewX now enforces a controlled bash prompt for Linux SSH sessions to ensure consistent command execution and reliable completion detection. It also introduces automatic switching to bash for service accounts where the default shell is non-bash. This improves execution stability and prevents push delays or failures caused by dynamic prompts or unsupported shells.
- Certificate Holistic View Performance Optimization
- Certificate Holistic View performance has been improved by replacing synchronous workflow status polling with an asynchronous event-driven update mechanism. This enhancement enables faster page loading and ensures consistent responsiveness regardless of the number of in-progress application connector operations.
Platform
- RBAC Audit and History Coverage
Enhanced RBAC auditing to ensure complete visibility of changes across roles, user groups, permissions, and their mappings. Added audit/history tracking for previously uncovered changes, including assignment and unassignment relationships (capturing only delta changes). Logged all create, update, delete, and assignment actions with source details.
- Thycotic Rebranded to Delinea in PAM Integrations
Rebranded all user-facing references from Thycotic to Delinea. This includes updates to UI labels, configuration fields, tooltips, API names, backend identifiers, and logs, ensuring consistency with the new branding while maintaining existing functionality.
- API-Only Authentication with Keycloak
AppViewX now supports API authentication using Keycloak-issued JWT tokens without requiring GUI user onboarding. The enhancement automatically provisions API-only service accounts, supports authorization through external group mappings, enforces separation from GUI access, and provides audit logging for authentication and authorization activities.
- Platform-Wide Branding Update
The platform has been updated to align with the latest AppViewX branding across user-facing and system-generated components, including the UI, email templates, downloadable assets, and related branding references.
- PAM Integration Error Handling and Remediation
Enhanced Test Connection diagnostics for PAM integrations. Connectivity validation now captures vendor-specific responses and provides structured error details along with actionable recommendations to help resolve connection issues.
- HSM Integration Health Monitoring and Notifications
AppViewX now monitors HSM integrations (Entrust, Fortanix, Utimaco, and Thales) with periodic health checks that validate reachability and port connectivity. When a check fails, an HSM Down event is generated; when checks succeed, an HSM Up event is triggered. In-product notifications and email alerts are sent to configured subscribers. The HSM Health event is disabled by default and can be enabled in the Notification Center, where administrators can select the notification channel and subscribers.
Pages
- Hide menu launcher and provide logout option for published pages
Added a publish-time option to hide AppViewX navigation menus and the launcher for users accessing published pages. Restricts end users to the published page context with only a logout option available. Improves security and UX control for externally accessible or embedded published page deployments.
- Live Data Support for Report Widgets
Report widgets now support a configurable option to automatically fetch live data on page load. When enabled, the widget executes its report query via hooks and displays the latest results, improving data freshness and reducing reliance on cached outputs.
PKI
- AppViewX Native PKI OCSP Enhancements
AppViewX Native PKI enhances OCSP capabilities with support for both HTTP GET and POST methods, ensuring RFC 6960 compliance and improved compatibility with modern clients such as Azure Application Gateway. It also enables secure OCSP signing using HSM-backed certificates via standards like PKCS#11, eliminating the need to export private keys.
- Hybrid (Classical + PQC) Certificate Support in AppViewX Native PKI
AppViewX Native PKI introduces support for Hybrid (Classical + PQC) certificates using a Composite approach, enabling cryptographic agility and backward compatibility. Administrators can create composite CAs and issue hybrid certificates with integrated support across the PKI hierarchy, including CRL generation. Composite certificates are managed with limited lifecycle actions in CLM, ensuring controlled adoption while maintaining operational stability.
- Enhanced Flexibility and Security in AppViewX Native PKI
AppViewX now supports endpoint-based CSR and private key generation for Azure Key Vault, ensuring private keys remain securely on the endpoint during certificate enrollment. This capability is also available via the Policy Engine, enhancing security and control in cloud-based certificate management.
Administrators now have granular control to enable or disable CRL publishing during the creation of Root, Subordinate, and External Subordinate CAs, providing greater flexibility in managing revocation processes.
AppViewX simplifies certificate template creation by removing the mandatory requirement for Key Usage (KU) and Extended Key Usage (EKU) selection. This provides greater flexibility to align templates with specific CA hierarchies and business needs, while intelligent warnings ensure critical attributes like CertSign and CRLSign are not overlooked for CA templates.
- Hybrid Interoperability Between AppViewX CLM and AppViewX PKI CA
AppViewX enables hybrid interoperability between CLM and AppViewX PKI CA across On-Prem and SaaS environments, allowing PKI CA to function as an External CA within CLM. This supports seamless certificate lifecycle management, including enrollment, renewal, discovery, and revocation, through secure and flexible connectivity with full visibility into CA hierarchy, templates, and certificate status validation mechanisms.
- Enable End-to-End Certificate Discovery from AppViewX PKI into CLM
AppViewX enables end-to-end discovery and onboarding of certificates issued by AppViewX Native PKI directly into CLM. Administrators can perform scheduled or on-demand scans to identify certificates and their chains, with efficient handling for large environments. The solution supports selective onboarding, enforces role-based access control, and maintains a complete audit trail for secure and compliant operations.
QTH
- Improved Widget Loading Performance
Widget loading performance is improved by enabling independent widget loading and retaining precalculated data during live refresh. A “Refreshing data and updating results” banner is shown during updates, and widgets are refreshed with the latest data and timestamp once complete, improving load time and isolating failures.
- Updated Messaging for Quantum Readiness by Crypto Library Widget
In the CLM configuration scan dashboard, the Quantum Readiness by Crypto Library widget now shows improved messages based on data availability. If scan data exists but no crypto library information is found for selected filters, it displays “No crypto library information identified” with a note suggesting agent-based scanning for better visibility. If no scan data is available, it shows “No data available.”
- Business Application Mapping for PQC Policies
Business applications can now be mapped to PQC policies by selecting them in configuration and certificate rules. If multiple applications are selected, separate rules are created per application, while no selection applies the policy to all applications by default. Only one Key Type & Strength and Business Application mapping is allowed, and on migration all existing and default policies are applied to all business applications.
- Updated Key Exchange Algorithm Selection for PQC Policies
The Key Exchange Algorithm dropdown for custom policy configuration has been updated to display only algorithm names, excluding curve groups and key strengths. This ensures policies apply across all variants of an algorithm rather than specific variants. The enhancement aligns with NIST PQC guidance, which defines recommendations at the algorithm level without distinguishing variants.
- Business Application Filter in Quantum Trust Hub Dashboards
A Business Application filter has been added to the Configuration Scan and Certificate Scan dashboards in Quantum Trust Hub to improve visibility into application-specific cryptographic posture. It enables focused analysis of assets, configurations, components, and certificates tied to a selected application, improving traceability and remediation prioritization. In the Certificate Scan dashboard, the filter works in conjunction with the selected certificate group for refined data filtering.
- Unified Configuration Scan Inventory with Upsert Model
The configuration scan inventory now consolidates results from multiple sources into a single unified record showing the latest scan output. Instead of deleting and recreating endpoint records for each scan, the system now uses an upsert model that updates existing records or inserts new ones when needed. Previous scan data is retained in PQC logs for audit and traceability.
- Updated PQC Recommendations in Configuration Scan Inventory
In the configuration scan inventory, post-quantum cryptographic recommendations for quantum-vulnerable assets have been updated. This enhancement ensures that applying the recommendations improves resilience against future quantum computing threats and aligns with emerging cryptographic standards.
SSH
- Inventory Visibility and Export Support for Recently Deleted and Recently Rotated Keys
Enhanced the Recently Deleted Keys and Recently Rotated Keys screens to display additional metadata needed for audit, investigation, and reconciliation. This ensures lifecycle views provide comparable visibility to the inventory screens. Additionally, added Export to CSV and XLSX support to the Recently Deleted Keys and Recently Rotated Keys screens so users can extract lifecycle data for audit, reporting, investigation, and reconciliation with external systems.
- Content-Based SSH File Classification
Improved SSH file detection by shifting from filename-based to content-based classification. The system now accurately identifies files as private keys, public/authorized keys, known_hosts entries, or unsupported content, reducing misclassification and false positives.
- Thycotic Rebranded to Delinea in PAM Integrations
Updated all SSH host on-boarding pages to replace Thycotic Secret Server references with Delinea. This includes updates to UI labels, configuration fields, tooltips, API names, backend identifiers, and logs, ensuring consistency with the new branding without impacting existing functionality.
- SSH Module Branding Update
Updated the SSH module to align with the latest AppViewX branding. Applied new product name references, logo, and brand elements across UI, logs, APIs, downloadable templates, and email communications to ensure a consistent platform experience.
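The content-based approach described under Content-Based SSH File Classification above, sketched as an added example (not AppViewX code): a file's kind is decided from PEM armor and from the algorithm name embedded in each base64 key blob, never from the filename. The category names, the option-versus-host heuristic and the sample files are assumptions constructed for illustration.

```python
import base64, re

# authorized_keys option names from sshd(8); used to tell options from host lists.
AUTH_OPTS = {"command", "environment", "from", "permitopen", "permitlisten",
             "principals", "tunnel", "expiry-time", "restrict", "cert-authority",
             "no-pty", "no-port-forwarding", "no-agent-forwarding",
             "no-x11-forwarding", "no-user-rc", "no-touch-required", "verify-required"}
PEM_RE = re.compile(r"-----BEGIN ((?:OPENSSH |RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----"
                    r"(.+?)-----END \1-----", re.S)
# "<key type> <base64 blob>" anywhere on a line; whatever precedes it decides the kind.
KEY_RE = re.compile(r"(?<!\S)((?:ssh|ecdsa|sk)-[\w@.\-]+)\s+([A-Za-z0-9+/]+=*)(?=\s|$)")

def blob_names_type(keytype, b64):
    """True if the decoded blob starts with a length-prefixed copy of keytype."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    return raw[4:4 + int.from_bytes(raw[:4], "big")] == keytype.encode()

def classify_line(line):
    for m in KEY_RE.finditer(line):
        if not blob_names_type(m.group(1), m.group(2)):
            continue
        prefix = line[:m.start()].strip()
        # Empty prefix or sshd options => key line; hosts or @markers => known_hosts.
        first = re.split(r"[=,\s]", prefix, maxsplit=1)[0].lower()
        return "public_or_authorized_key" if not prefix or first in AUTH_OPTS else "known_hosts"
    return "unsupported"

def classify(text):
    m = PEM_RE.search(text)
    if m:
        if m.group(1) != "OPENSSH PRIVATE KEY":
            return "private_key"  # legacy/PKCS#8 armor accepted as-is
        try:  # new-format keys must carry the openssh-key-v1 magic
            body = base64.b64decode("".join(m.group(2).split()), validate=True)
        except ValueError:
            return "unsupported"
        return "private_key" if body.startswith(b"openssh-key-v1\x00") else "unsupported"
    kinds = {classify_line(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")}
    return kinds.pop() if len(kinds) == 1 else "unsupported"

def _blob(keytype):  # constructed sample: type prefix + filler, not a real key
    name = keytype.encode()
    return base64.b64encode(len(name).to_bytes(4, "big") + name + bytes(32)).decode()

ED = "ssh-ed25519 " + _blob("ssh-ed25519")
SAMPLES = {  # constructed; filenames are deliberately misleading
    "id_backup.txt": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     + base64.b64encode(b"openssh-key-v1\x00constructed").decode()
                     + "\n-----END OPENSSH PRIVATE KEY-----\n",
    "notes": 'restrict,command="/usr/bin/true" ' + ED + " deploy@ci\n" + ED + " admin\n",
    "id_rsa.pub": "|1|c2FsdA==|aGFzaA== " + ED + "\nhost.example.com,192.0.2.10 " + ED + "\n",
    "authorized_keys": "ssh-rsa " + _blob("ssh-ed25519") + " type/blob mismatch\n",
}

if __name__ == "__main__":
    print({name: classify(text) for name, text in SAMPLES.items()})
```

A file named `authorized_keys` whose declared key type disagrees with the blob is reported as unsupported, which is the kind of false positive a filename-based check would let through.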
Code Signing
- Enable Environment Variable Based Credential Injection for SIGN Package in CI/CD Pipelines
The SIGN Package now supports secure runtime credential injection for CI/CD pipelines through environment variables. Credentials can be supplied dynamically during signing operations, are handled securely without persistence or plaintext storage, and do not impact existing workflows that use preconfigured credentials.
- Username and IP Address Filters in Signing Inventory Advanced Search
Advanced Search in Signing Inventory now supports Username and IP Address filters. Both can be used independently or combined with existing filters (Signed Type, Status, etc.) to quickly locate and audit signing records.
