Version: 7.2405.x.x LTS

Release notes

Important Information for nevisAdmin 3 Users

nevisAdmin 4 is the completely overhauled configuration and deployment solution for the Nevis Identity Suite.

nevisAdmin 3 configurations cannot be automatically migrated to nevisAdmin 4. Contact your integration partner if you need assistance migrating from nevisAdmin 3 to nevisAdmin 4.

If you are looking for updates to nevisAdmin 3, check the nevisAdmin 3 documentation.

nevisAdmin 7.2411.0 Release Notes - 2024-11-20

Release information

  • RPM: nevisadmin4-7.2411.0.10-1.noarch.rpm
  • GUI Version: FE 7.2411.0-1460 - BE 7.2411.0.10

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • IMPROVED: Addressed some performance issues that happened when there were a lot of plugin libraries uploaded. (NEVISADMV4-10073)
  • FIXED: The variables screen now also considers ${var.<name>} references when listing the usages of variables. (NEVISADMV4-10024)
  • FIXED: Renaming a variable now also updates all references to it that use the ${var.<name>} format. (NEVISADMV4-10085)
  • FIXED: In some rare cases, newly created tenant scoped secrets were not available in the inventory editor to be inserted, until another inventory was opened first. They are now available immediately. (NEVISADMV4-10134)
  • FIXED: We fixed a GUI issue which caused project variables to be imported with an invalid value. (NEVISADMV4-10245)
  • FIXED: We fixed a GUI issue in the inventory editor, where inserting a secret in the middle of a line replaced the rest of the line instead of inserting the secret at the caret's location. Highlighting secrets in the editor is also fixed. (NEVISADMV4-10293)

Dependency upgrades

  • shiro 2.0.1 (NEVISADMV4-9164)
  • org.eclipse.jgit 6.10.0.202406032230-r (NEVISADMV4-10027)
  • jsch 0.2.20 (NEVISADMV4-10273)
  • jackson 2.18.0 (NEVISADMV4-10273)
  • jetty-rewrite 12.0.14 (NEVISADMV4-10273)
  • groovy 4.0.23 (NEVISADMV4-10273)
  • snakeyaml 2.3 (NEVISADMV4-10273)
  • aspectjweaver 1.9.22.1 (NEVISADMV4-10027)
  • jakarta-annotation-api 3.0.0 (NEVISADMV4-10027)
  • slf4j-api 2.0.16 (NEVISADMV4-10027)
  • logback-classic 1.5.9 (NEVISADMV4-10273)
  • guava 33.3.1-jre (NEVISADMV4-10273)
  • opensaml 4.3.2 (NEVISADMV4-10027)
  • spring-boot 3.3.5 (NEVISADMV4-10307)
  • spring-dependency-management-plugin 1.1.6 (NEVISADMV4-10027)
  • springdoc-openapi-starter-webmvc-ui 2.6.0 (NEVISADMV4-10027)
  • mustache 0.9.14 (NEVISADMV4-10027)
  • mariadb-java-client 3.4.1 (NEVISADMV4-10027)
  • postgresql 42.7.4 (NEVISADMV4-10027)
  • nimbus-jose-jwt 9.41.2 (NEVISADMV4-10273)
  • bcprov-jdk18on 1.78.1 (NEVISADMV4-10027)
  • bcpkix-jdk18on 1.78.1 (NEVISADMV4-10027)
  • bcpg-jdk18on 1.78.1 (NEVISADMV4-10027)
  • bcutil-jdk18on 1.78.1 (NEVISADMV4-10027)
  • kubernetes-java-client 21.0.1 (NEVISADMV4-10027)

Patterns 7.2411.0 Release Notes - 2024-11-20

Release information

  • Build Version: 7.2411.0.10

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS24 RELEASE / 2024 November.

Enter the version in the Search field: 7.2411.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

  • NEVISADMV4-9763: Added new logger ProductAnalytics to Nevis components.
    • The logger is enabled by default. It can be disabled by setting the log level to WARN or ERROR.
  • PAT-762: Fixed a bug in Generic Deployment which caused unknown files in nested sub-folders to be deleted, even when Path: Delete Unknown Files is set to disabled.

Application Protection

  • NEVISPROXY-7343: We fixed the Error Handling pattern to replace placeholders when the Content-Type includes a charset or a boundary.
  • ⚠️ PAT-755: We improved the Maintenance Page pattern:
    • The Update Interval is now configurable.
    • The pattern now includes its sanitized name in the names of the generated MaintenanceFilter and DefaultServlet.
      • This prevents naming collisions and allows linking multiple Maintenance Page patterns to a single Virtual Host or Application.
      • Check your configuration if you use Generic Application Settings or Generic Virtual Host Settings to customize your MaintenanceFilter or the related DefaultServlet.
  • PAT-759: The SOAP Service pattern can now be attached to several Virtual Host patterns even when SOAP Schema Validation files are configured.

SAML / OAuth / OpenID Connect

  • PAT-744: Fixed invalid generation of nevisIDM HttpClient in Social Login patterns.
  • PAT-701: Updated the translation text for the OAuth2 / OpenID Connect consent screen.

Patterns 7.2405.4 Release Notes - 2024-10-17

Release information

  • Build Version: 7.2405.4.0

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS24 RELEASE / 2024 May.

Enter the version in the Search field: 7.2405.4.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

Application Protection

  • PAT-751: Added CRS version 4.7.0 to the OWASP ModSecurity CRS Version setting in the Virtual Host nevisProxy pattern.

Identity Management

  • ⚠️ PAT-749: Modified the nevisIDM Password Login pattern to verify whether the URL from which the login page is opened in the Password Reset use case is startable. The new functionality can be fine-tuned using Redirection Path Validation Mode, Application Path Fallback, and Custom Redirection Path Validation Regexes properties in the Password Reset tab of the pattern. If new line or carriage return characters can appear in your protected URL paths, fine-tuning of the settings may be required, as the new default settings block them.
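An added illustration of the kind of check PAT-749 describes, not Nevis code and not the pattern's actual implementation: a redirection path is accepted only if it contains no CR/LF, is a local path, and matches a validation regex; otherwise a fallback path is used. The function names, the default regex, the rejection of percent-encoded CR/LF and of absolute URLs, and the sample paths are assumptions made for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Hypothetical default regex: ordinary URL path characters only.
DEFAULT_PATH_REGEXES = (r"/[A-Za-z0-9\-._~!$&'()*+,;=:@/%]*",)


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded CR/LF (%250d) is exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_redirect_path(candidate, fallback, allowed_regexes=DEFAULT_PATH_REGEXES):
    """Return (path_to_use, reason). Falls back unless the candidate is a safe local path."""
    if not candidate:
        return fallback, "empty"
    # Check CR/LF before urlsplit(): newer Python versions silently strip them while parsing.
    if any(ch in text for text in (candidate, decode_fully(candidate)) for ch in "\r\n"):
        return fallback, "cr-or-lf"
    parts = urlsplit(candidate)
    # A scheme or host means the target is not a path on this site.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return fallback, "not-a-local-path"
    if not any(re.fullmatch(rx, parts.path) for rx in allowed_regexes):
        return fallback, "no-regex-match"
    return candidate, "ok"


def check_samples():
    """Run constructed sample paths through the validator and collect the reasons."""
    fallback = "/app/"  # constructed stand-in for an application path fallback
    samples = [
        "/app/account?x=1",
        "/app/\r\nX-Injected: 1",
        "/app/%0d%0aX-Injected:%201",
        "/app/%250d%250a",
        "//other.example/x",
        "https://other.example/",
    ]
    return [validate_redirect_path(s, fallback)[1] for s in samples]


if __name__ == "__main__":
    for reason in check_samples():
        print(reason)
    # Custom regexes narrow the accepted paths further.
    print(validate_redirect_path("/app/x", "/portal/", (r"/portal/.*",)))
```
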

Patterns 7.2405.3 Release Notes - 2024-09-24

Release information

  • Build Version: 7.2405.3.1

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS24 RELEASE / 2024 May.

Enter the version in the Search field: 7.2405.3.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

Application Protection

  • NEVISPROXY-7253: The HTTP Error Handling pattern now also replaces placeholders in JSON error pages.
    • This also applies to any ErrorFilter filters generated by default.

SAML / OAuth / OpenID Connect

  • PAT-742: The IDP URL in SAML IDP Connector now accepts a URL containing an EL expression.

Patterns 7.2405.2 Release Notes - 2024-08-30

Release information

  • Build Version: 7.2405.2.0

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS24 RELEASE / 2024 May.

Enter the version in the Search field: 7.2405.2.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

Identity Management

  • PAT-722: The nevisIDM Authorizations pattern now adds default values to Roles where no setting is defined in the pattern.
  • PAT-722: The nevisIDM Authorizations pattern now accepts MultiClient authorization as well.
  • PAT-704: The nevisIDM Second Factor pattern now validates that the found credentials are active and within their validity period.
  • PAT-726: Password validation displays the error correctly when using the Self-Registration flow in Simple Sign-in / Sign On Template.
  • PAT-743: Added SYSLOG formatting option for nevisIDM's batch log.
  • PAT-745: Created pattern for nevisIDM Create Credential AuthState.
  • PAT-770: nevisIDM Authorizations pattern now handles fine-grained authorizations for UserModify and UserSearch authorization.
  • PAT-763: The path of the password reset in nevisIDM Password Login is automatically added to the Allowed Application paths.

Patterns 7.2405.1 Release Notes - 2024-07-25

Release information

  • Build Version: 7.2405.1.x

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS24 RELEASE / 2024 May.

Enter the version in the Search field: 7.2405.1.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

  • PAT-706: Replace nested ${var expressions in patterns that support referencing inventory variables.

Application Protection

  • PAT-688: Fixed an unexpected error when using a variable for the Public Key of the JWT Access Restriction pattern.

Authentication

  • PAT-710: Apply Custom Attributes to RemoteOutOfContextDataStore as well.
    • ⚠️ If you have attributes that should only be applied to the RemoteSessionStore, use the prefix session: in the attribute name.

Identity Management

  • PAT-507: Upload of additional resources for nevisDataPorter Instance.

SAML / OAuth / OpenID Connect

  • PAT-716: Adapted the Groovy script used by SAML patterns to extract SOAP single logout messages.

nevisAdmin 7.2405.1 Release Notes - 2024-06-26

Release information

  • RPM: nevisadmin4-7.2405.1.0-1.noarch.rpm
  • GUI Version: FE 7.2405.0-1302 - BE 7.2405.1.0

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • FIXED: CORS preflight requests are no longer rejected. (NEVISADMV4-10021)

nevisAdmin 7.2405.0 Release Notes - 2024-05-15

Release information

  • RPM: nevisadmin4-7.2405.0.3-1.noarch.rpm
  • GUI Version: FE 7.2405.0-1302 - BE 7.2405.0.3

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

  • CHANGED: Due to the shallow checkout feature, Kubernetes deployments no longer work with uninitialized repositories. (NEVISADMV4-10018)

Main improvement

  • NEW: nevisAdmin 4 now collects anonymized analytics data. This helps us understand better how nevisAdmin 4 is used. (PRODROAD-402)
    Note: nevisAdmin 4 only collects data. It does not send it to us without explicit user interaction. For more information, see product-analytics.

Notable changes and bug fixes

  • IMPROVED: Issues with INFO severity are now logged at DEBUG log level instead of INFO log level, for better log readability. This change only affects issues (mostly the ones created during the validation of configurations), not all log messages. (NEVISADMV4-9878)
  • IMPROVED: The deployment process now creates a shallow clone of the deployment repository. (NEVISADMV4-9293)
  • IMPROVED: The log viewer dialog (for pod's or nevisAdmin 4's logs) now lets you turn on line wrapping. The preference is sticky among logs. (NEVISADMV4-9904)
  • FIXED: Using REST requests, it used to be possible to deploy projects with inventories that are not in the same tenant as the project. Such requests are now rejected. (NEVISADMV4-9556)
  • FIXED: We fixed a GUI issue in the pattern editor where an error was thrown when a variable was assigned to a multi-select type of pattern field. (NEVISADMV4-9894)
  • FIXED: The file tree in the Generation Results in the Deployment Wizard no longer throws errors or becomes unresponsive when the tree has a lot of items. Moving the divider between the file tree and the file content previewer also became easier. (NEVISADMV4-9519)
  • FIXED: The authentication flow tree (in the right sidebar of the pattern editor) mixed up multiple occurrences of the same pattern when navigating using the links in the tree. Now those links correctly select the expected pattern in the tree. (NEVISADMV4-9910)

Dependency upgrades

  • org.eclipse.jgit 6.9.0.202403050737-r (NEVISADMV4-9293)
  • jsch 0.2.17 (NEVISADMV4-9812)
  • jackson 2.17.0 (NEVISADMV4-9922)
  • jetty-rewrite 12.0.8 (NEVISADMV4-9922)
  • groovy 4.0.20 (NEVISADMV4-9922)
  • aspectjweaver 1.9.22 (NEVISADMV4-9922)
  • jakarta-activation-api 2.1.3 (NEVISADMV4-9922)
  • jakarta-xml-bind-api 4.0.2 (NEVISADMV4-9922)
  • jaxb-runtime 4.0.5 (NEVISADMV4-9922)
  • slf4j-api 2.0.12 (NEVISADMV4-9812)
  • logback-classic 1.5.3 (NEVISADMV4-9922)
  • guava 33.1.0-jre (NEVISADMV4-9922)
  • commonmark 0.22.0 (NEVISADMV4-9922)
  • opensaml 4.3.1 (NEVISADMV4-9922)
  • spring-boot 3.2.5 (NEVISADMV4-9942)
  • springdoc-openapi-starter-webmvc-ui 2.5.0 (NEVISADMV4-9922)
  • mariadb-java-client 3.3.3 (NEVISADMV4-9812)
  • postgresql 42.7.3 (NEVISADMV4-9922)
  • nimbus-jose-jwt 9.37.3 (NEVISADMV4-9812)
  • bcprov-jdk18on 1.78 (NEVISADMV4-9922)
  • bcpkix-jdk18on 1.78 (NEVISADMV4-9922)
  • bcpg-jdk18on 1.78 (NEVISADMV4-9922)
  • bcutil-jdk18on 1.78 (NEVISADMV4-9922)
  • kubernetes-java-client 20.0.1 (NEVISADMV4-9922)
  • micrometer 1.12.4 (NEVISADMV4-9922)

Patterns 7.2405.0 Release Notes - 2024-05-15

Release information

  • Build Version: 7.2405.0.3

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS24 RELEASE / 2024 May.

Enter the version in the Search field: 7.2405.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

  • ⚠️ The image version encoded in the patterns has been raised to 7.2405.0 for all components. If you are deploying to Kubernetes, you have to push all required images to your container registry before deployment.
  • PAT-675: Fixed duplicate Java agent configuration in env.conf when using Java Observability Settings pattern.
  • PAT-667: Support generation of otel configuration based on inventory variables.

Application Protection

  • PAT-674: Fix error during background generation when using a nevisAdmin ${var expression and using only a variable as param-value in a servlet or filter in Generic Virtual Host Settings or Generic Application Settings.

Authentication

  • N/A: Fixed corrupted binary files being deployed when uploading them to Custom Resources in nevisAuth Instance.
  • PAT-652: New advanced setting Shared Groovy Scripts on nevisAuth Instance.
  • PAT-642: Fix requirement clash when reusing JSON Response Step.
  • PAT-669: Support configuration of custom Audit channels for nevisAuth.
  • ⚠️ PAT-654: The default maximum session lifetime has been reduced to 8 hours. This was done to align the realm pattern with the defaults of nevisAuth. The original value of 12 hours has the benefit that end users logging into an office account only have to log in once during a business day, with the drawback of generating more, longer-lasting sessions overall. If you want to go back to the “once a day login”, simply set the maximum session lifetime back to 12 hours in your realm patterns.
  • PAT-657: Support child element Mapping for Method element in Generic nevisAuth Web Service pattern.
  • PAT-657: Ensure errors caused by uploaded XML files are shown where the XML file is uploaded.

Identity Management

  • PAT-680: For permissions related to credentials (such as CredentialChangeState, CredentialCreate, CredentialDelete, CredentialModify, CredentialPdfView, CredentialSearch, CredentialView, and CredentialViewPlainValue), it is now allowed to reduce the elementary permission to a specific credential type. Example: CredentialCreate.PASSWORD

Mobile Authentication

  • PAT-641: Fix HTTP connection to nevisFIDO for Out-of-band Mobile Onboarding.

User behavior analytics

  • NEVISDETECT-1827: Updated the nevisAdapt Demo app in the template.
  • NEVISDETECT-1831: Added option to disable private IP filtering and configure default country code in that case.
  • NEVISDETECT-1834: Added option to enable Apache Hostname Verifier under nevisAdapt Instance / Advanced Settings.
  • NEVISDETECT-1835: Added option to disable nevisAdapt analyzers, either on module or analyzer level.

Known issues and limitations

See also:

nevisAdmin 4

Since 7.2411

  • If you initiate a library upgrade using the update icon in the project selector bar, the upgrade notes dialog might not open. As a workaround, downgrade the library back to the old version, and initiate the upgrade from the Project Settings page.

Since 7.2405

  • On startup, nevisAdmin 4 produces warning messages, such as
    Bean 'shiroConfig' of type [ch.nevis.admin.v4.infra.spring.rest.ShiroConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). The currently created BeanPostProcessor [lifecycleBeanPostProcessor] is declared through a non-static factory method on that class; consider declaring it as static instead. 
    These can be ignored.

Since 4.19:

  • After deleting a deployment from the Kubernetes Status screen, the overall status of the deployment is not updated automatically, only the pods' status.
  • On the Configuration tab, if a library upgrade is available for the selected Project, the upgrade icon should open the upgrade dialog, but if you are on the Project Settings screen, the dialog does not open. As a workaround, you can open the dialog from the Overview or Patterns screens.

Since 4.18:

  • When managing users and groups, in some cases the nevisAdmin 4 GUI incorrectly allows assigning permissions for which the currently logged-in user does not have permission to assign. In these cases, an error dialog will be shown and the permission assignment will not be executed.

  • The 4.18.0.0 flyway script could fail if the database contains a duplicated user that has groups assigned. To fix this problem, execute these scripts manually.

    1. Remove failed migration history.

      delete from flyway_schema_history where version='4.18.0.0';
    2. Delete group assignments of the duplicated users.

      delete from `group_member` where user_id not in (select min(u.id) from `user` u group by u.user_id);
    3. Restart nevisAdmin 4. The 4.18.0.0 migration script will be executed again.

Since 4.12:

  • Updating an inventory attachment with a file that has a new name does not update the reference in the inventory. This results in an outdated file name shown in the reference (inv-res-secret://<id>#fileName>).
  • If there are multiple RPM nevisAdmin 4 installations on a server, the command nevisadmin4 status lists the versions of all installations under the Component field in the nevisAdmin 4 GUI, not only the currently used one.
  • You cannot change the case of a letter of an already published variable. This bug does not affect unpublished variables.
  • The Project summary report tab can take several seconds to load in case of very large projects.
  • Loading the Pattern list can take several seconds in the case of very large projects. In such cases, the Label view or Filters function is a more convenient way to view the patterns.
  • The deployment preview phase reports an error if the automatic key management setting is enabled during classic deployments. This issue does not occur if the deployment is initiated by the root user.

Fixed Issues

4.18 only:

  • Deploying to a Kubernetes cluster that uses cgroups v2, such as AKS 1.25, could result in increased memory consumption for all Java-based Nevis components. This is caused by a bug in the Java version used (JDK-8230305). As a workaround, it is recommended to use Generic Instance Setting patterns and set the maximum heap size directly with the -Xmx option.

4.16 only:

  • Updating the value of a binary global secret or global file, such as a zip, in Secret and Files results in no change. As a workaround, update the value through the Swagger endpoint reachable at /nevisadmin/swagger-ui/index.html#/tenant-secret-resource-resource/update_2 for global secrets, and /nevisadmin/swagger-ui/index.html#/tenant-resource-resource/update_3 for global files.

4.15 only:

  • The Used in column on Secret & Files does not contain inventories that use a secret through a global constant.
  • The label of the link to access pod logs on the Kubernetes Status screen was mistakenly changed to "view operator logs" though it shows only pod logs.

4.14 only:

  • If there is an error in the Managed Kubernetes Certificates screen (for example, connection to Kubernetes cluster fails), the table is not refreshed even if another inventory is selected from the drop-down. If the selected inventory is not default, by refreshing the page the issue can be resolved. Otherwise, the error needs to be fixed first.
  • The Project summary report tab can take several seconds to load in case of very large projects.
  • The Groovy Script Step pattern script validation does not work with 4.13.x plugins. As a workaround, you can disable the validation under Advanced Settings, or update the plugins version to 4.14+.

4.13 only:

  • You can now choose the instance patterns in the Deployment Wizard for Classic deployment. By default, the last selected instance patterns will be deployed in the next deployment. If a new instance pattern is added in the meantime, that pattern is not selected automatically since the last selected option is selected by default. This behaviour will be improved in a future release.

Patterns

Automatic key management - Kubernetes deployment

In Kubernetes deployments, automatic keystores are scoped to a Kubernetes service.

To support side-by-side deployment, a post-fix is appended to Kubernetes service names.

As the service name is included in the certificate subject, it is required to generate new keystores when a service is renamed.

This can be problematic for keystores used to sign a token, because all truststores used to validate the token signature have to be updated as well.

This means that tokens signed by the previous signer are no longer accepted.

For instance, a previous signer may have been used to sign a SecToken for the user, which is then stored in the session.

To avoid this problem, the following keystores are not scoped to the Kubernetes service, even if side-by-side deployment is not being used:

  • The internal SecToken that nevisAuth issues for itself to access nevisIDM and nevisMeta APIs.
  • Application access tokens issued to the user to access applications protected by nevisProxy.

This works when no key management patterns are assigned, but it may fail when assigning an Automatic Key Store pattern. If you use Automatic Key Store patterns to sign tokens, make sure the pattern name ends with -signer.

HTTP error codes cause session loss

By default, the Virtual Host maps an ErrorFilter that handles HTTP error codes.

For security reasons, the filter is configured to remove response headers.

This behavior can lead to the loss of the nevisProxy session when an HTTP error occurs, for example while the session cookie is being renewed after a successful authentication.

For status codes 404 and 502, the headers are not reset, which makes session loss less likely.

You can opt out by adding your own HTTP Error Handling pattern.

This pattern allows you to define which status codes are handled, and for which codes the headers are kept.

You can do this using the property Keep Header Status Codes.

Assign the HTTP Error Handling pattern to relevant locations, for example, the entire Virtual Host or in applications.

Fixed Issues

Up to 4.19:

  • When the folder /var/opt/keys/ is completely removed on target hosts in VM deployments, two deployments are required to recreate the key material. This is an exceptional case which occurs only during disaster recovery or nevisAdmin 4 CA renewal.