Version: 7.2405.x.x LTS

Release notes

Important Information for nevisAdmin 3 Users

nevisAdmin 4 is the completely overhauled configuration and deployment solution for the Nevis Identity Suite.

nevisAdmin 3 configurations cannot be automatically migrated to nevisAdmin 4. Contact your integration partner if you need assistance to migrate from nevisAdmin 3 to nevisAdmin 4.

If you are looking for updates to nevisAdmin 3, check the nevisAdmin 3 documentation.

nevisAdmin 7.2405.1 Release Notes - 2024-06-26

Release information

  • RPM: nevisadmin4-7.2405.1.0-1.noarch.rpm
  • GUI Version: FE 7.2405.0-1302 - BE 7.2405.1.0

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • FIXED: CORS preflight requests are no longer rejected. (NEVISADMV4-10021)

nevisAdmin 7.2405.0 Release Notes - 2024-05-15

Release information

  • RPM: nevisadmin4-7.2405.0.3-1.noarch.rpm
  • GUI Version: FE 7.2405.0-1302 - BE 7.2405.0.3

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

  • CHANGED: Due to the shallow checkout feature, Kubernetes deployments no longer work with uninitialized repositories. (NEVISADMV4-10018)

Main improvement

  • NEW: nevisAdmin 4 now collects anonymized analytics data. This helps us understand better how nevisAdmin 4 is used. (PRODROAD-402)
    Note: nevisAdmin 4 only collects data. It does not send it to us without explicit user interaction. For more information, see product-analytics.

Notable changes and bug fixes

  • IMPROVED: Issues with INFO severity are now logged at DEBUG log level instead of INFO log level, for better log readability. This change only affects issues (mostly the ones created during the validation of configurations), not all log messages. (NEVISADMV4-9878)
  • IMPROVED: The deployment process now creates a shallow clone of the deployment repository. (NEVISADMV4-9293)
  • IMPROVED: The log viewer dialog (for pod's or nevisAdmin 4's logs) now lets you turn on line wrapping. The preference is sticky among logs. (NEVISADMV4-9904)
  • FIXED: Using REST requests, it used to be possible to deploy projects with inventories that are not in the same tenant as the project. Such requests are now rejected. (NEVISADMV4-9556)
  • FIXED: We fixed a GUI issue in the pattern editor where an error was thrown when a variable was assigned to a multi-select type of pattern field. (NEVISADMV4-9894)
  • FIXED: The file tree in the Generation Results in the Deployment Wizard no longer throws errors or becomes unresponsive when the tree has a lot of items. Moving the divider between the file tree and the file content previewer also became easier. (NEVISADMV4-9519)
  • FIXED: The authentication flow tree (in the right sidebar of the pattern editor) mixed up multiple occurrences of the same pattern when navigating using the links in the tree. Now those links correctly select the expected pattern in the tree. (NEVISADMV4-9910)

Dependency upgrades

  • org.eclipse.jgit 6.9.0.202403050737-r (NEVISADMV4-9293)
  • jsch 0.2.17 (NEVISADMV4-9812)
  • jackson 2.17.0 (NEVISADMV4-9922)
  • jetty-rewrite 12.0.8 (NEVISADMV4-9922)
  • groovy 4.0.20 (NEVISADMV4-9922)
  • aspectjweaver 1.9.22 (NEVISADMV4-9922)
  • jakarta-activation-api 2.1.3 (NEVISADMV4-9922)
  • jakarta-xml-bind-api 4.0.2 (NEVISADMV4-9922)
  • jaxb-runtime 4.0.5 (NEVISADMV4-9922)
  • slf4j-api 2.0.12 (NEVISADMV4-9812)
  • logback-classic 1.5.3 (NEVISADMV4-9922)
  • guava 33.1.0-jre (NEVISADMV4-9922)
  • commonmark 0.22.0 (NEVISADMV4-9922)
  • opensaml 4.3.1 (NEVISADMV4-9922)
  • spring-boot 3.2.5 (NEVISADMV4-9942)
  • springdoc-openapi-starter-webmvc-ui 2.5.0 (NEVISADMV4-9922)
  • mariadb-java-client 3.3.3 (NEVISADMV4-9812)
  • postgresql 42.7.3 (NEVISADMV4-9922)
  • nimbus-jose-jwt 9.37.3 (NEVISADMV4-9812)
  • bcprov-jdk18on 1.78 (NEVISADMV4-9922)
  • bcpkix-jdk18on 1.78 (NEVISADMV4-9922)
  • bcpg-jdk18on 1.78 (NEVISADMV4-9922)
  • bcutil-jdk18on 1.78 (NEVISADMV4-9922)
  • kubernetes-java-client 20.0.1 (NEVISADMV4-9922)
  • micrometer 1.12.4 (NEVISADMV4-9922)

Patterns 7.2405.0 Release Notes - 2024-05-15

Release information

  • Build Version: 7.2405.0.3

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select LTS24 RELEASE / 2024 May.

Enter the version in the Search field: 7.2405.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Info: Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

  • ⚠️ The image version encoded in the patterns has been raised to 7.2405.0 for all components. If you are deploying to Kubernetes you have to push all required images to your container registry before deployment.
  • PAT-675: Fixed duplicate Java agent configuration in env.conf when using Java Observability Settings pattern.
  • PAT-667: Support generation of otel configuration based on inventory variables.

Application Protection

  • PAT-674: Fix error during background generation when using a nevisAdmin ${var expression and using only a variable as param-value in a servlet or filter in Generic Virtual Host Settings or Generic Application Settings.

Authentication

  • N/A: Fixed corrupted binary files being deployed when uploading them to Custom Resources in nevisAuth Instance.
  • PAT-652: New advanced setting Shared Groovy Scripts on nevisAuth Instance.
  • PAT-642: Fix requirement clash when reusing JSON Response Step.
  • PAT-669: Support configuration of custom Audit channels for nevisAuth.
  • ⚠️ PAT-654: The default maximum session lifetime has been reduced to 8 hours. This was done to align the realm pattern with the defaults of nevisAuth. The original value of 12 hours has the benefit that sessions for end-users logging into an office account only have to log in once during a business day with the drawback of generating more, longer lasting sessions overall. If you want to go back to the “once a day login”, simply set the maximum session lifetime back to 12 hours in your realm patterns.
  • PAT-657: Support child element Mapping for Method element in Generic nevisAuth Web Service pattern.
  • PAT-657: Ensure errors caused by uploaded XML files are shown where the XML file is uploaded.

Identity Management

  • PAT-680: For permissions related to credentials (such as CredentialChangeState, CredentialCreate, CredentialDelete, CredentialModify, CredentialPdfView, CredentialSearch, CredentialView, and CredentialViewPlainValue), it is now allowed to reduce the elementary permission to a specific credential type. Example: CredentialCreate.PASSWORD

Mobile Authentication

  • PAT-641: Fix HTTP connection to nevisFIDO for Out-of-band Mobile Onboarding.

User behavior analytics

  • NEVISDETECT-1827: Updated nevisAdapt Demo app in the template.
  • NEVISDETECT-1831: Added option to disable private IP filtering and configure default country code in that case.
  • NEVISDETECT-1834: Added option to enable Apache Hostname Verifier under nevisAdapt Instance / Advanced Settings.
  • NEVISDETECT-1835: Added option to disable nevisAdapt analyzers, either on module or analyzer level.

Known issues and limitations

See also:

nevisAdmin 4

Since 7.2405

  • On startup, nevisAdmin 4 produces warning messages, such as
    Bean 'shiroConfig' of type [ch.nevis.admin.v4.infra.spring.rest.ShiroConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). The currently created BeanPostProcessor [lifecycleBeanPostProcessor] is declared through a non-static factory method on that class; consider declaring it as static instead. 
    These can be ignored.

Since 4.19:

  • After deleting a deployment from the Kubernetes Status screen, the overall status of the deployment is not updated automatically, only the pods' status.
  • On the Configuration tab, if a library upgrade is available for the selected Project, the upgrade icon should open the upgrade dialog, but if you are on the Project Settings screen, the dialog does not open. As a workaround, you can open the dialog from the Overview or Patterns screens.

Since 4.18:

  • When managing users and groups, in some cases the nevisAdmin 4 GUI incorrectly allows assigning permissions for which the currently logged-in user does not have permission to assign. In these cases, an error dialog will be shown and the permission assignment will not be executed.

  • The 4.18.0.0 flyway script could fail if the database contains a duplicated user that has groups assigned. To fix this problem, execute these scripts manually.

    1. Remove failed migration history.

      delete from flyway_schema_history where version='4.18.0.0';
    2. Delete group assignments of the duplicated users.

      delete from `group_member` where user_id not in (select min(u.id) from `user` u group by u.user_id);
    3. Restart nevisAdmin 4. The 4.18.0.0 migration script will be executed again.
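
Added example, not part of the original release notes: a way to preview which rows the cleanup in step 2 removes and to run it inside a transaction. It assumes MariaDB/MySQL (the statements above use backtick quoting) and a transactional storage engine, and it uses only the tables and columns that appear in those statements.

```sql
-- 1. user_id values that occur more than once, with the row id that is kept
--    (the lowest id per user_id, as in the subquery of step 2).
select u.user_id, count(*) as copies, min(u.id) as kept_id
from `user` u
group by u.user_id
having count(*) > 1;

-- 2. Group assignments that step 2 would delete, counted per duplicated user row.
select gm.user_id as user_row_id, count(*) as assignments
from `group_member` gm
where gm.user_id not in (select min(u.id) from `user` u group by u.user_id)
group by gm.user_id;

-- 3. Run the delete from step 2 in a transaction and re-check before committing.
start transaction;

delete from `group_member`
where user_id not in (select min(u.id) from `user` u group by u.user_id);

select count(*) as remaining
from `group_member`
where user_id not in (select min(u.id) from `user` u group by u.user_id);

-- Commit only if the number of deleted rows matches query 2 and no rows
-- remain; otherwise issue rollback instead.
commit;
```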

Since 4.12:

  • Updating an inventory attachment with a file that has a new name does not update the reference in the inventory. This results in an outdated file name shown in the reference (inv-res-secret://<id>#fileName>).
  • If there are multiple RPM nevisAdmin 4 installations on a server, the command nevisadmin4 status lists the versions of all installations under the Component field in the nevisAdmin 4 GUI, not only the currently used one.
  • You cannot change the case of a letter of an already published variable. This bug does not affect unpublished variables.
  • The Project summary report tab can take several seconds to load in case of very large projects.
  • Loading the Pattern list can take several seconds in the case of very large projects. In such cases, the Label view or Filters function is a more convenient way to view the patterns.
  • The deployment preview phase reports an error if the automatic key management setting is enabled during classic deployments. This issue does not occur if the deployment is initiated by the root user.

Fixed Issues

4.18 only:

  • Deploying to a Kubernetes cluster that uses cgroups v2, such as AKS 1.25, could result in increased memory consumption for all Java-based Nevis components. This is caused by a bug in the used Java version (JDK-8230305). As a workaround, it's recommended to use Generic Instance Setting patterns and set the maximum heap size directly with the -Xmx option.

4.16 only:

  • Updating the value of a binary global secret or global file, such as a zip in Secret and Files results in no change. As a workaround, update the value through the Swagger endpoint reachable at /nevisadmin/swagger-ui/index.html#/tenant-secret-resource-resource/update_2 for global secrets, and /nevisadmin/swagger-ui/index.html#/tenant-resource-resource/update_3 for global files.

4.15 only:

  • The Used in column on Secret & Files does not contain inventories that use a secret through a global constant.
  • The label of the link to access pod logs on the Kubernetes Status screen was mistakenly changed to "view operator logs" though it shows only pod logs.

4.14 only:

  • If there is an error in the Managed Kubernetes Certificates screen (for example, connection to Kubernetes cluster fails), the table is not refreshed even if another inventory is selected from the drop-down. If the selected inventory is not default, by refreshing the page the issue can be resolved. Otherwise, the error needs to be fixed first.
  • The Project summary report tab can take several seconds to load in case of very large projects.
  • The Groovy Script Step pattern script validation does not work with 4.13.x plugins. As a workaround, you can disable the validation under Advanced Settings, or update the plugins version to 4.14+.

4.13 only:

  • You can now choose the instance patterns in the Deployment Wizard for Classic deployment. By default, the last selected instance patterns will be deployed in the next deployment. If a new instance pattern is added in the meantime, that pattern is not selected automatically since the last selected option is selected by default. This behaviour will be improved in a future release.

Patterns

Automatic key management - Kubernetes deployment

In Kubernetes deployments, automatic keystores are scoped to a Kubernetes service.

To support side-by-side deployment, a post-fix is appended to Kubernetes service names.

As the service name is included in the certificate subject, it is required to generate new keystores when a service is renamed.

This can be problematic for keystores used to sign a token, because all truststores used to validate the token signature have to be updated as well.

This means that tokens signed by the previous signer are no longer accepted.

For instance, a previous signer may have been used to sign a SecToken for the user, which is then stored in the session.

To avoid this problem, the following keystores are not scoped to the Kubernetes service. This applies even if side-by-side deployment is not being used:

  • The internal SecToken that nevisAuth issues for itself to access nevisIDM and nevisMeta APIs.
  • Application access tokens issued to the user to access applications protected by nevisProxy.

This works when no key management patterns are assigned, but it may fail when assigning an Automatic Key Store pattern. If you use Automatic Key Store patterns to sign tokens, make sure the pattern name ends with -signer.

HTTP error codes cause session loss

By default, the Virtual Host maps an ErrorFilter that handles HTTP error codes.

For security reasons, the filter is configured to remove response headers.

This behavior can lead to the loss of the nevisProxy session when an HTTP error occurs, for example while the session cookie is being renewed after a successful authentication.

For status codes 404 and 502, the headers are not reset, which makes session loss less likely.

You can opt out by adding your own HTTP Error Handling pattern.

This pattern allows you to define which status codes are handled, and for which codes the headers are kept.

You can do this using the property Keep Header Status Codes.

Assign the HTTP Error Handling pattern to relevant locations, for example, the entire Virtual Host or in applications.

Fixed Issues

Up to 4.19:

  • When the folder /var/opt/keys/ is completely removed on target hosts in VM deployments, two deployments are required to recreate the key material. This is an exceptional case which occurs only during disaster recovery or nevisAdmin 4 CA renewal.