Standard Patterns migration from LTS21 to LTS24
If you have not done so already, upgrade all components to the latest LTS21 version available.
Then you can switch to the latest LTS24 version. Note that you cannot use the LTS24 patterns with an LTS21 nevisAdmin: you have to upgrade nevisAdmin first. Read the release notes of all in-between pattern releases.
You can prepare the pattern configuration beforehand, but in the case of classic deployments you have to upgrade the target hosts before you deploy. For Kubernetes deployments, you have to ensure that the operator is upgraded and the images are pushed to the container registry.
Breaking Changes
Here is a list of changes that we consider breaking and that may require pattern configuration changes.
4.14.0
General
- NEVISADMV4-7765: The available options for `Log Targets` in `Log Settings` patterns are changed.
  - The option `file` is now called `default` because in Kubernetes deployments the log is always written to the pod log.
  - The option `file + syslog` is now called `default + syslog` for the same reason.
  - If you selected one of the options above you get an error. Select `default` instead.
- NEVISADMV4-7840: `Generic Instance Settings` for Java-based components now support setting all formats of Java properties. If you use a variable for `Java Opts`, check that the configuration is generated as expected.
Application protection
- NEVISADMV4-7812: When an `Error Handler` pattern with a sub-paths parameter is added to a `Virtual Host`, the default error handler of the `Virtual Host` is now applied to the sub-paths not covered by the attached `Error Handler` pattern. Previously, the default error handler was disabled as soon as an `Error Handler` pattern was attached to the `Virtual Host`. If you want to keep the previous behavior, attach an additional `Error Handler` pattern with `Mode` set to `disabled` to the `Virtual Host`.
Authentication
- NEVISADMV4-7920: The default value of `Client Authentication` was changed to `enabled` for `nevisAuth Instance`.
  - The `Frontend Trust Store` now has to contain the CA certificate which issued the certificate of the `Client Key Store` of the associated realm patterns.
- NEVISADMV4-7910: When `Translation Mode` is set to `combined (default)` for nevisLogrend and nevisAuth, the uploaded files have to be called `labels_<code>.properties`. Rename the uploaded files if required.
Identity management
- NEVISIDM-7694: Encryption settings are now exposed in `nevisIDM Instance`.
  - From now on the `Encryption Key` has to be set.
  - The database should be checked for encrypted content to determine if `Encryption Fallback` has to be `enabled`:
    - encrypted properties: `select * from tidma_property where encrypted = 1;`
    - unused URL tickets: `select * from tidma_credential where CREDENTIAL_TYPE_ID = 14 and STATE_ID = 2;`
- NEVISADMV4-5588: The setting `Enabled SOAP WebService Versions` in `nevisIDM Instance` is removed.
  - This setting was not working in recent releases.
  - Use `Generic nevisIDM Instance Settings` to set the property `webservice.versions` instead.
4.15.0
General
- NEVISADMV4-8076: The fields used for `Log Levels` in `Log Settings` patterns are aligned. In case you have to adapt your pattern configuration, a message is shown to guide you through the process.
Application protection
- NEVISPROXY-6145: We improved the nevisProxy patterns to only generate one servlet per `web.xml` for storing sessions. In addition, the session store servlets now have fixed names: `MySQLSessionStoreServlet`, `LocalSessionStoreServlet`, `MultiLevelSessionStoreServlet`. If you are using `Generic Virtual Host Settings` or `Generic Application Settings` to patch these servlets, you have to adapt the pattern configuration.
Authentication
- NEVISPROXY-6089: The internal property providing the `Required Roles` of the `Authorization Policy` pattern is renamed. If you see a text box called `Unknown property: roles` in your `Authorization Policy` pattern, configure the reported roles or the reported variable in the `Required Roles` setting. Write one value per line if you set roles directly.
- NEVISPROXY-6089: The `SecurityRolesFilter` generated to enforce mandatory role requirements is now called `Authorization_Required_Roles_<roles>_<realm>` instead of `Authorization_<roles>_<realms>`.
- NEVISPROXY-6089: When combining several `Authorization Policy` patterns for an application, by default the pattern with the most specific mapping overrides the settings of the more general patterns, including the empty values. Empty values were previously ignored. As a consequence, if one of the `Required Roles`, `Forbidden Roles` or `Authentication Level` settings is defined in the most general pattern, but is empty in the most specific one, by default no rule will be enforced for this setting on paths where the specific pattern is mapped. Review every path where a more specific pattern leaves one of these settings empty and fill it in explicitly if the general rule should still apply there.
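The override rule in the last NEVISPROXY-6089 item is easiest to see on a small model. The following is an added example, not nevisProxy or nevisAdmin code: it resolves the three settings for a request path under both behaviors, empty values overriding (the 4.15.0 default) versus empty values ignored (the previous behavior). Longest matching path prefix as the measure of specificity, the setting names, and the sample policies are assumptions made for this illustration.

```python
"""Model of how overlapping Authorization Policy patterns combine.

Added example (not nevisAdmin code). It models the merge rule in which the
pattern with the most specific mapping overrides more general ones, including
empty values. Specificity by longest matching path prefix and the setting names
are assumptions made for this illustration; the sample policies are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SETTINGS = ("required_roles", "forbidden_roles", "authentication_level")


@dataclass
class AuthorizationPolicy:
    """One Authorization Policy pattern attached to a path prefix (assumed)."""
    mapping: str
    required_roles: List[str] = field(default_factory=list)
    forbidden_roles: List[str] = field(default_factory=list)
    authentication_level: Optional[str] = None   # None or "" means "not set"

    def setting(self, name: str):
        return getattr(self, name)


def is_empty(value) -> bool:
    return value is None or value == "" or value == []


def effective_policy(policies: List[AuthorizationPolicy], path: str,
                     empty_overrides: bool = True) -> Dict[str, object]:
    """Resolve the settings enforced on `path`.

    Matching policies are applied from the most general (shortest mapping) to
    the most specific (longest mapping). With empty_overrides=True (the 4.15.0
    default) an empty value in a more specific pattern clears the general value,
    so no rule is enforced for that setting. With empty_overrides=False (the
    previous behavior) empty values are skipped and the general value survives.
    """
    matching = sorted((p for p in policies if path.startswith(p.mapping)),
                      key=lambda p: len(p.mapping))
    result: Dict[str, object] = {name: None for name in SETTINGS}
    for policy in matching:
        for name in SETTINGS:
            value = policy.setting(name)
            if is_empty(value) and not empty_overrides:
                continue                      # old behavior: ignore empty values
            result[name] = None if is_empty(value) else value
    return result


def enforced_settings(policies: List[AuthorizationPolicy], path: str,
                      empty_overrides: bool = True) -> List[str]:
    """Names of the settings for which a rule is actually enforced on `path`."""
    resolved = effective_policy(policies, path, empty_overrides)
    return [name for name in SETTINGS if not is_empty(resolved[name])]


# Constructed sample: the general policy for the whole application requires a
# role and authentication level 2; the specific policy for /app/public/ only
# forbids a role and leaves the other two settings empty.
GENERAL = AuthorizationPolicy("/app/", required_roles=["employee"],
                              authentication_level="2")
SPECIFIC = AuthorizationPolicy("/app/public/", forbidden_roles=["contractor"])
POLICIES = [GENERAL, SPECIFIC]

if __name__ == "__main__":
    for flag in (True, False):
        print("empty_overrides=%s: %s" % (flag, enforced_settings(POLICIES, "/app/public/index.html", flag)))
```

With the 4.15.0 default, `/app/public/` ends up with only the `Forbidden Roles` rule: the `employee` requirement and the authentication level from the general pattern are silently dropped. That is the case to look for when reviewing a configuration with several overlapping `Authorization Policy` patterns.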
Identity management
- NEVISIDM-7872: The `nevisIDM Administration GUI` pattern enables REST API access by default. As this may conflict with the `nevisIDM REST Service` pattern, it is mandatory to either manually disable it or remove the conflicting pattern.
4.16.0
General
- NEVISADMV4-8429: The `SameSite` flag is now set to `None` by default for nevisProxy session cookies. Note that browsers only accept `SameSite=None` on cookies that also carry the `Secure` attribute.
Application protection
- NEVISPROXY-6256: The `Hosting Service` pattern is adapted. The underlying `DefaultServlet` is replaced by a `FileReaderServlet` to allow future improvements. This change may affect you if you customised your `Hosting Service` with a `Generic nevisProxy Settings` pattern.
Authentication
- We renamed several GUI descriptors. If you are using the GUI names in your `Login Template`, you have to adapt your `.vm` and `.js` files.
- NEVISADMV4-8369: In the credentials selection dialog of the `nevisIDM Second Factor Selection` pattern, we renamed the label `method.tan.label` to `method.mtan.label`.
4.16.1
SAML / OAuth / OpenID Connect
- PAT-30: Removed the `Custom Pre-Processing` hook in the `OAuth 2.0 Authorization Server / OpenID Provider` pattern.
4.16.2
General
- PAT-90: We added a new setting `Regex Filter` to the `Log Settings` patterns of Log4j 2-based components.
  - If configured, messages matching the regular expression are not logged.
  - By default, nevisLogrend no longer logs messages matching `.*GET /nevislogrend/health.*`, so health-check requests no longer appear in its log.
4.16.3
SAML / OAuth / OpenID Connect
- PAT-109: The `SAML IDP` does not dispatch according to the last used SP anymore.
4.17.0
General
- PAT-75: Added a new widget for map-like settings.
  - Existing configurations have to be migrated. Warning issues will be generated for patterns that require attention.
  - The widget will guide you through the migration steps when you visit the pattern. By saving the pattern you complete the migration.
  - In some places several separators were allowed (`->`, `:`, `=`) in previous releases. The old widget used the same parsing order for all lines and thus some separators had to be used the “wrong way round”. Often, the order of the `->` was wrong. The new widget fixes this problem: it imports existing data using a proper, “natural” reading order (`value -> key`, `key = value`, `key : value`). This can lead to invalid configuration in some cases. Double-check carefully how the migration has interpreted your existing configuration, as you may have to switch the left and right side in some cases.
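To see how the migration can flip a line, here is an added example, not the nevisAdmin widget itself, that implements the natural reading order described above and compares it with the old behavior. That the old widget always took the left side as the key, whatever the separator, is an assumption derived from the text; the sample lines are constructed.

```python
"""Legacy vs. natural parsing of map-like pattern settings.

Added example (not nevisAdmin code). It reproduces the two reading orders so
you can see which lines a migration will interpret differently.
Assumption: the legacy widget always took the left side as the key, whatever
the separator; the new widget reads `value -> key`, `key = value` and
`key : value`. Sample lines are constructed.
"""
from typing import Dict, List, Tuple

SEPARATORS = ("->", "=", ":")


def split_line(line: str) -> Tuple[str, str, str]:
    """Return (left, separator, right) for the separator that appears first.

    The earliest separator in the line wins, so "url = http://host:8080" splits
    on "=" and keeps the port intact in the value.
    """
    positions = [(line.find(sep), sep) for sep in SEPARATORS if sep in line]
    if not positions:
        raise ValueError("no separator in line: %r" % line)
    pos, sep = min(positions)
    return line[:pos].strip(), sep, line[pos + len(sep):].strip()


def parse_legacy(lines: List[str]) -> Dict[str, str]:
    """Old widget (assumed): the left side is always the key."""
    result: Dict[str, str] = {}
    for line in lines:
        if line.strip():
            left, _sep, right = split_line(line)
            result[left] = right
    return result


def parse_natural(lines: List[str]) -> Dict[str, str]:
    """New widget: `value -> key`, but `key = value` and `key : value`."""
    result: Dict[str, str] = {}
    for line in lines:
        if line.strip():
            left, sep, right = split_line(line)
            key, value = (right, left) if sep == "->" else (left, right)
            result[key] = value
    return result


def swapped_entries(lines: List[str]) -> List[str]:
    """Lines the migration reads differently from the old widget: review these."""
    return [line for line in lines
            if line.strip() and parse_legacy([line]) != parse_natural([line])]


# Constructed sample of a legacy map-like setting with mixed separators.
SAMPLE = [
    "X-Remote-User -> remoteUser",   # legacy key X-Remote-User, natural key remoteUser
    "timeout = 30",
    "realm : default",
]

if __name__ == "__main__":
    print("legacy :", parse_legacy(SAMPLE))
    print("natural:", parse_natural(SAMPLE))
    print("review :", swapped_entries(SAMPLE))
```

Only the `->` line changes meaning; `=` and `:` lines migrate unchanged. Running `swapped_entries` over an exported setting gives you the lines to check by hand after the widget has imported them.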
Application Protection
- PAT-36: Added the new setting `Remote Session Store` in the `Virtual Host` pattern. Use this new setting instead of `Additional Resources`.
Identity Management
- PAT-52: Migrated the `nevisIDM Authorizations` pattern to be file based to avoid size restrictions.
SAML / OAuth / OpenID Connect
- PAT-57: Changed default paths in `OAuth 2.0 Authorization Server / OpenID Connect Provider`.
  - Changed default paths to `exact:/oauth/<name>`. See the help section for details.
  - Changed the `/auth` endpoint to `/authorization` based on the RFC examples.
- PAT-73: Refactored the Social Login patterns to avoid security issues when the user is not linked.
  - You have to upgrade your flows. See the pattern help for details.
4.18.0
General
- PAT-138: Removed the setting `Compat Level` in `nevisAuth Instance`.
- PAT-138: Removed settings which used a text box when there is a corresponding file upload.
- PAT-118: Added new Database patterns for all Nevis components which use a database.
  - You can now use the same pattern for classic (VM) and Kubernetes deployments.
  - The drop-down `Session Management` in `Advanced Settings` can be set to `disabled` to opt out of automatic DB schema setup and migration.
  - The existing database patterns have been removed. Adapt your pattern configuration by using the new patterns.
  - The technical property name for assigning the Database pattern has been adapted in: `nevisAuth Instance`, `nevisAdapt Instance`, `nevisFIDO UAF Instance`, `nevisDetect Persistency Instance`.
Authentication
- PAT-165: Adapted the generation of key stores and trust stores for outgoing TLS connections in nevisAuth.
  - nevisAuth now supports using separate key material for all these connections and can fall back to the system trust store in the JDK.
  - The `SwissPhone Connection` pattern has been adapted accordingly.
  - If you are using `Generic Authentication Step` or `Groovy Script Step`, and you have outgoing TLS connections, then you may have to adapt your configuration.
    - Details can be found in the nevisAuth release notes.
    - If a suspicious property name is generated, the patterns will produce a warning issue.
    - If this check produces a false positive, it is safe to ignore.
    - The check has been implemented to help with the migration and will be removed in a future release.
- PAT-192: The `recommended` option in the `Synchronize Sessions` drop-down in the `nevisAuth Database` pattern now behaves like the option `always` in both classic and Kubernetes deployments.
  - In previous releases (previous database patterns) the behavior of `recommended` was:
    - `always` in Kubernetes deployments
    - `after-successful-authentication` in classic deployments
  - This change can increase the number of sessions stored in the remote session store.
  - The benefit is that now the authentication can continue on another line, in case nevisProxy decides to send the user to a different line.
  - You can opt out of this change by selecting the option `after-successful-authentication`.
Mobile Authentication
- PAT-157: The JavaScript used by `Out-of-band Mobile Authentication` has been rewritten from scratch. If you use a custom login template, adapt the template accordingly.
- PAT-198: Improved the `Mobile Device Deregistration` pattern.
  - The technical property name used for `Authentication Realm` has changed. Assign your `In-band Mobile Authentication Realm` to the new setting instead.
  - Rewrote the help text to make clear which APIs are exposed.
- PAT-196: The `Out-of-band Device Management App` has been simplified.
  - This pattern is provided for demo purposes only. If you want to do mobile device management in production, you should implement your own application.
  - The pattern help has been improved. It now documents which API calls the example application makes and how the required endpoints may be provided.
  - The `FIDO Settings` and `Userinfo Settings` tabs have been removed.
  - The pattern does not automatically expose the required APIs anymore. Instead, you now have to configure additional patterns as described in the help.
4.18.3
FIDO2 / Passwordless
- IDC-2999: The `FIDO2 Onboarding` pattern now renders a welcome screen.
4.19.0
Application Protection
- PAT-230: Removed the deprecated `Navajo SSL Cache` setting from the `Virtual Host` pattern.
- PAT-365: nevisProxy upgraded to OpenSSL 3.0, which has a stricter default security level than OpenSSL 1.1.1. The default security level 1 now forbids signatures using SHA1 and MD5. As a consequence, the following issues may occur:
  - Connections using TLSv1.1 will fail with the following message in the `navajo.log`:

    `3-ERROR : OpenSSL-failure: 00777CC0137F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2255:0x0a [OSSL-0005]`

    We recommend upgrading your configuration to use TLSv1.2 or TLSv1.3. If this is not possible, you can add the suffix `:@SECLEVEL=0` to your TLSv1.1 cipher suites to allow their signature algorithms.
  - Connections using a certificate with a deprecated signature algorithm will fail with the following message in the `navajo.log`:

    `3-ERROR : [...] error:0A00018E:SSL routines::ca md too weak (must be pem encoded)) [NVCT-0054]`

    We recommend renewing your certificates with a stronger signature algorithm. Meanwhile, you can add the suffix `:@SECLEVEL=0` to the cipher suites of the affected filter or servlet. Note that `@SECLEVEL=0` switches these checks off for every connection that uses the cipher string, so treat it as a temporary workaround. If the issue occurs at several places, or if it affects your `EsAuth4ConnectorServlet`s, you can also modify the default cipher suites to include this suffix. Proceed as follows:
    - Add a `Generic nevisProxy Instance Settings` pattern to your configuration.
    - Add a `bc.property` for each cipher suite setting you want to modify. The keys are:
      - `ch.nevis.isiweb4.servlet.connector.http.SSLCipherSuites` for the `HttpsConnectorServlet`s
      - `ch.nevis.isiweb4.servlet.connector.websocket.SSLCipherSuites` for the `WebSocketServlet`s
      - `ch.nevis.isiweb4.servlet.connector.soap.esauth4.Transport.SSLCipherSuites` for the `EsAuth4ConnectorServlet`s
      - `ch.nevis.nevisproxy.servlet.connector.http.BackendConnectorServlet.Secure.CipherSuites` for the `BackendConnectorServlet`s
      - `ch.nevis.isiweb4.filter.icap.ICAPFilter.SSLCipherSuites` for the `ICAPFilter`s
    - The modified default value should be `ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:@SECLEVEL=0`
    - Attach this pattern to your `nevisProxy Instance`, under `Advanced Settings` > `Additional Settings`.
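Before lowering the security level, it pays to find out which certificates in your key and trust material actually carry a SHA1 or MD5 signature. The following is an added example, not nevisProxy or nevisAdmin code: it reads the outer `signatureAlgorithm` of a DER or PEM encoded certificate with the Python standard library only and reports whether OpenSSL 3.0 security level 1 would accept it. The sample certificates are constructed skeletons with the correct outer layout but a dummy body, and the OID table covers only the common algorithms listed.

```python
"""Pre-flight check for the OpenSSL 3.0 security-level change: report an X.509
certificate's signature algorithm and whether the default SECLEVEL=1 accepts it.
Added example, not nevisProxy or nevisAdmin code; standard library only. It walks
the outer DER layout Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue }. The sample certificates are constructed skeletons, not real ones.
"""
import base64
import re
from typing import Tuple

# Common signature OIDs and whether OpenSSL 3.0 security level 1 accepts them.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

def read_tlv(buf: bytes, offset: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at offset; return (tag, value, next offset)."""
    tag, length, pos = buf[offset], buf[offset + 1], offset + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # a clear high bit ends the base-128 group
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input; PEM is base64 between BEGIN/END CERTIFICATE lines."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def signature_algorithm(cert: bytes) -> str:
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(pem_to_der(cert), 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)           # tbsCertificate, skipped
    alg_tag, alg, _ = read_tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)         # algorithm OBJECT IDENTIFIER
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return decode_oid(oid)

def seclevel1_accepts(cert: bytes) -> Tuple[str, bool]:
    """(algorithm name, accepted at SECLEVEL=1); unknown OIDs are not flagged."""
    oid = signature_algorithm(cert)
    return SIGNATURE_OIDS.get(oid, (oid, True))

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, using the long length form for content of 128 bytes or more."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs, high bit continues)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        group = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            group.append(0x80 | (arc & 0x7F))
        out.extend(reversed(group))
    return der(0x06, bytes(out))

def constructed_cert(sig_oid: str) -> bytes:
    """Constructed sample: dummy tbsCertificate and signature, real AlgorithmIdentifier."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xAA" * 200)   # long enough to exercise long-form lengths
    return der(0x30, tbs + alg + sig)

def to_pem(der_bytes: bytes) -> bytes:
    """Wrap DER bytes as a PEM CERTIFICATE block."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes) + b"-----END CERTIFICATE-----\n"

SHA1_CERT = constructed_cert("1.2.840.113549.1.1.5")      # rejected at SECLEVEL=1
SHA256_CERT = constructed_cert("1.2.840.113549.1.1.11")   # accepted
```

Run `seclevel1_accepts` over every `.pem` in your deployed key material; each `False` result names a certificate to renew before you remove the `@SECLEVEL=0` workaround again. The same field is shown as `Signature Algorithm` by `openssl x509 -noout -text`.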
SAML / OAuth / OpenID Connect
- PAT-183: The REST endpoint configuration for OAuth 2.0 / OpenID Connect has been moved to a separate pattern for each endpoint. You have to adapt your configuration and use the new patterns.
- PAT-306: Allow disabling IDP-initiated authentication in the `SAML IDP` pattern.
  - IDP-initiated authentication is disabled by default. You can opt out of this change by enabling it again.
Mobile Authentication
- PAT-255: The following deprecated patterns have been removed with this release:
  - `Mobile Authentication with Custom URI Link`: custom URI links have to be configured in the `nevisFIDO UAF Instance` pattern instead.
  - `Mobile Authentication with Deep Link`: deep links have to be configured in the `nevisFIDO UAF Instance` pattern instead.
  - `Mobile Device Registration`: use the `In-band Mobile Registration Service` and/or `Out-of-band Mobile Registration Service` patterns to expose the APIs required by your client.
Authentication Cloud
- PAT-298: Removed the `Authentication Cloud` pattern.
  - Use the new `Authentication Cloud Login` and `Authentication Cloud Onboarding` patterns instead.
4.20.0
General
- PAT-369: Refactored automatic key management for classic deployments.
  - The master for all key material is now generated during project generation and deployed to the target hosts as `.pem` files.
  - Only `.jks` and `.p12` files are still assembled on the target hosts by running a script during deployment.
  - The overall solution is now much simpler and more reliable.
  - However, if automatic key management was used with an earlier release, you have to perform some manual clean-up operations:
    - remove the `/var/opt/keys` folder on the target hosts
    - run the following SQL commands in the nevisadmin4 database:

      ```sql
      delete from pki_store_content;
      delete from pki_store;
      commit;
      ```
Authentication
- PAT-390: Changes to `logrend.properties`.
  - Fixed usage of expressions in the `logrend.properties` configuration.
  - Removed the file-based configuration. Use the key-value based configuration instead.
User behavior analytics
- NEVISDETECT-1704: Refactored the feedback configuration:
  - Added the setting `nevisAdapt Feedback Configuration` to `Advanced Settings` of `nevisAdapt Instance`.
  - Added the new pattern `nevisAdapt Feedback Configuration` to keep all related configuration in one place.
  - Removed settings from `nevisAdapt Instance`:
    - nevisAuth reference
    - JWE key config
  - Removed settings from `nevisAdapt Authentication Connector`:
    - nevisProxy reference
    - `Distrust Token Behavior`
    - `Feedback Token Lifetime`
7.2311.0
Application Protection
- PAT-421: Improved the `Maintenance Page` pattern:
  - The status code is now `503` by default. We recommend `503` as this status code is intended for “service unavailable”. You can opt out of this change by selecting `200`.
  - The `Base Path` where the maintenance page is hosted can now be configured. As the path is not exposed with a `servlet-mapping`, this has no user impact, but it may be required to change the path in case of clashes with other hosted resources.
Identity Management
- PAT-309: The `nevisIDM User Update` step now supports overwriting user attributes and properties.
  - Overwrite is allowed by default. You can opt out by setting `Allow Overwrite` to `disabled` in the `Advanced Settings` tab.
SAML / OAuth / OpenID Connect
- PAT-357: Refactored the `Signature Validation` in `SAML IDP Connector` and `Signed Element` in `SAML SP Connector` to provide more options. Adapt your configuration as required.
  - Removed the `both` option in `SAML SP Connector`.
  - Replaced the `both` option with `recommended` in `SAML IDP Connector`.
7.2402.0
Authentication
- PAT-364: Updated the generation of the `RenewIdentification` init-param for the `IdentityCreationFilter` to its new Boolean type.
- PAT-654: The default maximum session lifetime has been reduced to 8 hours. This was done to align the realm pattern with the defaults of nevisAuth. The original value of 12 hours had the benefit that end users logging into an office account only had to log in once during a business day, with the drawback of generating more and longer-lasting sessions overall. If you want to go back to the “once a day login”, set the maximum session lifetime back to 12 hours in your realm patterns.