Standard Patterns migration from LTS21 to LTS24

If you have not done so already, upgrade all components to their latest LTS21 version available.

Then you can switch to the latest LTS24 version. Note that you cannot use the LTS24 patterns with LTS21 nevisAdmin. You have to upgrade nevisAdmin first. Read the release notes of all in-between pattern releases.

You can prepare the pattern configuration beforehand, but in case of classic deployments, before you deploy, you have to upgrade the target hosts first. For Kubernetes deployments, you have to ensure that the operator is upgraded and the images are pushed to the container registry.

Breaking Changes

Here is a list of changes that we consider breaking and may require pattern configuration changes.

4.14.0

General

• NEVISADMV4-7765: The available options for Log Targets in Log Settings patterns are changed.
  • The option file is now called default because in Kubernetes deployments the log is always written to the pod log.
  • The option file + syslog is now called default + syslog for the same reason.
  • If you selected one of the options above you get an error. Select default instead.
• NEVISADMV4-7840: Generic Instance Settings for Java-based components now support setting all formats of Java properties. If you use a variable for Java Opts check that the configuration is generated as expected.

Application protection

• NEVISADMV4-7812: When an Error Handler pattern with a sub-paths parameter is added to a Virtual Host, the default error handler of the Virtual Host is now applied to the sub-paths not covered by the attached Error Handler pattern. Previously, the default error handler was disabled as soon as an Error Handler pattern was attached to the Virtual Host. If you want to keep the previous behavior, attach an additional Error Handler pattern with Mode set to disabled to the Virtual Host.

Authentication

• NEVISADMV4-7920: The default value of Client Authentication was changed to enabled for nevisAuth Instance.
  • The Frontend Trust Store now has to contain the CA certificate which issued the cert of the Client Key Store of associated realm patterns.
• NEVISADMV4-7910: When Translation Mode is set to combined (default) for nevisLogrend and nevisAuth, the uploaded files have to be called labels\_<code>.properties. Rename the uploaded files if required.

Identity management

• NEVISIDM-7694: Encryption settings are now exposed in nevisIDM Instance.
  • From now on the Encryption Key has to be set.
  • The database should be checked for encrypted content to determine if Encryption Fallback has to be enabled.
    • encrypted properties: select \* from tidma\_property where encrypted \= 1;
    • unused URL tickets: select \* from tidma\_credential where CREDENTIAL\_TYPE\_ID = 14 and STATE\_ID = 2;
• NEVISADMV4-5588: The setting Enabled SOAP WebService Versions in nevisIDM Instance is removed.
  • This setting was not working in recent releases.
  • Use Generic nevisIDM Instance Settings to set the property webservice.versions instead.

4.15.0

General

• NEVISADMV4-8076: The fields used for Log Levels in Log Settings patterns are aligned. In case you have to adapt your pattern configuration, a message is shown to guide you through the process.

Application protection

• NEVISPROXY-6145: We improved the nevisProxy patterns to only generate one servlet per web.xml for storing sessions. In addition, the session store servlets now have fixed names: MySQLSessionStoreServlet, LocalSessionStoreServlet, MultiLevelSessionStoreServlet. If you are using Generic Virtual Host Settings or Generic Application Settings to patch these servlets you have to adapt the pattern configuration.

Authentication

• NEVISPROXY-6089: The internal property providing the Required Roles of the Authorization Policy pattern is renamed. If you see a text box called Unknown property: roles in your Authorization Policy pattern, configure the reported roles or the reported variable in the Required Roles setting. Write one value per line if you set roles directly.
• NEVISPROXY-6089: SecurityRolesFilter generated to enforce mandatory role requirements are now called Authorization_Required_Roles_<roles>_<realm> instead of Authorization_<roles>_<realms>.
• NEVISPROXY-6089: When combining several Authorization Policy patterns for an application, by default the pattern with the most specific mapping overrides the settings of the more general patterns, including the empty values. Empty values were previously ignored. As a consequence, if one of the Required Roles, Forbidden Roles or Authentication Level settings is defined in the most general pattern, but is empty in the most specific one, by default no rule will be enforced for this setting on paths where the specific pattern is mapped.

Identity management

• NEVISIDM-7872: The nevisIDM Administration GUI pattern enables REST API access by default. As this may conflict with the nevisIDM REST Service pattern, it is mandatory to either manually disable it, or remove the conflicting pattern.

4.16.0

General

• NEVISADMV4-8429: The SameSite flag is now set to None by default for nevisProxy session cookies.

Application protection

• NEVISPROXY-6256: The Hosting Service pattern is adapted. The underlying DefaultServlet is replaced by a FileReaderServlet to allow future improvements. This change may affect you if you customised your HostingService with a Generic nevisProxy Settings pattern.

Authentication

• We renamed several Gui descriptors. If you are using the Gui names in your Login Template, you have to adapt your .vm and .js files.
• NEVISADMV4-8369: In the credentials selection dialog of the nevisIDM Second Factor Selection pattern, we renamed the label method.tan.label to method.mtan.label.

4.16.1

SAML / OAuth / OpenID Connect

• PAT-30: Removed Custom Pre-Processing hook in OAuth 2.0 Authorization Server / OpenID Provider pattern.

4.16.2

General

• PAT-90: We added a new setting Regex Filter to Log Settings patterns of Log4J2-based components.
  • If configured, messages matching the regular expression are not logged.
  • By default, the following is not generated for nevisLogrend anymore: .*GET /nevislogrend/health.*

4.16.3

SAML / OAuth / OpenID Connect

• PAT-109: The SAML IDP does not dispatch according to the last used SP anymore.

4.17.0

General

• PAT-75: Added a new widget for map-like settings.
  • Existing configuration have to be migrated. Warning issues will be generated for patterns that require attention.
  • The widget will guide you through the migration steps when you visit the pattern. By saving the pattern you complete the migration.
  • In some places several separators where allowed (->,:,=) in previous releases. The old widget used the same parsing order for all lines and thus some separators had to be used the “wrong way round”. Often, the order of the -> was wrong. The new widget will fix this problem. The widget will import existing data using a proper, “natural” reading order (value -> key, key = value, key : value). This can lead to invalid configuration in some cases. Double-check carefully how the migration has interpreted your existing configuration as you may have to switch left and right side in some cases.

Application Protection

• PAT-36: Added new setting Remote Session Store in the Virtual Host pattern. Use this new setting instead of Additional Resources.

Identity Management

• PAT-52: Migrated nevisIDM Authorizations pattern to be file based to avoid size restrictions.

SAML / OAuth / OpenID Connect

• PAT-57: Changed default paths in OAuth 2.0 Authorization Server / OpenID Connect Provider.
  • Changed default paths to exact:/oauth/<name>. See the help section for details.
  • Changed /auth endpoint to /authorization based on RFC examples.
• PAT-73: Refactor Social Login patterns to avoid security issues when the user is not linked.
  • You have to upgrade your flows. See the pattern help for details.

4.18.0

General

• PAT-138: Removed the setting Compat Level in nevisAuth Instance.
• PAT-138: Removed settings which used a text box when there is a corresponding file upload.
• PAT-118: Added new Database patterns for all Nevis components which use a database.
  • You can now use the same pattern for classic (VM) and Kubernetes deployments.
  • The drop-down Session Management in Advanced Settings can be set to disabled to opt out of automatic DB schema setup and migration.
  • The existing database patterns have been removed. Adapt your pattern configuration by using the new patterns.
  • The technical property name for assigning the Database pattern has been adapted in:
    • nevisAuth Instance
    • nevisAdapt Instance
    • nevisFIDO UAF Instance
    • nevisDetect Persistency Instance

Authentication

• PAT-165: Adapted the generation of key stores and trust stores for outgoing TLS connection in nevisAuth.
  • nevisAuth now supports using separate key material for all these connections and can fall back to the system trust store in the JDK.
  • The SwissPhone Connection pattern has been adapted accordingly.
  • If you are using Generic Authentication Step or Groovy Script Step, and you have outgoing TLS connections then you may have to adapt your configuration.
    • Details can be found in the nevisAuth release notes.
    • If a suspicious property name is generated, the patterns will produce a warning issue.
      • If this check produces a false positive it is safe to ignore.
      • The check has been implemented to help with the migration and will be removed in a future release.
• PAT-192: The recommended option in the Synchronize Sessions drop-down in the nevisAuth Database pattern now behaves like the option always in both classic and Kubernetes deployment.
  • In previous releases (previous database patterns) the behavior of recommended was:
    • always in Kubernetes deployment
    • after-successful-authentication in classic deployments
  • This change can increase the number of sessions stored in the remote session store.
  • The benefit is that now the authentication can continue on another line, in case nevisProxy decides to send the user to a different line.
  • You can opt out of this change by selecting the option after-successful-authentication.

Mobile Authentication

• PAT-157: The JavaScript used by Out-of-band Mobile Authentication has been rewritten from scratch. If you use a custom login template, adapt the template accordingly.
• PAT-198: Improved the Mobile Device Deregistration pattern.
  • The technical property name used for Authentication Realm has changed. Assign your In-band Mobile Authentication Realm to the new setting instead.
  • Rewritten the help text to make clear which APIs are exposed.
• PAT-196: The Out-of-band Device Management App has been simplified.
  • This pattern is provided for demo purposes only. If you want to do mobile device management in production you should implement your own application.
  • The pattern help has been improved. It is now documented which API the example application makes and how the required endpoints may be provided.
  • The FIDO Settings and Userinfo Settings tabs have been removed.
  • The pattern does not automatically expose the required APIs anymore. Instead, you now have to configure additional patterns as described in the help.

4.18.3

FIDO2 / Passwordless

• IDC-2999: The FIDO2 Onboarding pattern now renders a welcome screen.

4.19.0

Application Protection

• PAT-230: Removed the deprecated Navajo SSL Cache setting from the Virtual Host pattern.
• PAT-365: nevisProxy upgraded to OpenSSL 3.0, which has a more strict default for security level than OpenSSL version 1.1.1. The default security level 1 now forbids signatures using SHA1 and MD5. As a consequence, the following issues may occur:
  1. Connections using TLSv1.1 will fail with the following message in the navajo.log:

     3-ERROR : OpenSSL-failure: 00777CC0137F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2255:0x0a [OSSL-0005]
     We recommend upgrading your configuration to use TLSv1.2 or TLSv1.3. If it is not possible, you can add the suffix :@SECLEVEL=0 to your TLSv1.1 cipher suites to allow their signature algorithms.
  2. Connections using a certificate with a deprecated signature algorithm will fail with the following message in the navajo.log:

     3-ERROR :  [...] error:0A00018E:SSL routines::ca md too weak (must be pem encoded)) [NVCT-0054]
     We recommend renewing your certificates with a stronger signature algorithm. Meanwhile, you can add the suffix :@SECLEVEL=0 to the cipher suites of the affected filter or servlet. If the issue occurs at several places, or if it affects your EsAuth4ConnectorServlets, you can also modify the default cipher suites to include this suffix. Proceed as follows:
     • Add a Generic nevisProxy Instance Settings pattern to you configuration.
     • Add a bc.property for each cipher suite you want to modify. The keys are:
       • ch.nevis.isiweb4.servlet.connector.http.SSLCipherSuites for the HttpsConnectorServlets
       • ch.nevis.isiweb4.servlet.connector.websocket.SSLCipherSuites for the WebSocketServlets
       • ch.nevis.isiweb4.servlet.connector.soap.esauth4.Transport.SSLCipherSuites for the EsAuth4ConnectorServlets
       • ch.nevis.nevisproxy.servlet.connector.http.BackendConnectorServlet.Secure.CipherSuites for the BackendConnectorServlets
       • ch.nevis.isiweb4.filter.icap.ICAPFilter.SSLCipherSuites for the ICAPFilters
     • The modified default values should be ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:@SECLEVEL=0
     • Attach this pattern to your nevisProxy Instance, under Advanced Settings > Additional Settings.

SAML / OAuth / OpenID Connect

• PAT-183: The REST endpoint configuration for OAuth 2.0 / OpenID Connect has been moved to a separate pattern for each endpoint. You have to adapt your configuration and use the new patterns.
• PAT-306: Allow disabling IDP-initiated authentication in SAML IDP pattern.
  • IDP-initiated authentication is disabled by default. You can opt out of this change by enabling it again.

Mobile Authentication

• PAT-255: The following deprecated patterns have been removed with this release:
  • Mobile Authentication with Custom URI Link
    • custom URI links have to be configured in the nevisFIDO UAF Instance pattern instead.
  • Mobile Authentication with Deep Link
    • deep links have to be configured in the nevisFIDO UAF Instance pattern instead.
  • Mobile Device Registration
    • use In-band Mobile Registration Service and/or Out-of-band Mobile Registration Service patterns to expose the APIs required by your client.

Authentication Cloud

• PAT-298: Removed Authentication Cloud pattern.
  • Use the new Authentication Cloud Login and Authentication Cloud Onboarding patterns instead.

4.20.0

General

• PAT-369: Refactored automatic key management for classic deployments.
  • The master for all key material is now generated during project generation and deployed to target hosts as .pem files.
  • Only .jks and .p12 files are still assembled on the target hosts by running script during deployment.
  • The overall solution is now much simpler and more reliable.
  • However, if automatic key management was used with an earlier release, you have to perform some manual clean up operations:
    1. remove /var/opt/keys folder on target hosts
    2. run the following SQL commands in the nevisadmin4 database:

       delete from pki_store_content;
       delete from pki_store;
       commit;

Authentication

• PAT-390: Changes to logrend.properties.
  • Fixed usage of expressions in logrend.properties configuration.
  • Removed the file-based configuration. Use the key-value based configuration instead.

User behavior analytics

• NEVISDETECT-1704: Refactored configuration of feedback configuration:
  • Added setting nevisAdapt Feedback Configuration to Advanced Settings of nevisAdapt Instance.
  • Added new pattern nevisAdapt Feedback Configuration to keep all related configurations.
  • Removed settings from nevisAdapt Instance:
    • nevisAuth reference
    • JWE key config
  • Removed settings from nevisAdapt Authentication Connector:
    • nevisProxy reference
    • Distrust Token Behavior
    • Feedback Token Lifetime

7.2311.0

Application Protection

• PAT-421: Improved the Maintenance Page pattern:
  • The status code is now 503 by default. We recommend 503 as this status code is intended for service unavailable. You can opt out of this change by selecting 200.
  • The Base Path where the maintenance page is hosted can now be configured. As the path is not exposed with a servlet-mapping, this has no user impact, but it may be required to change the path in case of clashes with other hosted resources.

Identity Management

• PAT-309: The nevisIDM User Update step now supports overwriting user attributes and properties.
  • Overwrite is allowed by default. You can opt out by setting Allow Overwrite to disabled in the Advanced Settings tab.

SAML / OAuth / OpenID Connect

• PAT-357: Refactored the Signature Validation in SAML IDP Connector and Signed Element in SAML SP Connector to provide more options. Adapt your configuration as required.
  • Removed both option in SAML SP Connector
  • Replaced both option with recommended in SAML IDP Connector

7.2402.0

Authentication

• PAT-364: Updated the generation of the RenewIdentification init-param for the IdentityCreationFilter to its new Boolean type.

Authentication

• PAT-654: The default maximum session lifetime has been reduced to 8 hours. This was done to align the realm pattern with the defaults of nevisAuth. The original value of 12 hours has the benefit that sessions for end-users logging into an office account only have to log in once during a business day with the drawback of generating more, longer lasting sessions overall. If you want to go back to the “once a day login”, simply set the maximum session lifetime back to 12 hours in your realm patterns.