Version: 8.2411.x.x RR

Release notes

Important Information for nevisAdmin 3 Users

nevisAdmin 4 is the completely overhauled configuration and deployment solution for the Nevis Identity Suite.

nevisAdmin 3 configurations cannot be automatically migrated to nevisAdmin 4. Contact your integration partner if you need assistance migrating from nevisAdmin 3 to nevisAdmin 4.

If you are looking for updates to nevisAdmin 3, check the nevisAdmin 3 documentation.

nevisAdmin 8.2411.0 Release Notes - 2024-11-20

Release information

  • RPM: nevisadmin4-8.2411.0.17-1.noarch.rpm
  • GUI Version: FE 8.2411.0-1459 - BE 8.2411.0.17

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

  • CHANGED: The nevisadmin-plugin-nevisadapt has been separated from the nevisadmin-plugin-nevisdetect. The nevisAdapt Patterns, which were previously part of the nevisDetect plugin, have now been moved to the new nevisAdapt plugin. (NEVISADMV4-10229)

Main improvement

  • NEW: It is now possible to delete plugin libraries on the Resources / Pattern Libraries page. (NEVISADMV4-9761)
  • NEW: You can now add a git tag to the commit that is created when publishing a project, both on the GUI in the publishing dialog, and also using the REST API. (PRODROAD-597)
  • NEW: Project variables can now have default values. Unlike the existing sample values, a default value that is not overridden in the inventory does not cause an error during deployment; the default value of the project variable is used directly instead. (NEVISADMV4-10185)
  • NEW: We've introduced a feature that automatically migrates the project when the nevisadmin-plugin-base-generation version is upgraded. It attempts to handle breaking changes by updating most project data automatically, reducing the need for manual adjustments; some cases cannot be handled automatically, and manual intervention may still be required. (NEVISADMV4-10104)

Notable changes and bug fixes

  • NEW: Deployments can now be performed using the legacy checkout method by setting the configuration property nevisadmin.git.shallow-checkout to false. (NEVISADMV4-10252)
  • NEW: We added two new properties, nevisadmin.pki.root-certificate-validity and nevisadmin.pki.end-certificate-validity, to configure certificate validity for automatic key management in classic deployments. (NEVISADMV4-10268)
  • IMPROVED: When publishing a project containing attachment properties where the attached files were changed, the changes can be reviewed in the publish dialog with a new diff view. (NEVISADMV4-10067)
  • IMPROVED: The inventory editor has received a number of improvements (NEVISADMV4-10074):
    • Errors that are not related to a specific line are shown on the first line.
    • Folding controls are now always shown, not only when the gutter (i.e. the line numbers) is hovered.
    • When the inventory yaml has issues, an inline peek view pops up showing the details. This can also be triggered from the new menu left to the inventory resource actions, which also has controls to fold/unfold all regions of the yaml file.
    • Tooltips in the editor are no longer clipped if they extend beyond the editor.
  • IMPROVED: When editing a pattern attachment file, now you can toggle the editor to Fullscreen mode. (NEVISADMV4-10071)
  • IMPROVED: Pattern fields of type key-value can now be sorted alphabetically. This helps in finding them when there are many of them, and also, in reviewing the diff during publishing. (NEVISADMV4-10084)
  • IMPROVED: If an attachment is renamed in a way that the only difference from the original name is in letter casing, it may cause errors. The errors now include explanations and workarounds for resolving these issues. (NEVISADMV4-10102)
  • IMPROVED: Addressed some performance issues that happened when there were a lot of plugin libraries uploaded. (NEVISADMV4-10073)
  • CHANGED: The REST endpoints at /api/v1/jobs now include the creationTime field in their returned data. (NEVISADMV4-10011)
  • FIXED: The variables screen now also considers ${var.<name>} references when listing the usages of variables. (NEVISADMV4-10024)
  • FIXED: Renaming a variable now also updates all references to it that use the ${var.<name>} format. (NEVISADMV4-10085)
  • FIXED: When using the main pattern list in grouped by labels mode, the expanded state of the groups was not restored when navigating away and coming back. They are now correctly saved and restored when needed. (NEVISADMV4-10072)
  • FIXED: In some rare cases, newly created tenant scoped secrets were not available in the inventory editor to be inserted, until another inventory was opened first. They are now available immediately. (NEVISADMV4-9969)
  • FIXED: We fixed a GUI issue, which caused the project validation spinner to sometimes stay spinning even after the project validation has finished, especially if there were new edits before the previous validation has finished. (NEVISADMV4-8559)
  • FIXED: We fixed a GUI issue which allowed both the Delete and the Connect to Git actions for projects and inventories to be available, even when the user did not have permission to modify the selected project or inventory, which led to a permission error. These buttons are now disabled if the user does not have the required permission. (NEVISADMV4-8854)
  • FIXED: We fixed a GUI issue in the inventory editor, where inserting a secret in the middle of a line replaced the rest of the line instead of inserting the secret at the caret's location. Highlighting secrets in the editor is also fixed. (NEVISADMV4-8441)
  • FIXED: The default values for cors.allowed.methods, cors.allowed.headers, and cors.max.age now align with what is stated in the documentation. (NEVISADMV-10128)
  • FIXED: We fixed a GUI issue which caused project variables to be imported with an invalid value. (NEVISADMV4-9090)
  • FIXED: We fixed a GUI issue in the pattern editor, which caused the navigation to be canceled when clicking through a pattern reference link while having unsaved changes. (NEVISADMV4-10308)

Dependency upgrades

  • shiro 2.0.1 (NEVISADMV4-9164)
  • org.eclipse.jgit 6.10.0.202406032230-r (NEVISADMV4-10027)
  • jsch 0.2.20 (NEVISADMV4-10273)
  • jackson 2.18.0 (NEVISADMV4-10273)
  • jetty-rewrite 12.0.14 (NEVISADMV4-10273)
  • groovy 4.0.23 (NEVISADMV4-10273)
  • snakeyaml 2.3 (NEVISADMV4-10273)
  • aspectjweaver 1.9.22.1 (NEVISADMV4-10027)
  • jakarta-annotation-api 3.0.0 (NEVISADMV4-10027)
  • slf4j-api 2.0.16 (NEVISADMV4-10027)
  • logback-classic 1.5.9 (NEVISADMV4-10273)
  • guava 33.3.1-jre (NEVISADMV4-10273)
  • opensaml 4.3.2 (NEVISADMV4-10027)
  • spring-boot 3.3.5 (NEVISADMV4-10307)
  • spring-dependency-management-plugin 1.1.6 (NEVISADMV4-10027)
  • springdoc-openapi-starter-webmvc-ui 2.6.0 (NEVISADMV4-10027)
  • mustache 0.9.14 (NEVISADMV4-10027)
  • mariadb-java-client 3.4.1 (NEVISADMV4-10027)
  • postgresql 42.7.4 (NEVISADMV4-10027)
  • nimbus-jose-jwt 9.41.2 (NEVISADMV4-10273)
  • bcprov-jdk18on 1.78.1 (NEVISADMV4-10027)
  • bcpkix-jdk18on 1.78.1 (NEVISADMV4-10027)
  • bcpg-jdk18on 1.78.1 (NEVISADMV4-10027)
  • bcutil-jdk18on 1.78.1 (NEVISADMV4-10027)
  • kubernetes-java-client 21.0.1 (NEVISADMV4-10027)

Patterns 8.2411.0 Release Notes - 2024-11-20

Release information

  • Build Version: 8.2411.0.15

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASE / 2024 November.

Enter the version in the Search field: 8.2411.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

  • PAT-762: Fixed a bug in Generic Deployment which caused unknown files in nested sub-folders to be deleted, even when Path: Delete Unknown Files is set to disabled.
  • NEVISADMV4-9763: Added new logger ProductAnalytics to Nevis components.
    • The logger is enabled by default; it can be disabled by setting the log level to WARN or ERROR.

Application Protection

  • ⚠️ PAT-750 / PAT-754: Refactored the nevisProxy Observability Settings pattern:
    • Renamed the Trace Resource Service Name parameter and moved it to the Basic Settings tab.
      • This setting now controls the service.name key-value pair resource attribute for both Metrics Mode and Trace Mode.
    • Removed the experimental label from the pattern.
    • New settings: Sampler, Deployment Environment, Capture Request Headers, Capture Response Headers
  • ⚠️ PAT-751: Added CRS version 4.7.0 to the OWASP ModSecurity CRS Version setting in the Virtual Host pattern.
    • The oldest, unsupported CRS version 3.0.2 was removed.
  • PAT-734: Added Default File setting to the Hosting Service pattern.
  • PAT-678: Added a default template for Proxy Login Renderer.
  • ⚠️ PAT-650: Added the setting SOAP Schema Validation Mode to the SOAP Service pattern.
    • The default mode is content-type, where the SOAP service only analyses requests with Content-Type application/soap+xml.
    • Select enabled to analyse all requests with a body.
    • Select strict to analyse all requests, which was the previous behaviour.
  • PAT-688: We fixed an unexpected error when using a variable for the Public Key of the JWT Access Restriction pattern.
  • ⚠️ PAT-755: We improved the Maintenance Page pattern:
    • The Update Interval is now configurable.
    • The pattern now includes its sanitized name in the names of the generated MaintenanceFilter and DefaultServlet.
      • This prevents naming collisions and allows linking multiple Maintenance Page patterns to a single Virtual Host or Application.
      • Check your configuration if you use Generic Application Settings or Generic Virtual Host Settings to customize your MaintenanceFilter or the related DefaultServlet.
  • PAT-759: The SOAP Service pattern can now be attached to several Virtual Host patterns even when SOAP Schema Validation files are configured.
  • NEVISPROXY-7253: The HTTP Error Handling pattern now also replaces placeholders in JSON error pages.
    • This also applies to the default ErrorFilter that is generated by the Virtual Host.

Authentication

  • PAT-756: Set -Dotel.instrumentation.metro.enabled=false for nevisAuth.
    • OpenTelemetry does not support tracing of these SOAP calls.
  • ⚠️ PAT-710: Apply Custom Attributes to RemoteOutOfContextDataStore as well.
    • If you have attributes that should only be applied to the RemoteSessionStore use the prefix session: in the attribute name.
  • PAT-707: Support configuration of number of worker threads for nevisAuth.
  • PAT-693: Updated JWT Token pattern to be compatible with latest nevisAuth release.

Identity Management

  • PAT-507: Support upload of additional resources for nevisDataPorter Instance.
  • PAT-704: NevisIDM Second Factor pattern now validates if the found credentials are active and during their validity period.
  • PAT-722: The nevisIDM Authorizations pattern now adds default values to Roles where no setting is defined in the pattern.
  • PAT-722: The nevisIDM Authorizations pattern now accepts MultiClient authorization as well.
  • PAT-726: Password validation now displays errors correctly when using the Self-Registration flow in the Simple Sign-in / Sign On Template.
  • PAT-743: Added SYSLOG formatting option for nevisIDM's batch log.
  • PAT-745: Created pattern for nevisIDM Create Credential AuthState.
  • PAT-763: Path of password reset in nevisIDM Password Login automatically added to the Allowed Application paths.
  • PAT-770: nevisIDM Authorizations pattern now handles fine-grained authorizations for UserModify and UserSearch authorization.

SAML / OAuth / OpenID Connect

  • PAT-753: New setting Remove Empty Claim(s) In Token in OAuth 2.0 Authorization Server / OpenID Provider.
  • PAT-701: Updated the translation text for the OAuth2 / OpenID Connect consent screen.
  • PAT-744: Fixed invalid generation of nevisIDM HttpClient in Social Login patterns.
  • PAT-742: The IDP URL in the SAML IDP Connector now supports EL expressions.
  • PAT-716: Fixes in SAML patterns to support logout message via SOAP.

FIDO2 Passwordless

  • PAT-729: Support Authenticator allow-listing in nevisFIDO FIDO2 Instance.

Mobile Authentication

  • PAT-541: Configuration of fido-uaf.timeout.device-request.
  • PAT-730: Support for Android Key Attestation (FIDO UAF Full Basic Attestation).
  • PAT-735: Updated default metadata file to support both RSA and new EC algorithms for Android UAF authenticators.
  • PAT-748: Support REST-only usage of nevisIDM in nevisFIDO.
  • PAT-694: Add new wildcard facetID entries to replace the old specific values.
  • PAT-618: New pattern nevisFIDO UAF Device Service.
  • PAT-739: Support assignment of nevisFIDO UAF Connector in Out-of-band Mobile Onboarding pattern.
  • NEVISAUTH-4768: The mobile authentication JavaScripts now only schedule a single polling request at a time, preventing “parallel polling” in the same session.

User Behavior Analytics

  • ⚠️ NEVISDETECT-1874: nevisAdapt patterns were moved to a new nevisAdmin4 plugin: nevisadmin-plugin-nevisadapt.
    • The package name of all related patterns changed, so it is important to run the automatic migrations script to avoid errors.
    • Make sure that the new package is enabled when setting up a project with nevisAdapt.
  • ⚠️ NEVISDETECT-1954: The observation timeframe in the nevisAdapt Instance pattern was moved to its own pattern, along with other cleanup-related timeframes, which can be linked into nevisAdapt Instance.
    • The automatic migration script takes care of this change if any specific value was set in the original project.

Patterns 8.2405.3 Release Notes - 2024-10-17

Release information

  • Build Version: 8.2405.3.0

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASE / 2024 May.

Enter the version in the Search field: 8.2405.3.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

Identity Management

  • ⚠️ PAT-749: Modified the nevisIDM Password Login pattern to verify whether the URL from which the login page is opened in the Password Reset use case is startable. The new functionality can be fine-tuned using the Redirection Path Validation Mode, Application Path Fallback, and Custom Redirection Path Validation Regexes properties in the Password Reset tab of the pattern. If newline or carriage return characters can appear in your protected URL paths, fine-tuning of the settings may be required, as the new default settings block them.

Patterns 8.2405.2 Release Notes - 2024-08-30

Release information

  • Build Version: 8.2405.2.0

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASE / 2024 May.

Enter the version in the Search field: 8.2405.2.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

Identity Management

  • PAT-722: The nevisIDM Authorizations pattern now adds default values to Roles where no setting is defined in the pattern.
  • PAT-722: The nevisIDM Authorizations pattern now accepts MultiClient authorization as well.
  • PAT-726: The nevisIDM Password Create pattern now correctly checks passwords.

Patterns 8.2405.1 Release Notes - 2024-07-25

Release information

  • Build Version: 8.2405.1.x

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASE / 2024 May.

Enter the version in the Search field: 8.2405.1.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

  • PAT-706: Replace nested ${var expressions in patterns that support referencing inventory variables.

Application Protection

  • PAT-688: Fixed an unexpected error when using a variable for the Public Key of the JWT Access Restriction pattern.

Authentication

  • PAT-710: Apply Custom Attributes to RemoteOutOfContextDataStore as well.
    • ⚠️ If you have attributes that should only be applied to the RemoteSessionStore use the prefix session: in the attribute name.

Identity Management

  • PAT-507: Upload of additional resources for nevisDataPorter Instance.

SAML / OAuth / OpenID Connect

  • PAT-716: Adapted the Groovy script used by SAML patterns to extract SOAP single logout messages.

nevisAdmin 8.2405.1 Release Notes - 2024-06-26

Release information

  • RPM: nevisadmin4-8.2405.1.0-1.noarch.rpm
  • GUI Version: FE 8.2405.0-1300 - BE 8.2405.1.0

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • FIXED: CORS preflight requests are no longer rejected. (NEVISADMV4-10021)

nevisAdmin 8.2405.0 Release Notes - 2024-05-15

Release information

  • RPM: nevisadmin4-8.2405.0.7-1.noarch.rpm
  • GUI Version: FE 8.2405.0-1300 - BE 8.2405.0.7

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

  • CHANGED: Due to the shallow checkout feature, Kubernetes deployments no longer work with uninitialized repositories. (NEVISADMV4-10018)

Main improvement

  • NEW: Inventory scoped secrets, secret files, and files can now be converted into global scoped secrets, secret files, and files respectively, on the Secrets & Files screen. (NEVISADMV4-9746)
  • NEW: nevisAdmin 4 now collects anonymized analytics data. This helps us understand better how nevisAdmin 4 is used. (PRODROAD-402)
    note

    nevisAdmin 4 only collects data, it does not send it to us without explicit user interaction. For more information, see product-analytics.

Notable changes and bug fixes

  • IMPROVED: Issues with INFO severity are now logged at DEBUG log level instead of INFO log level, for better log readability. This change only affects issues (mostly the ones created during the validation of configurations), not all log messages. (NEVISADMV4-9878)
  • IMPROVED: The deployment process now creates a shallow clone of the deployment repository. (NEVISADMV4-9293)
  • IMPROVED: In the Inventory Editor, validation errors that can be traced to specific lines are now displayed inline in the editor instead of only in the page header. (NEVISADMV4-9481)
  • IMPROVED: The log viewer dialog (for pods' or nevisAdmin 4's logs) now lets you turn on line wrapping. The preference is sticky across logs. (NEVISADMV4-9890)
  • FIXED: Using REST requests, it used to be possible to deploy projects with inventories that are not in the same tenant as the project. Such requests are now rejected. (NEVISADMV4-9556)
  • FIXED: We fixed a GUI issue in the pattern editor where an error was thrown when a variable was assigned to a multi-select type of pattern field. (NEVISADMV4-8774)
  • FIXED: The file tree in the Generation Results in the Deployment Wizard no longer throws errors or becomes unresponsive when the tree has a lot of items. Moving the divider between the file tree and the file content previewer also became easier. (NEVISADMV4-9519)
  • FIXED: The authentication flow tree (in the right sidebar of the pattern editor) mixed up multiple occurrences of the same pattern when navigating using the links in the tree. Now those links correctly select the expected pattern in the tree. (NEVISADMV4-9778)

Dependency upgrades

  • org.eclipse.jgit 6.9.0.202403050737-r (NEVISADMV4-9293)
  • jsch 0.2.17 (NEVISADMV4-9812)
  • jackson 2.17.0 (NEVISADMV4-9922)
  • jetty-rewrite 12.0.8 (NEVISADMV4-9922)
  • groovy 4.0.20 (NEVISADMV4-9922)
  • aspectjweaver 1.9.22 (NEVISADMV4-9922)
  • jakarta-activation-api 2.1.3 (NEVISADMV4-9922)
  • jakarta-xml-bind-api 4.0.2 (NEVISADMV4-9922)
  • jaxb-runtime 4.0.5 (NEVISADMV4-9922)
  • slf4j-api 2.0.12 (NEVISADMV4-9812)
  • logback-classic 1.5.3 (NEVISADMV4-9922)
  • guava 33.1.0-jre (NEVISADMV4-9922)
  • commonmark 0.22.0 (NEVISADMV4-9922)
  • opensaml 4.3.1 (NEVISADMV4-9922)
  • spring-boot 3.2.5 (NEVISADMV4-9942)
  • springdoc-openapi-starter-webmvc-ui 2.5.0 (NEVISADMV4-9922)
  • mariadb-java-client 3.3.3 (NEVISADMV4-9812)
  • postgresql 42.7.3 (NEVISADMV4-9922)
  • nimbus-jose-jwt 9.37.3 (NEVISADMV4-9812)
  • bcprov-jdk18on 1.78 (NEVISADMV4-9922)
  • bcpkix-jdk18on 1.78 (NEVISADMV4-9922)
  • bcpg-jdk18on 1.78 (NEVISADMV4-9922)
  • bcutil-jdk18on 1.78 (NEVISADMV4-9922)
  • kubernetes-java-client 20.0.1 (NEVISADMV4-9922)
  • micrometer 1.12.4 (NEVISADMV4-9922)

Patterns 8.2405.0 Release Notes - 2024-05-15

Release information

  • Build Version: 8.2405.0.6

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2024 May.

Enter the version in the Search field: 8.2405.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

  • ⚠️ The image version encoded in the patterns has been raised to 8.2405.0 for all components. If you are deploying to Kubernetes you have to push all required images to your container registry before deployment.
  • PAT-639: Added Deployment Environment drop-down to Java Observability Settings pattern.
  • PAT-657: Ensure errors caused by uploaded XML files are shown in the pattern where the file is uploaded.
  • PAT-675: Fixed duplicate Java agent configuration in env.conf when using Java Observability Settings pattern.
  • PAT-667: Support generation of otel configuration based on inventory variables.
  • ⚠️ PAT-660: Support 2-way TLS with PostgreSQL for Java components.
    • The value enabled does not exist anymore, and you have to select a different value. We recommend to use verify-ca or verify-full in combination with a Trust Store instead.
  • ⚠️ PAT-631: Kubernetes deployments will now use startup probes to allow for longer startup times.
    • Additionally, the used liveness and readiness probe timings were tightened and the liveness and readiness delay configuration options were removed.
    • Make sure to upgrade to the latest version of the nevisOperator and its corresponding CRDs before deploying with the new plugin version.

Application Protection

  • PAT-547: The generated dynamic SecurityRoleFilter won’t store the intercepted requests by default anymore.
  • PAT-651: The StateKey parameter is no longer generated for SecurityRoleFilter.
  • PAT-651: Added option to configure custom parameters for the SecurityRoleFilter in realms.
  • ⚠️ PAT-659: Support 2-way TLS with PostgreSQL for nevisProxy.
    • The value enabled does not exist anymore, and you have to select a different value. We recommend to use verify-ca or verify-full in combination with a Trust Store instead.
  • PAT-658: Updated navajo.xml generation to match the latest navajo DTD version.
  • PAT-674: Fix error during background generation when using a nevisAdmin ${var expression and using only a variable as param-value in a servlet or filter in Generic Virtual Host Settings or Generic Application Settings.

Authentication

  • PAT-673: Support configuration of arbitrary KeyObject elements by allowing the nevisAuth KeyObject pattern to be assigned to nevisAuth Instance.
  • PAT-673: Support configuration of property elements for KeyObject in nevisAuth KeyObject pattern.
  • PAT-669: Support configuration of custom Audit channels for nevisAuth.
  • PAT-657: Support child Mapping for Method in Generic nevisAuth Web Service.
  • PAT-652: New setting Shared Groovy Scripts on nevisAuth Instance.
  • PAT-642: Fix requirement clash when reusing JSON Response Step.
  • N/A: Fixed corrupted binary files being deployed when uploading them to Custom Resources in nevisAuth Instance.

Identity Management

  • PAT-680: For permissions related to credentials (such as CredentialChangeState, CredentialCreate, CredentialDelete, CredentialModify, CredentialPdfView, CredentialSearch, CredentialView, and CredentialViewPlainValue), it is now allowed to reduce the elementary permission to a specific credential type. Example: CredentialCreate.PASSWORD
  • PAT-663: Avoid file clash when creating the same nevisIDM property with different scopes.

Mobile Authentication

  • ⚠️ PAT-668: The following 2 values have been removed from the default facets in nevisFIDO UAF Instance:
    • android:apk-key-hash:z7Xkw62dAn/BsckOQ9a3OMhmlwhzdr2VkcswIIyJgJE
    • ios:bundle-id:ch.nevis.accessapp.presales.k8s
  • PAT-641: Fix HTTP connection to nevisFIDO for Out-of-band Mobile Onboarding.

SAML / OAuth / OpenID Connect

  • PAT-644: Allow to configure no scopes for Generic Social Login Step.
  • PAT-643: Fix error when Schema User Password is missing in classic deployment.
  • ⚠️ PAT-635: The Scope(s) that can be configured in Social Login patterns (Apple, Google, Facebook, Microsoft) have been adapted.
    • If you use any of these patterns check the configuration of your pattern. See help for Scope(s) for details.

User behavior analytics

  • NEVISDETECT-1827: Updated the nevisAdapt Demo app in the template.
  • NEVISDETECT-1831: Added option to disable private IP filtering and configure default country code in that case.
  • NEVISDETECT-1834: Added option to enable Apache Hostname Verifier under nevisAdapt Instance / Advanced Settings.
  • NEVISDETECT-1835: Added option to disable nevisAdapt analyzers, either on module or analyzer level.

Patterns 7.2402.2 Release Notes - 2024-10-17

Release information

  • Build Version: 7.2402.2.3

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2024 February.

Enter the version in the Search field: 7.2402.2.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

Authentication

  • PAT-670: We added the disabled and CUSTOM options to session tracking.
  • PAT-669: We extended the nevisAuth Log Settings pattern to allow configuration of custom audit services.

Identity Management

  • ⚠️ PAT-749: Modified the nevisIDM Password Login pattern to verify whether the URL from which the login page is opened in the Password Reset use case is startable. The new functionality can be fine-tuned using the Redirection Path Validation Mode, Application Path Fallback, and Custom Redirection Path Validation Regexes properties in the Password Reset tab of the pattern. If newline or carriage return characters can appear in your protected URL paths, fine-tuning of the settings may be required, as the new default settings block them.
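As an added illustration of the kind of redirection-path check that PAT-749 describes (listed in both the 8.2405.3 and the 7.2402.2 notes), the following Python function is not the pattern's own code. It accepts only local paths that sit under an allowed application path, rejects carriage return and line feed characters whether raw or percent-encoded, falls back to a configured application path when the candidate is rejected, and optionally requires one of a set of custom regexes to match. The allowed paths, the fallback path, the reason strings and the `Decision` structure are assumptions made for this example; the real pattern is configured through the properties named in the note above.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import unquote, urlsplit

# Constructed example values (placeholders, not taken from the release notes).
ALLOWED_APPLICATION_PATHS = ("/app/", "/intranet/")
FALLBACK_PATH = "/app/"

# CR/LF in any form is rejected outright: inside an HTTP Location header such
# characters would allow response-header injection. The release note states
# that the new default settings block them.
CRLF = re.compile(r"[\r\n]")


@dataclass
class Decision:
    path: str       # the path the login page will redirect to
    accepted: bool  # True if the candidate was used, False if the fallback was
    reason: str     # short machine-readable explanation (constructed values)


def validate_redirect_path(
    candidate: Optional[str],
    allowed_paths: Iterable[str] = ALLOWED_APPLICATION_PATHS,
    fallback: str = FALLBACK_PATH,
    custom_regexes: Iterable[str] = (),
) -> Decision:
    """Decide whether `candidate` may be used as the post-reset redirect.

    Illustrative rules (hypothetical, not the pattern's actual modes):
      1. a missing value falls back
      2. CR or LF, raw or percent-encoded once, falls back
      3. the value must be a local path: a single leading '/', no scheme,
         no protocol-relative '//' and no backslashes
      4. after '..' normalisation the path must sit under an allowed
         application path
      5. if custom regexes are given, at least one must match the whole path
    """
    if not candidate:
        return Decision(fallback, False, "empty")

    decoded = unquote(candidate)
    if CRLF.search(candidate) or CRLF.search(decoded):
        return Decision(fallback, False, "crlf")

    if not decoded.startswith("/") or decoded.startswith("//") or "\\" in decoded:
        return Decision(fallback, False, "not-a-local-path")

    raw_path = urlsplit(decoded).path
    # normpath resolves '/app/../admin' to '/admin' and drops a trailing '/',
    # so the slash is re-added to make the prefix comparison against '/app/' exact
    normalised = posixpath.normpath(raw_path)
    if not normalised.endswith("/"):
        normalised += "/"
    if not any(normalised.startswith(prefix) for prefix in allowed_paths):
        return Decision(fallback, False, "outside-application-paths")

    regexes = [re.compile(pattern) for pattern in custom_regexes]
    if regexes and not any(regex.fullmatch(raw_path) for regex in regexes):
        return Decision(fallback, False, "no-regex-match")

    return Decision(candidate, True, "ok")


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and a few that must fall back.
    for sample in ("/app/reset?token=abc", "https://evil.example/", "//evil.example/",
                   "/app/%0d%0aSet-Cookie:x=1", "/app/../admin/"):
        decision = validate_redirect_path(sample)
        print(f"{sample!r:40} -> {decision.path!r} ({decision.reason})")
```

The check is deliberately applied to the percent-decoded value as well as the raw one, because a validator that only inspects the raw string would accept an encoded CR/LF sequence that the browser later decodes. Whatever the outcome, the function always returns a usable path, mirroring the fallback behaviour the note describes rather than failing the login page.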

Patterns 7.2402.1 Release Notes - 2024-03-08

Release information

  • Build Version: 7.2402.1.3

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2024 February.

Enter the version in the Search field: 7.2402.1.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

  • ⚠️ The 7.2402.1 patch release of Nevis includes new docker images. You have to download these as well. The image version encoded in the pattern has been raised to 7.2402.1 for all components which are part of this release:
    • nevisproxy
    • nevisidm
    • nevismeta
    • nevisfido
    • nevisdp

Authentication

  • N/A: Fixed corrupted binary files being deployed when uploading them to Custom Resources in nevisAuth Instance.
  • PAT-642: Fix requirement clash when reusing JSON Response Step.
  • PAT-652: New advanced setting Shared Groovy Scripts on nevisAuth Instance.
  • ⚠️ PAT-654: The default maximum session lifetime has been reduced to 8 hours. This was done to align the realm pattern with the defaults of nevisAuth. The original value of 12 hours has the benefit that end-users logging into an office account only have to log in once during a business day, with the drawback of generating more, longer-lasting sessions overall. If you want to go back to the "once a day login", simply set the maximum session lifetime back to 12 hours in your realm patterns.
  • PAT-657: Support child element Mapping for Method element in Generic nevisAuth Web Service pattern.
  • PAT-657: Ensure errors caused by uploaded XML files are shown where the XML file is uploaded.

Mobile Authentication

  • PAT-641: Fix HTTP connection to nevisFIDO for Out-of-band Mobile Onboarding.

nevisAdmin 7.2402.0 Release Notes - 2024-02-21

Release information

  • RPM: nevisadmin4-7.2402.0.30-1.noarch.rpm
  • GUI Version: FE 7.2402.0-1163 - BE 7.2402.0.30

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Main improvement

  • NEW: Inactivity timeout can now be set with the jwt.token.inactivity.timeout property. Users who are inactive for the amount of time specified by this property are logged out. (NEVISADMV4-9611)
  • NEW: Product analytic reports can now be downloaded from the top right context menu. (NEVISADMV4-9729)
  • NEW: Local changes to version controlled inventories can now be reverted. (NEVISADMV4-9769)
  • NEW: The search feature is extended to content of inventory yamls, and the description and file names of secrets, inventory secret files, and inventory files. (NEVISADMV4-9697)
  • NEW: Passkey project template (PRODROAD-431)

Notable changes and bug fixes

  • IMPROVED: When viewing logs of Kubernetes pods (also the logs of nevisAdmin4 itself when it is running on Kubernetes), the dialog for that is now bigger, shows up to 100000 lines, and uses the same advanced editor as the inventory editor. This allows for more thorough log inspection without having to download and open them in an external editor. (NEVISADMV4-9187)
  • IMPROVED: When using the recently released Search feature, the search term is now highlighted in the result snippets, making it easier to identify the correct search result. (NEVISADMV4-9648)
  • IMPROVED: Validation messages in multiple places (Pattern Editor, Deployment Wizard) now force-wrap their content if it is long and contains no spaces, making it readable without scrolling, but keep normal wrapping for non-technical messages. (NEVISADMV4-9291)
  • IMPROVED: The pattern category filter buttons above the pattern list are now ordered alphabetically. When there are many of them, it is easier to find the correct one. (NEVISADMV4-9501)
  • IMPROVED: It is now possible to use percentage based autoscaling for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-9792)

Dependency upgrades

  • org.eclipse.jgit 6.8.0.202311291450-r (NEVISADMV4-9675)
  • jsch 0.2.13 (NEVISADMV4-9675)
  • jackson 2.16.0 (NEVISADMV4-9675)
  • jetty-rewrite 11.0.18 (NEVISADMV4-9675)
  • groovy 4.0.16 (NEVISADMV4-9675)
  • jaxb-runtime 4.0.4 (NEVISADMV4-9675)
  • logback-classic 1.4.14 (NEVISADMV4-9675)
  • spring-boot 3.1.6 (NEVISADMV4-9675)
  • spring-dependency-management-plugin 1.1.4 (NEVISADMV4-9675)
  • springdoc-openapi-starter-webmvc-ui 2.3.0 (NEVISADMV4-9675)
  • mariadb-java-client 3.3.1 (NEVISADMV4-9675)
  • postgresql 42.7.1 (NEVISADMV4-9675)
  • shiro 1.13.0 (NEVISADMV4-9675)
  • nimbus-jose-jwt 9.37.2 (NEVISADMV4-9675)
  • bcprov-jdk18on 1.77 (NEVISADMV4-9675)
  • bcpkix-jdk18on 1.77 (NEVISADMV4-9675)
  • bcpg-jdk18on 1.77 (NEVISADMV4-9675)
  • bcutil-jdk18on 1.77 (NEVISADMV4-9675)
  • kubernetes-java-client 19.0.0 (NEVISADMV4-9675)
  • micrometer 1.12.0 (NEVISADMV4-9675)

Patterns 7.2402.0 Release Notes - 2024-02-21

Release information

  • Build Version: 7.2402.0.7

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2024 February.

Enter the version in the Search field: 7.2402.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience.

Review these changes carefully, and adapt your pattern configuration as required.

General

  • PAT-576: Adapted the default log format of all components to include the trace_id and span_id provided by OpenTelemetry. If OpenTelemetry is disabled, the log format will still work but these IDs will be missing.
  • PAT-599: Fixed duplication within JAVA_OPTS when using space as a separator.
  • PAT-607: Support tracing with OpenTelemetry out of the box by loading the agent by default.

Application Protection

  • PAT-492: Added setting Overwrite Status Codes in the Error Handling pattern.
  • PAT-520/PAT-585: Support serving content from subdirectories in Hosting Service pattern.
  • PAT-572: Added Country IP filtering to the Access Restriction nevisProxy pattern.
  • PAT-600: Added Liveness Delay, Readiness Delay and Probe Periodicity settings to the nevisProxy Instance pattern.
  • ⚠️ PAT-621: Updated the generation of the AutoRewrite init-param for the Http(s)ConnectorServlet to the supported values.
  • NEVISPROXY-6945: Updated the nevisProxy Observability Settings pattern to generate the OpenTelemetry configuration in navajo.xml instead of the TelemetryFilter. The pattern settings stay the same.
  • ⚠️ NEVISPROXY-6945: Removed the Virtual Host Observability Settings pattern. Due to the refactoring of the OpenTelemetry integration in nevisProxy, the configuration now applies to the whole instance.

Authentication

  • ⚠️ PAT-364: Updated the generation of the RenewIdentification init-param for the IdentityCreationFilter to its new Boolean type.
  • PAT-574: Support resolving inventory variables in resources uploaded to Generic Authentication Step.
  • PAT-578: Added session setting Update Session Timestamp Interval in realm patterns.
  • PAT-594: Added setting to configure init-param values for Esauth4ConnectorServlet in realm patterns.
  • PAT-608: Improve issue text when attempting to configure -Dfile.encoding. Only UTF-8 is allowed.
  • PAT-609: Support connectionMaxLifeTime configuration.
  • PAT-610: Removed lodash.js from pattern JAR as it is unused.
  • PAT-628: Support dynamic expressions in JSON Response Step.

Identity Management

  • PAT-579: Improved nevisIDM Custom Property pattern help.
  • PAT-611: Adapted nevisIDM URL Ticket Consume to not consume ticket with reload or language change.
  • PAT-615: Extend nevisIDM User Lookup pattern with Buttons setting.
  • PAT-620: Support 2-way TLS for nevisIDM Database.
    • ⚠️ The value enabled does not exist anymore, and you have to select a different value. We recommend using verify-ca or verify-full in combination with a Trust Store instead.

Mobile Authentication

  • PAT-601: Transaction Confirmation now exposes the /nevisfido/token/dispatch/authentication endpoint.
  • PAT-632: Use nevisIDM SOAP service version v1_46 because of new requirements in mobile authentication.
  • PAT-663: Expose new nevisFIDO endpoints /nevisfido/devices/credentials and /nevisfido/devices/oobOperations in mobile auth patterns.

SAML / OAuth / OpenID Connect

  • PAT-562: Improved Hosting Service configuration in Social Login project templates.
  • PAT-565: Adapt script used for Apple Login to be compatible with the latest release of nevisAuth.
  • PAT-577: Fixed OAuth2 UserInfo Signer keystore missing signer usage.
  • PAT-630: Fixed OAuth 2.0 / OpenID Connect User Info to generate correct MappingType and URIPrefix when using an exact:/ path as Endpoint.
  • IDC-3892: Fixed an issue with the CORS filter generated by OAuth2 Client pattern (Identity Cloud only).

User behavior analytics

  • PAT-582: Ensure untrained step is invoked during generation.
  • PAT-584: Cleanups in nevisAdapt / nevisDetect Instance patterns, log settings, addons and observability patterns.

nevisAdmin 7.2311.1 Release Notes - 2024-01-16

Release information

  • RPM: nevisadmin4-7.2311.1.0-1.noarch.rpm
  • GUI Version: FE 7.2311.1-1116 - BE 7.2311.1.0

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • FIXED: We fixed an issue with the Authentication Flow Graph that caused the graph to crash and not display. (NEVISADMV4-9678)

nevisAdmin 7.2311.0 Release Notes - 2023-11-15

Release information

  • RPM: nevisadmin4-7.2311.0.10-1.noarch.rpm
  • GUI Version: FE 7.2311.0-1066 - BE 7.2311.0.10

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

  • CHANGED: We upgraded to Java 17 and Groovy 4, so old plugin versions are not compatible with this version. The usual one-version backward compatibility cannot be provided. (PRODROAD-321) (PRODROAD-322)
  • CHANGED: New Jetty version used in nevisAdmin 4 performs more strict validation for TLS connections. The SNI will be checked for matching the hostname in the configured certificate. (NEVISADMV4-9142)
  • CHANGED: The Git deployment repository is now separated into namespace folders when using Git deployments. (NEVISADMV4-9506)

Main improvement

  • NEW: The GUI editor of the attachment property now displays line numbers, and also applies syntax highlighting to some common file types if it can identify the file type based on the extension. (NEVISADMV4-9403)
  • NEW: We added a new search window. You can use it to search in all patterns, attachments, and more. (NEVISADMV4-9465)
  • NEW: We added the possibility to compare inventories, which makes it easier to work with multiple stages of infrastructure, like dev, QA, prod. (NEVISADMV4-9457)
  • NEW: We added multiple ways to get informed about how others work on the same resource. On the configuration tab near the project name, a user icon signals if others changed the project since you last worked on it, and it also notifies you with a subtle real-time animation if there is a change in the same project. The Deploy button and the deployment wizard now signal in real time with spinners when a deployment is in progress. (NEVISADMV4-9488)
  • NEW: Git deployments can now be performed with side-by-side deployment strategy. (NEVISADMV4-9506)
  • NEW: Git deployments can now be deleted. (NEVISADMV4-9593)

Notable changes and bug fixes

  • IMPROVED: The inventory validation now detects invalid characters in the kubernetes token. (NEVISADMV4-9444)
  • IMPROVED: Pod affinity settings will now apply to the migration jobs when using Kubernetes deployment. (NEVISADMV4-9595)
  • IMPROVED: The default imagePullPolicy can now be configured in the inventory for Kubernetes deployments. (NEVISADMV4-9446)
  • FIXED: The deployment preview no longer considers all nevisComponents unchanged if the git tag for the upstream is not found. Now these components are considered new. (NEVISADMV4-9244)
  • FIXED: We fixed a bug that sometimes caused patterns with attachments to have an inaccurate timestamp. (NEVISADMV4-9436)
  • FIXED: Hibernate ddl validation is now disabled by default for PostgreSQL because it does not work when the schema username contains uppercase letters. (NEVISADMV4-9443)
  • FIXED: Improved validation on operations that can create project variables, to better prevent inconsistent states. (NEVISADMV4-9485)
  • FIXED: The name of the remote temporary upload directory is randomized for classic deployments to avoid naming conflicts. (NEVISADMV4-9587)

Dependency upgrades

  • jaxb-runtime 4.0.3 (NEVISADMV4-9406)
  • jsch 0.2.11 (NEVISADMV4-9406)
  • jetty-rewrite 11.0.16 (NEVISADMV4-9533)
  • groovy 4.0.15 (NEVISADMV4-9533)
  • jakarta-annotation-api 2.1.1 (NEVISADMV4-9142)
  • jakarta-activation-api 2.1.2 (NEVISADMV4-9172)
  • jakarta-xml-bind-api 4.0.1 (NEVISADMV4-9533)
  • spring-boot 3.1.4 (NEVISADMV4-9533)
  • spring-dependency-management-plugin 1.1.3 (NEVISADMV4-9406)
  • opensaml 4.3.0 (NEVISADMV4-9126)
  • apache-el is removed (NEVISADMV4-9126)
  • springdoc-openapi-starter-webmvc-ui 2.2.0 (replacing springdoc-openapi-ui) (NEVISADMV4-9406)
  • org.eclipse.jgit 6.6.0.202305301015-r (NEVISADMV4-9406)
  • jackson 2.15.3 (NEVISADMV4-9533)
  • logback-classic 1.4.11 (NEVISADMV4-9406)
  • guava 32.1.3-jre (NEVISADMV4-9533)
  • snakeyaml 2.2 (NEVISADMV4-9533)
  • aspectjweaver 1.9.20.1 (NEVISADMV4-9533)
  • postgresql 42.6.0 (NEVISADMV4-9406)
  • shiro 1.12.0 (NEVISADMV4-9406)
  • bcprov-jdk18on 1.76 (NEVISADMV4-9406)
  • bcpkix-jdk18on 1.76 (NEVISADMV4-9406)
  • bcpg-jdk18on 1.76 (NEVISADMV4-9406)
  • bcutil-jdk18on 1.76 (NEVISADMV4-9406)
  • slf4j-api 2.0.9 (NEVISADMV4-9533)
  • mustache 0.9.11 (NEVISADMV4-9533)
  • mariadb-java-client 3.2.0 (NEVISADMV4-9533)
  • nimbus-jose-jwt 9.37 (NEVISADMV4-9533)
  • spring-security 5.8.7 (NEVISADMV4-9533)
  • jetty 9.4.53.v20231009 (NEVISADMV4-9552)

Patterns 7.2311.0 Release Notes - 2023-11-15

Release information

  • Build Version: 7.2311.0.12

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2023 November.

Enter the version in the Search field: 7.2311.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience.

Review these changes carefully, and adapt your pattern configuration as required.

General

  • PAT-478/PAT-521: Added support for TLS encrypted database connection for PostgreSQL to all database patterns.

Application Protection

  • ⚠️ PAT-421: Improved Maintenance Page pattern:
    • The status code is now 503 by default. We recommend 503 as this status code is intended for service unavailable. You can opt out of this change by selecting 200.
    • The Base Path where the maintenance page is hosted can now be configured. As the path is not exposed with a servlet-mapping this has no user impact, but it may be required to change the path in case of clashes with other hosted resources.
  • PAT-555: Included Hosting Service patterns in Application Mapping Report.
    • Only the Frontend Path will be reported, not all hosted resources. As there is no backend the Backend Addresses column will have the text n/a.
  • PAT-528: Escape ( and ) in generated exclude-url-regex elements.
  • PAT-502: Removed the generation of deprecated navajo.xml elements and attributes in nevisProxy, such as HttpSession, UserAgent, DocumentRoot, MemorySize.
  • PAT-503: Increased the maximum allowed value for Session Timeout in the Unauthenticated Realm pattern.
    • We advise against raising the value as this increases the DoS attack surface.
  • PAT-530: Added setting Send Certificate Chain to Web Application, REST Service and SOAP Service patterns.
  • PAT-532: Added the Crash Recovery Strategy kill to the nevisProxy Instance pattern.
    • The default for Kubernetes deployments is kill as Kubernetes automatically starts a new pod.
  • PAT-534: Fixed the validation of the ModSecurity Rule Set of Virtual Host to allow using a variable.
  • PAT-542: Added metrics settings to the nevisProxy Observability pattern.

Authentication

  • PAT-544: Changed the nevisAuth Database pattern to allow specifying whether a password is provided directly or as a command that echoes the password.
  • PAT-535: Support configuration of Allowed HTTP Methods in authentication service patterns, such as Standalone Authentication Flow.
  • PAT-497: Removed the JAVA_OPTS -XX:+UseConcMarkSweepGC and -XX:+UseParNewGC from the default configuration of nevisAuth.
  • PAT-485: Moved configuration of Out-of-context Data Store to esauth4.xml as required by the latest nevisAuth version.
  • PAT-551: Aligned configuration generated by Generic SMTP with the latest nevisAuth version.

Identity Management

  • ⚠️ PAT-309: The nevisIDM User Update step now supports overwriting user attributes and properties.
    • Overwrite is allowed by default. You can opt out by setting Allow Overwrite to disabled in the Advanced Settings tab.
  • PAT-529: nevisIDM Administration GUI pattern now allows all methods used by the nevisIDM REST API.
  • NEVISIDM-8916: The nevisIDM Instance pattern now handles Oracle drivers for nevisidmdb correctly.

Mobile Authentication

  • ⚠️ PAT-559: The nevisFIDO UAF Instance now uses the REST API of nevisIDM for some operations. This requires a configuration change:
    • The setting Client in nevisFIDO UAF Instance has been changed to Client ID. Adapt your configuration and enter the ID instead of the name there.
  • PAT-223: Added support for number matching for out-of-band push notifications.
  • PAT-506: Migrated nevisFIDO UAF Instance logging from logback to log4j2.

FIDO2 Passwordless

  • PAT-506: Migrated nevisFIDO FIDO2 Instance logging from logback to log4j2.
  • PAT-489: Fixed small issue in the JavaScript used for usernameless authentication.
  • PAT-539: Extended nevisFIDO FIDO2 Instance pattern for username / display mapping support.

SAML / OAuth / OpenID Connect

  • PAT-478: You can now set all properties for nevismeta.properties with the Custom Properties setting in nevisMeta Instance.
  • ⚠️ PAT-357: Refactored the Signature Validation in SAML IDP Connector and Signed Element in SAML SP Connector to provide more options. Adapt your configuration as required.
    • Removed the option both in SAML SP Connector
    • Replaced the option both with recommended in SAML IDP Connector
  • N/A: Consent management can now be disabled in OAuth 2.0 Authorization Server / OpenID Provider by setting Consent Screen to disabled.

User behavior analytics

  • PAT-305: Added support for automatic schema setup for nevisAdapt when using Oracle and PostgreSQL databases.

Patterns 4.20.1 Release Notes - 2023-09-30

Release information

  • Build Version: 4.20.1.8

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2023 Aug.

Enter the version in the Search field: 4.20.1.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience.

Review these changes carefully, and adapt your pattern configuration as required.

General

  • PAT-478: Apart from nevisProxy Remote / Hybrid Session Store, database patterns now support TLS encryption when using PostgreSQL.
  • PAT-495: Support overwrite of -XX:MaxRAMPercentage in JAVA_OPTS.
  • PAT-498: Fixed a bug that caused multiple "Checking if %s instance '%s' had a different name before" triggers to be generated for the same instance.

Application Protection

  • PAT-500: Fixed the generation of DynamicConfigFilter in nevisProxy patterns.
  • PAT-509: Fixed the class-name of the RewriteFilter generated by Hosting Service when configuring Rewrite Rules.
  • PAT-512: Fixed the generation of the ConnectString parameter when using PostgreSQL in nevisProxy Remote / Hybrid Session Store.

Authentication

  • PAT-480: Removed Authentication Flow category from step patterns.
    • The corresponding settings can now be found in the Basic Settings tab.
    • This makes navigation between steps easier as you don't have to switch tabs.
  • PAT-486: Support setting a Custom Classpath for Groovy Script Step.
  • PAT-488: Fixed wrong schema user password generation for the nevisAuth OOCDS.
  • N/A: The Groovy Script Step now validates that steps assigned to On Success, On Failure, and Custom Follow-up Steps are used in the script.
    • As the validation could produce false positives, the generated issues are INFO level issues for now.

Identity Management

  • PAT-409: nevisIDM batch jobs now use a proper value for org.quartz.jobStore.driverDelegateClass when PostgreSQL is used.
  • PAT-501: Fixed a NullPointerException caused by nevisIDM Password Login when Login Type is set to AUTO or EMAIL.
  • NEVISIDM-8916: Fixed issue with Oracle driver deployment where empty file was copied for nevisIDMDB.

SAML / OAuth / OpenID Connect

  • PAT-471: Removed setting ID Token Lifetime in OAuth 2.0 Authorization Server / OpenID Provider pattern.
    • This setting does not have any effect in setups which use nevisMeta as the ID token lifetime is configured there.
  • PAT-482: Exclude CSRF protection on SAML IDP Frontend Path(s).
  • N/A: Consent Management can now be disabled in OAuth 2.0 Authorization Server / OpenID Provider.

User behavior analytics

  • PAT-515: Fixed ubi tool version for nevisAdapt.
  • NEVISDETECT-1729: Removed validation check for maximum value for Medium Risk Threshold and High Risk Threshold.
  • NEVISDETECT-1754: Added default browser fingerprint risk scores.

nevisAdmin 4.20.0 Release Notes - 2023-08-16

Release information

  • RPM: nevisadmin4-4.20.0.13-1.noarch.rpm
  • GUI Version: FE 4.20.0-995 - BE 4.20.0.13

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

  • CHANGED: The REST endpoint GET /api/v1/tenants/{tenantKey}/constants does not return the usedIn field anymore by default, due to its computational complexity. If you need this field, call the API with ?usedIn=true query parameter. (NEVISADMV4-9332)

  • CHANGED: The RSA/SHA1 signature algorithm is disabled by default for the ssh connection used for classic deployments and git. (NEVISADMV4-9136)

    If you still need this insecure signature algorithm, you have to do one of the following:

    • Edit var/opt/nevisadmin4/conf/env.conf and add these system properties:
      -Djsch.server_host_key=ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
      -Djsch.client_pubkey=ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
    • Or edit the ssh config of the user, typically ~/.ssh/config, and re-enable it only for the affected host:
      Host {old-host}
      HostkeyAlgorithms +ssh-rsa
      PubkeyAcceptedAlgorithms +ssh-rsa
  • CHANGED: During kubernetes deployments, git metadata and the list of secret references used are now added to nevis components. This will show up as a change in the deployment preview screen when they are deployed for the first time after upgrading to this version. (NEVISADMV4-9354)
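An added audit script (example code, not part of nevisAdmin 4) that reports where the RSA/SHA-1 signature algorithm from the CHANGED item above has been re-enabled: in the two jsch system properties of env.conf and in the deployment user's ssh config. The env.conf layout (a JAVA_OPTS line) and the sample hosts are assumptions; the property names and ssh_config keywords are the ones from the release note.

```python
"""Audit where the legacy RSA/SHA-1 (ssh-rsa) signature algorithm has been
re-enabled after the nevisAdmin 4.20.0 upgrade. Added example, not nevisAdmin
code: the env.conf layout below is an assumption (JAVA_OPTS line); the two jsch
property names and the ssh_config keywords are the ones from the release note."""
import re
from typing import Dict, List

LEGACY_ALG = "ssh-rsa"
JSCH_PROPS = ("jsch.server_host_key", "jsch.client_pubkey")
SSH_KEYWORDS = ("hostkeyalgorithms", "pubkeyacceptedalgorithms")

# Constructed sample of var/opt/nevisadmin4/conf/env.conf (file format assumed).
ENV_CONF = """# constructed sample
JAVA_OPTS="-Xmx2g -Djsch.server_host_key=ssh-rsa,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 -Djsch.client_pubkey=ssh-ed25519,rsa-sha2-512,rsa-sha2-256"
"""

# Constructed sample of the deployment user's ~/.ssh/config (hosts are made up).
SSH_CONFIG = """# constructed sample
Host legacy-host.example.internal
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Host *
    HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
"""


def audit_env_conf(text: str) -> List[str]:
    """Return the jsch system properties whose algorithm list contains ssh-rsa.
    A hit here re-enables RSA/SHA-1 for every classic deployment and git host."""
    hits = []
    for match in re.finditer(r"-D(jsch\.[a-z_]+)=([^\s\"']+)", text):
        prop, algs = match.group(1), match.group(2).split(",")
        if prop in JSCH_PROPS and LEGACY_ALG in algs:
            hits.append(prop)
    return hits


def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ssh_config parser: {host pattern: {keyword: value}}.
    Keywords are case-insensitive in OpenSSH, so they are lowercased; directives
    before the first Host/Match line apply to every host and go under '*'."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = ["*"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword in ("host", "match"):
            # "Host a b" opens one stanza shared by several patterns
            current = value.split() if keyword == "host" else ["match " + value]
            continue
        for pattern in current:
            stanzas.setdefault(pattern, {})[keyword] = value
    return stanzas


def audit_ssh_config(text: str) -> Dict[str, List[str]]:
    """Return {host pattern: [keywords that enable ssh-rsa]}.
    '+list' appends to the defaults, '^list' prepends, a bare list replaces them:
    all three enable ssh-rsa when it is listed. '-list' only removes, so it never
    counts. A hit under '*' means the legacy algorithm is enabled for all hosts."""
    findings: Dict[str, List[str]] = {}
    for pattern, options in parse_ssh_config(text).items():
        enabled = []
        for keyword in SSH_KEYWORDS:
            value = options.get(keyword)
            if value is None or value.startswith("-"):
                continue
            if LEGACY_ALG in value.lstrip("+^").split(","):
                enabled.append(keyword)
        if enabled:
            findings[pattern] = enabled
    return findings


if __name__ == "__main__":
    for prop in audit_env_conf(ENV_CONF):
        print(f"env.conf: {prop} re-enables {LEGACY_ALG} for all hosts")
    for pattern, keywords in audit_ssh_config(SSH_CONFIG).items():
        scope = "ALL HOSTS" if pattern == "*" else pattern
        print(f"ssh config: {scope} re-enables {LEGACY_ALG} via {', '.join(keywords)}")
```

Run it against the real env.conf and ~/.ssh/config contents to confirm that ssh-rsa is only enabled for the legacy host that still needs it, and not under a Host * stanza or in the system properties.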

Main improvement

  • NEW: Projects can now be jumpstarted from predefined project templates in the newly added marketplace tab. (NEVISADMV4-8522)
  • NEW: You can also define your own custom project templates. (NEVISADMV4-9003)
  • NEW: In the pattern editor, on the Usage tab on the right, you can now see which other projects the currently selected pattern was copied to. (NEVISADMV4-9074)
  • NEW: After the validation phase of a deployment completes, the generation results can be downloaded as a zip file. (NEVISADMV4-9355)
  • NEW: Added experimental support for PostgreSQL database. (NEVISADMV4-9118)
  • NEW: During deployment, the git configuration can now be saved to a persistent volume using the kubernetes.git-init.mirror attribute in the inventory. This can be used as a fallback source for pods when they restart, in case the connection to git is down. (NEVISADMV4-9276)
  • NEW: Git deployments have been introduced. During git deployments, the generated configuration is uploaded to the specified git repository without performing any further steps. This can be used to integrate nevisAdmin 4 with GitOps continuous delivery tools. (NEVISADMV4-9354)

Notable changes and bug fixes

  • NEW: Added a new property nevisadmin.git.commit.name-format for changing the format of the username on commits made by nevisAdmin 4. (NEVISADMV4-9325)
  • NEW: The ssh connection for classic deployment and git now supports Ed25519 keys. (NEVISADMV4-9136)
  • NEW: The default imagePullPolicy can now be configured for Kubernetes deployments. For more information see: Configuration Properties in the nevisoperator.yml file (NEVISADMV4-9378)
  • NEW: The used time zone can now be configured for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-9071)
  • CHANGED: On the GUI, attachment properties now only allow variables to be assigned if there are no attachments. This is to prevent some edge cases, where attachments could unexpectedly disappear and re-appear when you assign or unassign a variable to the property. (NEVISADMV4-9188)
  • IMPROVED: Secrets are now only mounted to pods that actually need them. (NEVISADMV4-9292)
  • IMPROVED: We improved the loading time of the inventory GUI and decreased the load this screen puts on the backend. This will be more noticeable if you have many inventories that reference a lot of resources, secrets and global constants. (NEVISADMV4-9185)
  • FIXED: We fixed a GUI issue in the pattern editor that in certain cases caused a KeyValue property to request an empty string to be migrated instead of displaying an empty value. (NEVISADMV4-9351)
  • FIXED: We fixed a GUI issue that caused the project or the inventory selector to be out of sync from the actually selected project or inventory, if you tried to switch project/inventory when there were unsaved changes, and you selected Cancel in the confirmation dialog. (NEVISADMV4-8761)
  • FIXED: We fixed a GUI issue that happened sometimes when the validation data was being loaded after a pattern change. Now pattern items' version info tooltip and the filters above the pattern list are more robust. (NEVISADMV4-8985)
  • FIXED: We fixed a GUI issue related to multiline text pattern properties that occurred when un-assigning a variable and caused a technical pattern reference (var://) to be displayed as the value, instead of the actual value of the unassigned variable. (NEVISADMV4-9304)
  • FIXED: We fixed a GUI issue that could cause deleted Kubernetes deployments to be shown on the Kubernetes Status page. (NEVISADMV4-9169)
  • FIXED: We fixed a GUI issue that caused the secondary deployment option to be visible even when there was no primary deployment. (NEVISADMV4-9169)
  • FIXED: We fixed a GUI issue, where deleted variables were still shown as a link in the pattern editor, instead of a text label. (NEVISADMV4-9223)
  • FIXED: Pressing the Validate button quickly no longer causes the deployment Preview page to be empty. (NEVISADMV4-9000)
  • FIXED: We fixed a GUI issue on the Managed Kubernetes Certificates screen that caused some columns to permanently disappear from the dropdown list, if any change was made to the selected columns. (NEVISADMV4-9296)
  • FIXED: We fixed a GUI issue that allowed users with usernames containing invalid characters to be created. In such cases, now a validation message is displayed and the user is not created. (NEVISADMV4-9215)
  • FIXED: We improved the performance of the REST API for listing inventories (GET inventories?tenantKey={tenantKey}). (NEVISADMV4-9257)
  • FIXED: We improved the performance of the REST APIs for listing secrets, resources, secret-resources, and global constants. (NEVISADMV4-9257)
  • FIXED: On the validation step of deployments, an incorrect warning was shown for each k8s-secret in the inventory that had a key that was at least 24 characters long. These warnings are no longer shown. (NEVISADMV4-9245)
  • FIXED: Global constants no longer have their scalar values double-quoted upon being saved. The error message shown when the submitted global constant has invalid yaml syntax is also improved. (NEVISADMV4-9327)
  • FIXED: Files that had no extensions when uploaded to patterns as attachments used to be given a .json extension upon being downloaded. Now, they are downloaded without an extension. (NEVISADMV4-9275)
  • FIXED: We fixed an issue where errors during the Ingress creation did not cause the Deployment to fail. (NEVISADMV4-8982)

Dependency upgrades

  • jackson 2.15.0 (NEVISADMV4-9199)
  • jetty-rewrite 9.4.51.v2023021 (NEVISADMV4-9199)
  • springdoc-openapi-ui 1.7.0 (NEVISADMV4-9199)
  • groovy 3.0.17 (NEVISADMV4-9199)
  • snakeyaml 2.0 (NEVISADMV4-9199)
  • slf4j-api 2.0.7 (NEVISADMV4-9199)
  • logback-classic 1.3.7 (NEVISADMV4-9199)
  • mariadb-java-client 3.1.4 (NEVISADMV4-9199)
  • apache-el was removed (NEVISADMV4-9199)
  • kubernetes-java-client 18.0.1 (NEVISADMV4-9368)
  • spring-boot 2.7.14 (NEVISADMV4-9368)
  • guava 32.0.1-jre (NEVISADMV4-9311)
  • bcprov-jdk18on 1.75 (NEVISADMV4-9311)
  • bcpkix-jdk18on 1.75 (NEVISADMV4-9311)
  • spring-security 5.8.5 (NEVISADMV4-9368)
  • shiro 1.12.0 (NEVISADMV4-9368)

Patterns 4.20.0 Release Notes - 2023-08-16

Release information

  • Build Version: 4.20.0.9

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2023 Aug.

Enter the version in the Search field: 4.20.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

  • ⚠️ PAT-369: Refactored automatic key management for classic deployments.
    • The master for all key material is now generated during project generation and deployed to target hosts as .pem files.
    • Only .jks and .p12 files are still assembled on the target hosts by running script during deployment.
    • The overall solution is now much simpler and more reliable.
    • However, if automatic key management was used with an earlier release, you have to perform some manual clean up operations:
      1. remove /var/opt/keys folder on target hosts
      2. run the following SQL commands in the nevisadmin4 database:
        delete from pki_store_content;
        delete from pki_store;
        commit;

Application Protection

  • PAT-361: Added Static Content Cache pattern.
  • PAT-368: Removed a check which may produce invalid warning messages when using certain authentication steps in a realm assigned to a SOAP Service pattern.
  • PAT-394: Added Peer Servlet Strategy setting to the nevisProxy Remote/Hybrid Session Store pattern.
  • PAT-406: Added nevisProxy Observability Settings and Virtual Host Observability Settings patterns to support tracing with OpenTelemetry in nevisProxy.
  • PAT-407: Fix the missing html mime mapping when using the Maintenance Page pattern.
  • PAT-418: Fixed an unexpected warning when trying to remove the default error handler mapping of a Virtual Host using Generic Virtual Host Settings.
    • Note: The default error handler can also be disabled by linking an HTTP Error Handling pattern to your Virtual Host and setting Mode to disabled.
  • ⚠️ PAT-419: Upgraded the default ModSecurity CRS to 3.3.5 and removed the previous version 3.3.4.

Authentication

  • PAT-167: Added support for the renderElement attribute in GuiElem elements.
  • PAT-299: Added pre-selected profileId to session when consuming an access token in Access Token Consumer step.
  • PAT-342: Use request.getHttpHeader method in generated Groovy scripts.
  • PAT-372: Fixed the error "Upload a keytab file or enter the path of an existing keytab file on the target host(s)" when using a variable for the keytab file in the Frontend Kerberos Login pattern.
  • PAT-386: Updated the nevisAuth Database pattern to use the new Hikari-based connection provider.
  • ⚠️ PAT-388: Added a new Kerberos Login pattern which uses the new KerberosLoginAuthState and marked the existing Frontend Kerberos Login as deprecated.
    • The existing pattern will be removed in the November 2023 release.
  • ⚠️ PAT-390: Changes to logrend.properties.
    • Fixed usage of expressions in logrend.properties configuration.
    • Removed the file-based configuration which has been marked as deprecated in the May 23 release. Use the key-value based configuration instead.
  • PAT-391: New setting Login Template Mode in realm patterns.
  • PAT-399: Do not return 403 for AUTH_CONTINUE in Groovy Script Step.
  • PAT-401: Support AUTH_CONTINUE in JSON Response Step.
  • PAT-408: Made SMTP User and SMTP Password optional in Generic SMTP pattern.

Identity Management

  • IDC-3166: Support UNIT_GLOBAL for nevisIDM Custom Property.
  • N/A: Updated the list of supported nevisIDM permissions which can be configured in Role Permissions in the nevisIDM Authorizations pattern.
  • PAT-343: Replaced SecToken creation in authentication step patterns with use of IdmRestClient.
  • PAT-384: Fixed the "Oracle database requires a volume to be prepared" warning during background generation.
  • PAT-395: The nevisIDM Custom Property pattern now allows to define properties which are not READ_ONLY.

SAML / OAuth / OpenID Connect

  • PAT-284: Fixed access denied when calling OAuth 2.0 / OpenID Connect User Info endpoint.
  • PAT-392: Added a Custom Pre-Processing hook to OAuth2.0 Authorization Server / OpenID Connect Provider.
  • PAT-397: Fix the generation of the Claims Request setting in the social login steps.
  • PAT-412: Support configuration of trust store and proxy in OAuth2.0 Authorization Server / OpenID Connect Provider for outbound connection to JWK Set endpoint for ID token encryption.
  • PAT-413: Added refresh token rotation configuration for OAuth2.0 Authorization Server / OpenID Connect Provider.

User behavior analytics

  • ⚠️ NEVISDETECT-1704: Refactored the feedback configuration:
    • Added setting nevisAdapt Feedback Configuration to Advanced Settings of nevisAdapt Instance.
    • Added new pattern nevisAdapt Feedback Configuration to keep all related configurations.
    • Removed settings from nevisAdapt Instance:
      • nevisAuth reference
      • JWE key config
    • Removed settings from nevisAdapt Authentication Connector:
      • nevisProxy reference
      • Distrust Token Behavior
      • Feedback Token Lifetime
  • NEVISDETECT-1699: Internal changes to how the conversation is wrapped up when authentication is done.

nevisAdmin 4.19.1 Release Notes - 2023-06-05

Release information

  • RPM: nevisadmin4-4.19.1.0-1.noarch.rpm
  • GUI Version: FE 4.19.0-910 - BE 4.19.1.0

Notable changes and bug fixes

  • FIXED: The report generation no longer fails when the project has a variable that references a secret, secret file, or file attachment.
  • FIXED: Wrong autoscaling API version in nevisOperator caused deployments to fail on Kubernetes v1.26+ unless autoscaling was enabled.

nevisAdmin 4.19.0 Release Notes - 2023-05-17

Release information

  • RPM: nevisadmin4-4.19.0.14-1.noarch.rpm
  • GUI Version: FE 4.19.0-910 - BE 4.19.0.14

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

  • CHANGED: When updating a user with PUT /api/v1/users/{userKey}, sending the user type is now mandatory. (NEVISADMV4-8956)
  • CHANGED: The database connector no longer enables autocommit automatically. If you are using a custom database and need this feature, ensure that your database has autocommit enabled. (NEVISADMV4-8689)
  • CHANGED: The database driver will now only accept jdbc:mariadb: by default in the connection url string. If your connection string is required to be jdbc:mysql:, add the ?permitMysqlScheme parameter. (NEVISADMV4-8689)
  • REMOVED: We removed the kubernetes mode from the Generation Engine. (NEVISADMV4-8829)

Main improvement

  • NEW: You can now read the logs of nevisAdmin 4 on the UI, if your nevisAdmin 4 instance is running in kubernetes. You can access the feature from the top right context menu by selecting the View Logs option. (NEVISADMV4-9087)

Notable changes and bug fixes

  • NEW: MariaDB 10.6 is now officially supported. (NEVISADMV4-8689)
  • NEW: Inventory and global constants can now contain yaml maps and sequences. (NEVISADMV4-8973)
  • IMPROVED: In kubernetes inventories, specifying service names is now optional, if you do not override any of the default kubernetes attributes. (NEVISADMV4-8617)
  • IMPROVED: The inventory editor now warns you if you set a kubernetes version attribute without quoting it. Not quoting these versions may result in unexpected behaviour. (NEVISADMV4-9094)
  • IMPROVED: Patterns in the Testing category are no longer hidden by default. (NEVISADMV4-9148)
  • IMPROVED: If nevisAdmin 4 runs on kubernetes, it is no longer mandatory to set the kubernetes-cluster.token and kubernetes-cluster.url attributes in inventories. (NEVISADMV4-8829)
  • IMPROVED: Kubernetes pods can now be given additional custom labels. For more information see: Inventory YAML file format (NEVISADMV4-9103)
  • IMPROVED: We extended the pod security options for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-9104)
  • IMPROVED: Editing Global Constants is now done with a rich text editor, which helps in editing structured constants. (NEVISADMV4-9015)
  • IMPROVED: It is now possible to delete a Kubernetes deployment from the nevisAdmin 4 GUI, on the Kubernetes Status screen.
  • IMPROVED: The Project Overview is now easier to access in the nevisAdmin 4 GUI: it has a top-level navigation item on the Configuration tab.
  • IMPROVED: Displaying the variable sample value on the Project Variables screen is no longer blocked when the usages take longer to load. (NEVISADMV4-9144)
  • IMPROVED: On the first screen of the Deployment Wizard, the selected Project and the selected Inventory are scrolled into view if there are many items in these lists, so that you don't need to search for them in the list. (NEVISADMV4-9145)
  • IMPROVED: In the Attachment Property, you can now directly create a new file by entering the file name and its content, without having to upload an existing file first. (NEVISADMV4-9107)
  • FIXED: Previously, kubernetes database migration failed if the database name contained special characters.
  • FIXED: Deploying to a Kubernetes cluster that uses cgroups v2 such as AKS 1.25 could result in increased memory consumption for all Java based Nevis components.
  • FIXED: We fixed an issue where updating saml or ldap users could change their type to local. (NEVISADMV4-8956)
  • FIXED: The Generation Engine no longer ignores the specified log level. (NEVISADMV4-8994)
  • FIXED: We fixed a bug that prevented key stores from having two certificates with the same CN. (NEVISADMV4-9041)
  • FIXED: Global constants are now automatically deleted if the tenant they are scoped to is deleted. (NEVISADMV4-9045)
  • FIXED: The nevisadmin4 db-migration helper commands now run successfully. (NEVISADMV4-9033)
  • FIXED: We improved the performance of the REST APIs for listing resources and secret-resources by optimizing the DB queries. (NEVISADMV4-9182)
  • FIXED: We fixed multiple smaller GUI issues related to user and group management: adjusted table ordering, linking to users and groups from the tables, made some labels and messages more intuitive, improved search for permissions, and more. (NEVISADMV4-8980, NEVISADMV4-8979)
  • FIXED: We fixed the documentation link in the dialog which notifies if a new version of nevisAdmin 4 is available. (NEVISADMV4-8849)
  • FIXED: On the Kubernetes Status screen, when a secondary deployment is in progress, an incorrect warning message about possible issues was shown. This warning is now only shown in the correct cases. (NEVISADMV4-9080)

Dependency upgrades

  • jackson 2.14.2 (NEVISADMV4-8968)
  • jetty-rewrite 9.4.50.v20221201 (NEVISADMV4-8968)
  • springdoc-openapi-ui 1.6.14 (NEVISADMV4-8968)
  • groovy 3.0.15 (NEVISADMV4-8968)
  • aspectjweaver 1.9.19 (NEVISADMV4-8968)
  • jaxb-runtime 2.3.8 (NEVISADMV4-8968)
  • slf4j-api 2.0.6 (NEVISADMV4-8968)
  • spring-security 5.8.3 (NEVISADMV4-9137)
  • spring-boot 2.7.11 (NEVISADMV4-9137)
  • mariadb-java-client 3.1.2 (NEVISADMV4-8968)
  • apache-el 10.1.5 (NEVISADMV4-8968)
  • nimbus-jose-jwt 9.31 (NEVISADMV4-8968)
  • kubernetes-java-client 17.0.1 (NEVISADMV4-8968)
  • micrometer 1.10.4 (NEVISADMV4-8968)
  • replaced bcprov-jdk15on:1.70 with bcprov-jdk18on:1.73 (NEVISADMV4-9129)
  • replaced bcpkix-jdk15on:1.70 with bcpkix-jdk18on:1.73 (NEVISADMV4-9129)

Patterns 4.19.0 Release Notes - 2023-05-17

Release information

Build Version: 4.19.0.22

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2023 May.

Enter the version in the Search field: 4.19.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General

The following changes affect multiple components:

  • PAT-235: Fixed database patterns to generate the Trust Store when TLS encryption is enabled and Custom Connection URL is set.
  • PAT-248: Release patterns as a single ZIP file instead of separate JAR files.
  • PAT-291: Improved error handling for ${var.name} expressions.
  • PAT-295: Fixed error in database patterns when using a variable without a sample value for the User Name.
  • PAT-297: Improved validation for file upload properties.
  • PAT-308: Fixed an error with pattern name processing in Kubernetes deployments.
  • PAT-328: Fixed TLS hostname verification issues with nevisIDM and nevisMeta and automatic key management in Kubernetes.
  • PAT-334: Increased the initial delay for Kubernetes readiness and liveness probes to account for slower startup.
  • NEVISADMV4-9070: The default CPU autoscaler will no longer be generated if other scaling options are enabled when deploying to Kubernetes.
  • NEVISADMV4-9104: Extended pod security options.

Application Protection

  • PAT-193: Added Crash Recovery Strategy setting to nevisProxy Instance pattern.
    • In Kubernetes deployments it is better to let the process crash as the cluster will simply start a new pod.
  • PAT-209: Added the RESET_PARAMS modifier flag for the URL Handler pattern.
  • PAT-210: The Securosys Keystore pattern now generates the Primus configuration files into the nevisProxy instance folder instead of /etc/primus.
  • ⚠️ PAT-230: Removed the deprecated Navajo SSL Cache setting from the Virtual Host pattern.
  • PAT-265: Improved help of CA Secret in NGINX Ingress Settings.
  • PAT-268: Increased the minimal nevisProxy version to 5.4.0.
  • PAT-288: Cleaned up how standard patterns generate filters for handling CORS.
  • PAT-293: Prevent inherited authentication for public applications:
    • When you assign an Authentication Realm to an application you get session tracking and authentication on all front-end paths of that application.
    • When you don’t assign any realm then the application is considered public but session tracking and authentication filter may be inherited from parent paths belonging to authenticated applications.
    • To prevent the inheritance you can now assign the Unauthenticated Realm pattern to your public applications.
    • As the Unauthenticated Realm pattern was originally designed to add session tracking to public applications, and we did not change the default, you have to set the Session Tracking drop-down to disabled.
  • PAT-340: Prevent different managed databases from being used for the same nevisProxy Instance.
    • This is not supported by the Nevis Operator component.
  • PAT-344: Improved help for Client Cert Authentication in NGINX Ingress Settings.
  • NEVISPROXY-6650: Fixed the setting of paranoia level order in the generated ModSecurity configuration file for nevisProxy.
  • ⚠️ PAT-365: nevisProxy was upgraded to OpenSSL 3.0, whose default security level is stricter than that of OpenSSL 1.1.1. At the default security level 1, signatures using SHA1 and MD5 are rejected. In consequence, the following issues may occur:
    1. Connections using TLSv1.1 fail with the following message in the navajo.log:
      3-ERROR : OpenSSL-failure: 00777CC0137F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2255:0x0a [OSSL-0005]
      We recommend upgrading your configuration to TLSv1.2 or TLSv1.3. If that is not possible, you can add the suffix :@SECLEVEL=0 to your TLSv1.1 cipher suites to allow their signature algorithms again.
    2. Connections using a certificate with a deprecated signature algorithm fail with the following message in the navajo.log:
      3-ERROR :  [...] error:0A00018E:SSL routines::ca md too weak (must be pem encoded)) [NVCT-0054]
      We recommend renewing your certificates with a stronger signature algorithm. In the meantime, you can add the suffix :@SECLEVEL=0 to the cipher suites of the affected filter or servlet. Security level 0 disables these signature checks entirely, so treat it as a temporary workaround. If the issue occurs in several places, or if it affects your EsAuth4ConnectorServlets, you can also modify the default cipher suites to include this suffix. Proceed as follows:
      • Add a Generic nevisProxy Instance Settings pattern to your configuration.
      • Add a bc.property for each cipher suite setting you want to modify. The keys are:
        • ch.nevis.isiweb4.servlet.connector.http.SSLCipherSuites for the HttpsConnectorServlets
        • ch.nevis.isiweb4.servlet.connector.websocket.SSLCipherSuites for the WebSocketServlets
        • ch.nevis.isiweb4.servlet.connector.soap.esauth4.Transport.SSLCipherSuites for the EsAuth4ConnectorServlets
        • ch.nevis.nevisproxy.servlet.connector.http.BackendConnectorServlet.Secure.CipherSuites for the BackendConnectorServlets
        • ch.nevis.isiweb4.filter.icap.ICAPFilter.SSLCipherSuites for the ICAPFilters
      • The modified default value should be ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:@SECLEVEL=0
      • Attach this pattern to your nevisProxy Instance, under Advanced Settings > Additional Settings.
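To work out which of the two PAT-365 failure modes a nevisProxy instance is hitting, and to prepare the bc.property values for the temporary workaround, here is an added Python example (not part of the Nevis tooling). It keys on the OpenSSL reason codes quoted above, the log lines it runs over are constructed from those formats, and the function names are hypothetical.

```python
"""Triage of navajo.log OpenSSL 3.0 security-level failures (added example)."""
import re
from collections import Counter

# OpenSSL reason code -> (reason text, remedy). Both codes are the ones quoted
# in the PAT-365 release note; anything else is left alone.
SECLEVEL_REASONS = {
    "0A00014D": ("legacy sigalg disallowed or unsupported",
                 "peer negotiated TLSv1.1; move it to TLSv1.2/1.3 or, as a stop-gap, "
                 "append :@SECLEVEL=0 to the TLSv1.1 cipher suites"),
    "0A00018E": ("ca md too weak",
                 "a chain certificate is signed with SHA1/MD5; renew it or, as a "
                 "stop-gap, append :@SECLEVEL=0 on the affected filter/servlet"),
}
ERROR_CODE = re.compile(r"error:([0-9A-F]{8}):")

# bc.property keys listed in the release note and the default suites to extend.
BC_PROPERTY_KEYS = [
    "ch.nevis.isiweb4.servlet.connector.http.SSLCipherSuites",
    "ch.nevis.isiweb4.servlet.connector.websocket.SSLCipherSuites",
    "ch.nevis.isiweb4.servlet.connector.soap.esauth4.Transport.SSLCipherSuites",
    "ch.nevis.nevisproxy.servlet.connector.http.BackendConnectorServlet.Secure.CipherSuites",
    "ch.nevis.isiweb4.filter.icap.ICAPFilter.SSLCipherSuites",
]
DEFAULT_SUITES = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256"
)

SAMPLE_LOG = [  # constructed from the message formats in the release note
    "3-ERROR : OpenSSL-failure: 00777CC0137F0000:error:0A00014D:SSL routines:"
    "tls_process_key_exchange:legacy sigalg disallowed or unsupported:"
    "ssl/statem/statem_clnt.c:2255:0x0a [OSSL-0005]",
    "3-ERROR :  [...] error:0A00018E:SSL routines::ca md too weak (must be pem encoded)) [NVCT-0054]",
    "3-ERROR :  [...] error:0A00018E:SSL routines::ca md too weak (must be pem encoded)) [NVCT-0054]",
    "3-ERROR : OpenSSL-failure: 00777CC0137F0000:error:0A000086:SSL routines::certificate verify failed [OSSL-0005]",
    "4-INFO  : startup complete",
]


def triage(lines):
    """Count security-level related failures per OpenSSL reason code."""
    counts = Counter()
    for line in lines:
        m = ERROR_CODE.search(line)
        if m and m.group(1) in SECLEVEL_REASONS:
            counts[m.group(1)] += 1
    return dict(counts)


def remedies(lines):
    """(reason text, count, remedy) per distinct failure, most frequent first."""
    return [(SECLEVEL_REASONS[c][0], n, SECLEVEL_REASONS[c][1])
            for c, n in sorted(triage(lines).items(), key=lambda kv: -kv[1])]


def seclevel0_properties(keys=BC_PROPERTY_KEYS, suites=DEFAULT_SUITES):
    """bc.property values for the Generic nevisProxy Instance Settings pattern.

    Security level 0 drops the signature-strength checks entirely, so keep
    this in place only until certificates and clients have been upgraded.
    """
    suites = re.sub(r":?@SECLEVEL=\d+", "", suites)   # do not stack suffixes
    return {k: f"{suites}:@SECLEVEL=0" for k in keys}


if __name__ == "__main__":
    for reason, n, fix in remedies(SAMPLE_LOG):
        print(f"{n}x {reason}: {fix}")
    for k, v in seclevel0_properties().items():
        print(f"{k}={v}")
```

Run it against the real navajo.log of the affected instance; a count under 0A00018E points at certificate renewal, a count under 0A00014D at clients that still speak TLSv1.1.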

Authentication

  • PAT-132: New key-value style setting for configuring nevisLogrend logrend.properties.
    • You can now add or override only the properties you need, without uploading a file.
    • ⚠️ The file upload variant has been marked as deprecated and will be removed in the August 23 release.
  • PAT-201: Fixed User input pattern saving a null value if a word containing letter with accent was entered.
  • PAT-221: Adapted the generation of the nevisAuth Event Log configuration to compensate for breaking changes in the nevisAuth May release.
    • ⚠️ You have to use the May release of nevisAuth when event logging is enabled.
  • PAT-249: Fixed an error during generation when Internal SecToken Signer Trust Store is not set.
  • PAT-304: Fixed broken language change in some GUIs.
  • PAT-337: Support variables in JSON Response step.
  • PAT-339: Use new HTTP Client of nevisAuth for scripts.
  • ⚠️ PAT-348: Added an eye icon to password input fields to toggle the visibility of the entered password.
  • PAT-349: Support adding a resend button on Email TAN / Mobile TAN.
  • PAT-351: Do not generate Internal SecToken Signer Trust Store unless really required.
  • NEVISAUTH-4006: Added advanced setting ID Pregenerate to nevisAuth Instance pattern.

Identity Management

  • ⚠️ PAT-72: The nevisIDM Generic Batch Job pattern now raises a warning when Custom Batch Job JAR(s) are uploaded, as nevisIDM has not supported custom batch jobs since version 2.76.2.63.
  • PAT-272: Fixed errors in nevisIDM Second-Factor Selection script.
  • PAT-282: A new field was added to nevisIDM User Lookup and nevisIDM Password Login to select the default profile automatically, instead of asking the user to choose, when the user has multiple profiles.
  • PAT-320: Added the client trust hash label to the NevisDatabase resource to ensure the client certificate is imported when nevisFIDO is used.
  • PAT-350: Added a setting User Not Found Error in nevisIDM User Lookup.
    • Set to disabled when the absence of a user is the happy case (e.g. in a registration flow).
  • PAT-352: Added a new parameter to nevisIDM Create Password pattern to make showing policy violations configurable.

SAML / OAuth / OpenID Connect

  • ⚠️ PAT-183: The REST endpoint configuration for OAuth 2.0 / OpenID Connect has been moved to a separate pattern for each endpoint.
    • You have to adapt your configuration and use the new patterns.
  • PAT-183: Added REST endpoint for Pushed Authorization Request.
  • PAT-226: Fixed a database connection issue for nevisMeta when TLS is enabled.
  • PAT-260: Added setting Tenant ID to Microsoft Login pattern.
  • PAT-287: Exclude CSRF on token introspection and revocation paths.
  • PAT-289: Fixed SAML IDP authorization checks for SPs.
  • PAT-306: Allow disabling IDP-initiated authentication in SAML IDP pattern.
    • ⚠️ IDP-initiated authentication is disabled by default. You can opt out of this change by enabling it again.
  • PAT-311: Fixed double slash in OAuth 2.0/OpenID Connect metadata service.
  • PAT-359: Added missing method to the dispatcher script used by the SAML IDP.

FIDO2 / Passwordless

  • PAT-199: The FIDO2 Authentication pattern now uses the new Fido2AuthState by default.
    • ⚠️ A different JavaScript is used (fido2_auth_std.js). If you are using a custom Login Template you have to update the template.
    • The previous implementation can still be used until the August 23 release by setting AuthState Class to ScriptState.
  • PAT-269: Adapted the nevisFIDO FIDO2 Database to be compatible with the new MariaDB driver in nevisFIDO.
    • ⚠️ The enabled TLS encryption option is no longer available. Use trust, verify-ca or verify-full instead.
  • PAT-307: Added User Verification setting to FIDO2 Authentication and FIDO2 Onboarding.
  • PAT-318: Added Attestation setting to FIDO2 Onboarding.
  • NEVISFIDO-1828: Allow configuration of android:apk-key-hash:<your-hash> for Relying Party Origins.

Mobile Authentication

  • PAT-238: Prevent inheritance of CSRF protection and ModSecurity from applications to nevisFIDO APIs.
  • ⚠️ PAT-255: As announced with warning messages, the following deprecated patterns have been removed with this release:
    • Mobile Authentication with Custom URI Link
      • custom URI links have to be configured in the nevisFIDO UAF Instance pattern instead.
    • Mobile Authentication with Deep Link
      • deep links have to be configured in the nevisFIDO UAF Instance pattern instead.
    • Mobile Device Registration
      • use In-band Mobile Registration Service and/or Out-of-band Mobile Registration Service patterns to expose the APIs required by your client.
  • PAT-269: Adapted the nevisFIDO FIDO2 Database to be compatible with the new MariaDB driver in nevisFIDO.
    • ⚠️ The enabled TLS encryption option is no longer available. Use trust, verify-ca or verify-full instead.
  • PAT-296: Improved error handling of the Out-of-band Mobile Onboarding step.
    • In fatal error cases a System Error screen is now shown instead of an incomplete screen.

Authentication Cloud

  • PAT-247: The new Authentication Cloud patterns do not send an extra ping request to Authentication Cloud to validate the configuration.
  • ⚠️ PAT-298: Removed Authentication Cloud pattern.
    • Use the new Authentication Cloud Login and Authentication Cloud Onboarding patterns instead.
  • PAT-302: Added On Abort exit to Authentication Cloud patterns.
  • PAT-303: Added Authentication Cloud Lookup pattern.

User behavior analytics

  • NEVISDETECT-1603: Updated the nevisAdapt project templates for K8s deployment.
  • NEVISDETECT-1683: Fixed Oracle JDBC driver could not be found issue.

Patterns 4.18.3 Release Notes - 2023-05-04

Release information

Build Version: 4.18.3.16

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2023 Feb.

Enter the version in the Search field: 4.18.3.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

SAML / OAuth / OpenID Connect

  • PAT-254: Fixed SAML SP Connector to set the property out.post.relayStateEncoding to HTML when http-post is selected for Outbound Binding.

FIDO2 / Passwordless

  • ⚠️ IDC-2999: The FIDO2 Onboarding pattern now renders a welcome screen.
  • PAT-325: Support usage of Dispatcher Button patterns in FIDO2 Onboarding.

Mobile Authentication

  • PAT-313: Fixed Out-of-band Device Management App to not set InterceptionRedirect to never in the IdentityCreationFilter of the assigned realm.
  • PAT-321: Made In-band Mobile Registration more flexible. Now any realm can be assigned and the non-mobile authentication flow can be disabled.
  • PAT-336: Fixed Usernameless Out-of-band Mobile Authentication so that the pattern can be used as the first step of an authentication flow.

Authentication Cloud

  • PAT-326: Added a retry button to Authentication Cloud Onboarding.

Patterns 4.18.2 Release Notes - 2023-03-27

Release information

Build Version: 4.18.2.12

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2023 Feb.

Enter the version in the Search field: 4.18.2.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

Authentication

  • PAT-280: Added missing password for Default Backend Trust Store of nevisAuth Instance.
  • PAT-267: Removed open port check for default nevisLogrend instance.

Identity Management

  • PAT-245: Improved Generic nevisIDM Instance Settings so it can handle empty values.

SAML / OAuth / OpenID Connect

  • PAT-278: Add Custom Properties setting to OAuth 2.0 Authorization Server pattern.

  • PAT-277: New experimental Access Token Consumer step.

  • ⚠️ PAT-274: Protection against XML Signature Wrapping (XSW) attacks. By default, the SAML IDP now signs the entire SAML Response.

    This is a breaking change. You have to adapt the configuration of your SAML service providers (SPs) to validate the signature of the Response. If this is not possible, you can opt out of this change by selecting Assertion in the Signed Element drop-down of the SAML SP Connector. If only the Assertion is signed, your setup may be vulnerable to XSW attacks.

    We recommend checking whether your SP applies appropriate mitigations. If you are using a Nevis SP, upgrade to the latest applicable version of nevisAuth to benefit from additional checks in the ServiceProviderState. Check the release notes of nevisAuth for details. In Kubernetes deployments you have to set the Docker image version in the inventory to use the new nevisAuth version.

    To easily configure which signatures are validated on the SP side, we have added a Signature Validation drop-down to the SAML IDP Connector pattern. Its default is both, which means that the signatures of both the Response and the Assertion are checked. This is in line with the change of the default on the IDP side. If you cannot enable Response signing on the IDP side, you can opt out of this change by setting the drop-down to Assertion.
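The structural check an SP needs on top of signature verification is shown in the following added Python example (not nevisAuth's ServiceProviderState). It assumes an XML-DSig library has already verified the signature bytes and canonicalisation; what it demonstrates is the binding step that XSW exploits, a strict consumer next to a naive one, with the both / Assertion choice modelled after the Signature Validation drop-down. The three messages are constructed, carry dummy SignatureValue content, and all function names are hypothetical.

```python
"""Binding the consumed SAML Assertion to the signed element (added example)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RESPONSE = f"{{{SAMLP}}}Response"
ASSERTION = f"{{{SAML}}}Assertion"
NAMEID = f"{{{SAML}}}Subject/{{{SAML}}}NameID"
REFERENCE = f".//{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference"
HDR = f'xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"'


def sig(uri):
    """Placeholder enveloped signature; only the Reference URI matters here."""
    return (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{uri}"/></ds:SignedInfo>'
            '<ds:SignatureValue>dummy</ds:SignatureValue></ds:Signature>')


def assertion(aid, user, signed=False):
    return (f'<saml:Assertion ID="{aid}">{sig(aid) if signed else ""}'
            f'<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject></saml:Assertion>')


# Constructed samples: the new IDP default (whole Response signed), the old
# default (only the Assertion signed), and an XSW attempt that hides the
# genuinely signed Assertion in Extensions and places a forged one, reusing
# its ID, where the SP expects the Assertion.
RESPONSE_SIGNED = f'<samlp:Response {HDR} ID="r1">{sig("r1")}{assertion("a1", "alice")}</samlp:Response>'
ASSERTION_SIGNED = f'<samlp:Response {HDR} ID="r2">{assertion("a1", "alice", True)}</samlp:Response>'
WRAPPED = (f'<samlp:Response {HDR} ID="r3"><samlp:Extensions>{assertion("a1", "alice", True)}'
           f'</samlp:Extensions>{assertion("a1", "admin")}</samlp:Response>')


def strict_consume(xml, signed_element="both"):
    """Return ("ok", NameID) or ("reject", reason).

    signed_element mirrors the Signature Validation drop-down: "both"
    requires the Response itself to be signed; "assertion" also accepts
    a signature on the consumed Assertion alone.
    """
    root = ET.fromstring(xml)
    if root.tag != RESPONSE:
        return ("reject", "not a samlp:Response")
    by_id = {}
    for el in root.iter():
        i = el.get("ID")
        if i is None:
            continue
        if i in by_id:
            return ("reject", f"duplicate ID {i}")      # tell-tale of wrapping
        by_id[i] = el
    signed = []
    for ref in root.findall(REFERENCE):
        target = by_id.get(ref.get("URI", "").lstrip("#"))
        if target is None:
            return ("reject", "Reference URI does not resolve")
        signed.append(target)
    response_signed = any(e is root for e in signed)
    if signed_element == "both" and not response_signed:
        return ("reject", "Response is not signed")
    direct = [c for c in root if c.tag == ASSERTION]
    if len(direct) != 1:
        return ("reject", f"expected one Assertion under Response, found {len(direct)}")
    consumed = direct[0]
    # The element we act on must be the signed element itself, or be covered
    # by a signature over the whole Response.
    if not (response_signed or any(e is consumed for e in signed)):
        return ("reject", "consumed Assertion is not the signed element")
    return ("ok", consumed.findtext(NAMEID))


def naive_consume(xml):
    """A vulnerable SP: trust the DSig verdict on the referenced element, then
    read whatever Assertion sits under the Response without checking that the
    two are the same element."""
    root = ET.fromstring(xml)
    refs = [r.get("URI", "").lstrip("#") for r in root.findall(REFERENCE)]
    if not any(root.get("ID") == i or root.find(f".//*[@ID='{i}']") is not None for i in refs):
        return None
    first = root.find(ASSERTION)
    return None if first is None else first.findtext(NAMEID)


if __name__ == "__main__":
    for name, msg in [("response-signed", RESPONSE_SIGNED),
                      ("assertion-signed", ASSERTION_SIGNED), ("wrapped", WRAPPED)]:
        print(name, "strict/both:", strict_consume(msg), "naive:", naive_consume(msg))
```

With the drop-down left at both, the Assertion-only message is rejected outright, which is the breaking behaviour described above; with Assertion selected it is accepted, but the wrapped message is still refused because the consumed element is not the one the signature covers.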

Authentication Cloud

  • IDC-2913: New experimental Authentication Cloud Onboarding pattern.
  • IDC-2897: Various improvements to the scripts of the Authentication Cloud patterns.
  • PAT-247: Removed a ping call which is not required.

Patterns 4.18.1 Release Notes - 2023-03-01

Release information

Build Version: 4.18.1.16

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2023 Feb.

Enter the version in the Search field: 4.18.1.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

This pattern release contains several changes for the Authentication Cloud pattern.

General

The following changes affect multiple components.

  • PAT-231: We fixed an issue that caused Kubernetes deployments to fail when database patterns were used with Database Management set to disabled.

Authentication

  • PAT-227: We fixed an issue with the User Input pattern which can lead to an exception during cookie parsing.

Mobile Authentication

  • PAT-225: We improved the pattern help of the Out-of-band Mobile Device Registration pattern.
  • PAT-236: We adapted the JavaScript used by Out-of-band Mobile Authentication when Channel is set to Link / QR-Code so that it no longer renders a device list.
  • PAT-237: We fixed the failed push dispatching for Out-of-band Mobile Authentication pattern.
  • PAT-238: Ensured that security features enabled for applications with Frontend Path set to / do not break the APIs provided by nevisFIDO for FIDO UAF.
  • PAT-241: Ensure nevisFIDO is accessible on /auth/fidouaf/authenticationresponse/.
    • This path is used by old apps and will be removed in a future release.
  • PAT-242: We fixed the missing notification when using push dispatching for Out-of-band Mobile Authentication.
    • New label mobile_auth.push added with defaults translations. You can change them in the realm pattern.

Authentication Cloud

  • PAT-244: Use new nevisAuth HTTP client in the Authentication Cloud pattern.

  • PAT-224: We added support for authentication via QR code to the Authentication Cloud pattern.

    • This pattern now has a drop-down Authentication Type to choose how to interact with the user.
    • The QR code is rendered on client side using a JavaScript library (loaded by js_end.vm).
    • This QR code can also be scanned with the camera app and supports installation of the access app.
  • PAT-208: We cleaned up JavaScript and Groovy script used by Authentication Cloud pattern.

    • ⚠️ These changes are breaking if you are using your own login template. Adapt your template as follows:
      • Download the default template in the Authentication Realm, unpack the zip and compare the following files:
        • js_end.vm (includes the JavaScript files)
        • authcloud.js (the new JavaScript expects HTML elements with ID info and error to display status messages)
  • PAT-208: The Authentication Cloud pattern now provides translations for status messages in the 4 default languages (EN, DE, FR, IT).

    • Check the deployment preview and adapt the texts as required in the realm pattern.
  • PAT-208: The Authentication Cloud pattern now shows status messages underneath the title.

  • PAT-208: The Authentication Cloud pattern now has a setting to configure the label used for the title.

  • PAT-208: The Authentication Cloud pattern now has settings for separate configuration of Access Key and Instance ID.

nevisAdmin 4.18.0 Release Notes - 2023-02-15

Release information

  • RPM: nevisadmin4-4.18.0.10-1.noarch.rpm
  • GUI Version: FE 4.18.0-869 - BE 4.18.0.10

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Main improvement

  • NEW: Managing users, user permissions and groups is now possible in nevisAdmin 4 UI. (NEVISADMV4-8014)
  • NEW: New info filter option is added to filter the patterns with info messages. (NEVISADMV4-8563)
  • NEW: Added an option to comply with the restricted Pod Security Standard when deploying to Kubernetes. For more information see: Inventory YAML file format (NEVISADMV4-8905)

Notable changes and bug fixes

  • NEW: We added an optional force parameter to the REST endpoint that performs inventory updates from Git. When set to true, the inventory is updated to match the remote, even in cases where the remote git history was overwritten by force. (NEVISADMV4-8820)
  • IMPROVED: Project and Inventory settings screens are improved with standard project and inventory selector. (NEVISADMV4-8795)
  • IMPROVED: nevisAdmin 4 will no longer apply any default pod resource limits to resources that have a custom resource block defined for them in the inventory. (NEVISADMV4-8782)
  • IMPROVED: Publishing projects is now faster. (NEVISADMV4-8819)
  • IMPROVED: Improved performance of the Kubernetes deployment preview by optimizing git checkouts. (NEVISADMV4-8822)
  • IMPROVED: Improved the capabilities of the PUT /api/v1/permissions endpoint. Now it can assign project/inventory permissions globally, or on tenants. It can also assign tenant permissions globally. (NEVISADMV4-8858)
  • IMPROVED: Bulk deleting patterns is now faster. (NEVISADMV4-8864)
  • IMPROVED: Reduced the size of the database migration docker image by removing unused drivers. (NEVISADMV4-8874)
  • IMPROVED: Inventory constants and global constants can now also be used in the YAML keys of inventories. (NEVISADMV4-8901)
  • FIXED: If an LDAP user was not a member of any LDAP groups, then the group synchronization did not run upon user login. This issue is now fixed. (NEVISADMV4-4800)
  • FIXED: Projects can no longer be deleted when they are being deployed. (NEVISADMV4-8440)
  • FIXED: Project validation was sometimes skipped after deleting pattern(s) or uploading/modifying files in attachment input fields, if the related pattern's type could not be loaded. This no longer happens. (NEVISADMV4-8791)
  • FIXED: Fixed an issue where the VIEW_SECRET_CONTENT_INVENTORY operation was not automatically granted to the inventory creator. (NEVISADMV4-8856)
  • FIXED: Fixed an issue where you could create multiple users with the same ID by sending the user creation requests very quickly in succession. (NEVISADMV4-8868)
  • FIXED: Using a private key with a passphrase caused the Kubernetes deployment to fail. (NEVISADMV4-8853)
  • FIXED: Fixed an issue causing key-values defined in the inventory to be displayed as [object Object] on the variables page.
  • FIXED: Changed PUT /api/v1/groups/{groupKey} API to take the groupKey from the path variable instead of the request body. (NEVISADMV4-8937)

Dependency upgrades

  • Jackson 2.14.1 (NEVISADMV4-8690)
  • Springdoc-openapi-ui 1.6.13 (NEVISADMV4-8690)
  • Snakeyaml 1.33 (NEVISADMV4-8690)
  • Jaxb-runtime 2.3.7 (NEVISADMV4-8690)
  • Slf4j-api 2.0.4 (NEVISADMV4-8690)
  • Logback-classic 1.3.5 (NEVISADMV4-8690)
  • Commonmark 0.21.0 (NEVISADMV4-8690)
  • Spring dependency-management-plugin 1.1.0 (NEVISADMV4-8690)
  • Spring-security 5.8.0 (NEVISADMV4-8690)
  • Mariadb-java-client 2.7.7 (NEVISADMV4-8690)
  • Apache-el 10.1.1 (NEVISADMV4-8690)
  • Shiro 1.11.0 (NEVISADMV4-8912)
  • Nimbus-jose-jwt 9.25.6 (NEVISADMV4-8690)
  • Kubernetes-java-client 16.0.2 (NEVISADMV4-8690)
  • Micrometer 1.10.1 (NEVISADMV4-8690)

Patterns 4.18.0 Release Notes - 2023-02-15

Release information

Build Version: 4.18.0.24

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2023 Feb.

Enter the version in the Search field: 4.18.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

The following changes affect multiple components.

  • PAT-148: Ensure files produced by automatic key stores and trust stores in classic deployment have proper permissions, owner, and group.

  • ⚠️ PAT-138: Removed settings and patterns which have been declared as deprecated and produced warning issues.

    • Removed the setting Compat Level in nevisAuth Instance.
    • Removed settings which used a text box when there is a corresponding file upload.
  • ⚠️ PAT-118: New Database patterns for all Nevis components which use a database.

    • You can now use the same pattern for classic (VM) and Kubernetes deployments.
    • The drop-down Session Management in Advanced Settings can be set to disabled to opt out of automatic DB schema setup and migration.
    • The existing database patterns have been removed. Adapt your pattern configuration by using the new patterns.
    • The technical property name for assigning the Database pattern has been adapted in:
      • nevisAuth Instance
      • nevisAdapt Instance
      • nevisFIDO UAF Instance
      • nevisDetect Persistency Instance
  • PAT-177: Improved type tolerance of key-value style settings when loading from a variable.

    • It is not required any more to put quotes around boolean and numeric values.
    • For instance, the following variable definition is now valid:
      my-var:
        - some-key: 100
  • PAT-158: Fixed an issue with the validation of host names (length limitation).

Application Protection

  • PAT-169: Fixed usage of full URLs in Root URL Redirect of the Virtual Host pattern.
  • PAT-161: Fixed nevisProxy minimal version check for ModSecurity Core Rule Set to only apply when deploying a nevisProxy Instance.
  • NEVISPROXY-6376: New Securosys Key Store pattern.
    • For now this pattern can be used in nevisProxy only. Use in Virtual Host patterns for the Frontend Key Store.
    • Upload valid configuration files from a working set up.
    • In on-premise setups, the library has to be installed manually; for nevisAppliance, the target system should be upgraded.
  • PAT-161: Fixed nevisProxy version check in classic deployment.
  • NEVISPROXY-6257: The servlet mapping elements in the web.xml of nevisProxy are now sorted.
  • NEVISPROXY-6270: Added new HTTP/2 category for Virtual Host pattern and added new Early Hints parameter.

Authentication

  • PAT-171: Adapted nevisAuth Database pattern for new MariaDB JDBC driver used in nevisAuth.
  • PAT-143: nevisAuth Log Settings now has the following default Log Levels:
    • EsAuthStart = INFO: prints messages during startup
    • org.apache.catalina.loader.WebappClassLoader = FATAL
    • org.apache.catalina.startup.HostConfig = ERROR
  • PAT-138: Fixed an issue in the Generic Authentication Step pattern when the step is assigned in multiple places.
  • PAT-201: Improvements for the User Input pattern.
    • Fix encoding issues when entering special characters.
    • Cache the input in the session in case a cookie has to be returned for the Remember Input feature.
  • ⚠️ PAT-174: Adapted the generation of configuration for the nevisAuth session store to be compatible with the new nevisAuth version (4.38).
    • Upgrade nevisAuth as otherwise the instance won’t start.
  • ⚠️ PAT-165: Adapted the generation of key stores and trust stores for outgoing TLS connection in nevisAuth.
    • nevisAuth now supports using separate key material for all these connections and can fall back to the system trust store in the JDK.
    • The SwissPhone Connection pattern has been adapted accordingly.
    • If you are using Generic Authentication Step or Groovy Script Step, and you have outgoing TLS connections then you may have to adapt your configuration.
      • Details can be found in the nevisAuth release notes.
      • If a suspicious property name is generated, the patterns will produce a warning issue.
        • If this check produces a false positive it is safe to ignore.
        • The check has been implemented to help with the migration and will be removed again in a future release.
  • ⚠️ PAT-192: The recommended option in the Synchronize Sessions drop-down in the nevisAuth Database pattern now behaves like the option always in both classic and Kubernetes deployment.
    • In previous releases (previous database patterns) the behavior of recommended was:
      • always in Kubernetes deployment
      • after-successful-authentication in classic deployments
    • This change can increase the number of sessions stored in the remote session store.
    • The benefit is that now the authentication can continue on another line, in case nevisProxy decides to send the user to a different line.
    • You can opt out of this change by selecting the option after-successful-authentication.
  • PAT-175: New experimental Role Check Step pattern.
    • You can use this pattern in authentication flows to make decisions based on roles.
    • Role-based access control is usually done in nevisProxy instead. Use the Authorization Policy pattern for that.
  • PAT-162: The JWT Token pattern has been extended with an option to set the kid header parameter.

Identity Management

  • PAT-153: The nevisIDM Administration GUI pattern now has Self Admin GUI set to enabled by default.
  • ⚠️ NEVISIDM-8595: The nevisIDM Instance pattern now validates the length of the configured Encryption Key.
  • NEVISIDM-8480: The JDBC connection string generated by the nevisIDM Database pattern has been adapted to be compatible with the latest nevisIDM release.
  • PAT-142: Fixed nevisIDM Connector to not use settings from Kubernetes tab in a Classic deployment.
  • PAT-163: Added experimental nevisIDM Password Create pattern.
    • This pattern is experimental and will be improved in future releases.
  • PAT-163: Improved Email TAN and nevisIDM User Create patterns.
    • In combination with the Dispatcher Button and nevisIDM User Lookup these patterns may be used to build a simple self-registration flow.

Mobile Authentication

  • ⚠️ PAT-157: The JavaScript used by Out-of-band Mobile Authentication has been rewritten from scratch.
    • If you use a custom login template, adapt the template accordingly.
  • PAT-143: nevisFIDO Log Settings now has the following default Log Levels:
    • ch.nevis.auth.fido.application.Application = INFO: prints messages during startup
    • jcan.Op = INFO: 1 line for each request (incoming and outgoing)
  • PAT-172: New experimental pattern Usernameless Out-of-band Mobile Authentication.
    • The pattern shows a QR-code and/or link for mobile authentication. It is not required to enter any username.
  • ⚠️ PAT-198: New In-band Mobile Device Registration and Out-of-band Mobile Device Registration patterns.
    • The existing Mobile Device Registration pattern has been deprecated and will be removed in May 2023.
    • Use one of the new patterns instead. Check the help of the two new patterns to find out which one fits your use case.
  • ⚠️ PAT-198: Improved the Mobile Device Deregistration pattern.
    • The technical property name used for Authentication Realm has changed. Assign your In-band Mobile Authentication Realm to the new setting instead.
    • The help text has been rewritten to make clear which APIs are exposed.
  • ⚠️ PAT-196: The Out-of-band Device Management App has been simplified.
    • This pattern is provided for demo purposes only. If you want to do mobile device management in production you should implement your own application.
    • The pattern help has been improved. It now documents which API calls the example application makes and how the required endpoints may be provided.
    • The FIDO Settings and Userinfo Settings tabs have been removed.
    • The pattern does not automatically expose the required APIs anymore. Instead, you now have to configure additional patterns as described in the help.

SAML / OAuth / OpenID Connect

  • PAT-59: Set default value for Setup ID in OAuth 2.0 Authorization Server/OpenID Connect Provider
    • Newly created nevisMeta instances will contain this setup by default. Existing nevisMeta instances are not affected.
  • PAT-86: Added Assertion Consume URL Validation setting.
  • PAT-206: The OAuth 2.0 Authorization Server / OpenID Connect Provider now ensures that CSRF protection from applications running on parent paths is not inherited, as that would break basic flows.
  • PAT-82: Extended SAML SP Realm and IDP Connector with encryption settings.
  • PAT-139: Fixed wrong error message when Social Login Create User was reused.
  • PAT-140: Support reuse of the following patterns:
    • Social Login Create User
    • Social Login Link User
    • Social Login Done

nevisAdmin 4.17.1 Release Notes - 2023-03-09

Release information

  • RPM: nevisadmin4-4.17.1.0-1.noarch.rpm
  • GUI Version: FE 4.17.0-805 - BE 4.17.1.0

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • FIXED: We ensured, that generated JKS/PKCS12 contains all provided PEM certificates. (NEVISADMV4-9041)

nevisAdmin 4.17.0 Release Notes - 2022-11-16

Release information

  • RPM: nevisadmin4-4.17.0.14-1.noarch.rpm
  • GUI Version: FE 4.17.0-805 - BE 4.17.0.14

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

  • The pattern key-value property is changed to separate key-value pair fields, and no longer supports separators, that is = , : , ->. If the legacy property already contains a value, you have to migrate it to a new format. For more details, see Editing Pattern Fields (NEVISADMV4-6823)

Main improvement

  • NEW: You can now initiate a nevisAdmin 4 upgrade on Azure from nevisAdmin 4 UI. This is only available for new installations using the November version of the Azure deployment automation. See Azure deployment automation for detailed instructions. (NEVISADMV4-8543)
  • NEW: We improved the UX of the screen navigation and actions menu. You can now access the screens from the navigation menu and the settings of the projects, and inventories from the Configuration and Infrastructure tabs. The Resources tab is introduced, which contains the global resources. (NEVISADMV4-8538)
  • NEW: The pattern key-value property is changed to separate key-value pair fields. For more details, see Editing Pattern Fields. (NEVISADMV4-8630)
  • NEW: We added Helm chart for installing nevisAdmin 4 on Kubernetes. (NEVISADMV4-6823)

Notable changes and bug fixes

  • NEW: We added an optional force parameter to the REST endpoint that performs project updates from Git. When set to true, the project is updated to match the remote, even in cases where the remote git history was overwritten by force. (NEVISADMV4-8610)
  • NEW: Pod topology spread constraints can now be configured for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-8613)
  • NEW: Memory based autoscaling can now be configured for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-8614)
  • NEW: We added the command line argument --enable-leader-election to nevisOperator. If leader election is enabled, nevisOperator can be used with multiple replicas. (NEVISADMV4-8764)
  • IMPROVED: In case one or more custom resources failed to deploy during Kubernetes deployments, only those will be reported as failed, instead of all custom resources that were deployed to the given service. (NEVISADMV4-7853)
  • IMPROVED: nevisAdmin 4 no longer leaves the deployment targets in an inconsistent state if it is shut down while a deployment is still in progress. (NEVISADMV4-8224)
  • IMPROVED: You can now disable Generic Deployment patterns in Kubernetes deployments. (NEVISADMV4-8503)
  • IMPROVED: We added support for secret references in the GitCredentials resource. For more information see: GitCredentials file format (NEVISADMV4-8686)
  • FIXED: The publish modal could run into an error when publishing the deletion of a pattern copied into this project. The issue is now fixed. (NEVISADMV4-8488)
  • FIXED: Creating an empty inventory sometimes resulted in a stacktrace being logged. This no longer happens. (NEVISADMV4-8707)
  • FIXED: The REST endpoint for listing patterns now correctly includes meta information when the meta parameter is set to true. (NEVISADMV4-8709)
  • FIXED: The CertificateRequest is now created by nevisOperator in the same namespace where the cert-manager Issuer resides. This makes it possible to use an Issuer from a different namespace. (NEVISADMV4-8737)
  • FIXED: A NullPointerException was caused by unrelated README.md changes during project update. (NEVISADMV4-8776)

Patterns 4.17.0 Release Notes - 2022-11-16

Release information

Build Version: 4.17.0.24

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2022 Nov.

Enter the version in the Search field: 4.17.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Several changes are included in the 4.16.1, 4.16.2, and 4.16.3 intermediate releases. Check the corresponding release notes.

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

The following changes affect multiple components.

  • ⚠️ PAT-75: Added a new widget for map-like settings.
    • Existing configuration must be migrated. Warning issues will be generated for patterns that require attention.
    • The widget will guide you through the migration steps when you visit the pattern. By saving the pattern you complete the migration.
    • In some places several separators were allowed (->, :, =) in previous releases. The old widget used the same parsing order for all lines, so some separators had to be used the "wrong way round"; often, the order of -> was wrong.
    • The new widget fixes this problem. It imports existing data using a proper, "natural" reading order (value -> key, key = value, key : value). In some cases this can lead to invalid configuration.
    • Double-check carefully how the migration has interpreted your existing configuration, as you may have to switch the left and right side in some cases.
  • NEVISPROXY-6260: Added new setting Hostname Validation to the following patterns:
    • nevisAdapt REST API
    • nevisDetect Administration GUI
    • nevisDetect Persistency REST API
    • nevisIDM Administration GUI
    • nevisIDM REST Service
    • nevisIDM SOAP Service
    • nevisMeta Web Console
    • REST Service
    • SOAP Service
    • Web Application
  • PAT-41: Image version parsing now uses Long instead of Integer to be able to parse long version numbers.
  • PAT-28: Improve minimum version checks for Kubernetes deployment.
    • The setting Enforce Target Version in Instance patterns has been renamed to Check Minimum Version.
    • You can now enable / disable all minimum version checks with this drop-down.
  • PAT-53: Improved cleanup of rotated log files.
    • Changed the glob expression filename.* to a regex expression to avoid that files which have not been created by the component (e.g. backups or compressed rotated logs) are removed.
  • PAT-67: Various improvements to automatic key management in classic deployment:
    • nevisAuth Backend Trust Store now trusts nevisIDM Frontend Key Store instead of falling back on the nevisAdmin 4 CA.
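The PAT-75 migration above reads legacy lines in a fixed direction per separator. The following script is an added example, not code from nevisAdmin 4 or the pattern library: it applies the reading order quoted in the release note (value -> key, key = value, key : value) to a constructed legacy text box and flags the lines a practitioner should double-check. The precedence used when a line contains more than one separator kind (-> before = before :), the comment handling and the attribute names are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Separator kinds from the release note. The order here is the precedence this example
# assumes when one line contains more than one kind; the release note does not state it.
SEPARATORS = ("->", "=", ":")


def parse_legacy_line(line: str) -> Tuple[str, str]:
    """Read one line of the old text widget and return (key, value).

    Follows the "natural" reading order quoted in PAT-75:
    'value -> key', 'key = value', 'key : value'. Only the first occurrence of the
    chosen separator splits the line, so values such as URLs keep their own ':'.
    """
    for sep in SEPARATORS:
        if sep in line:
            left, right = (part.strip() for part in line.split(sep, 1))
            if sep == "->":
                return right, left          # arrow: the left side is the value
            return left, right              # '=' and ':': the left side is the key
    raise ValueError(f"no separator in line: {line!r}")


def is_ambiguous(line: str) -> bool:
    """True when two or more separator kinds occur; such lines need a manual check."""
    return sum(sep in line for sep in SEPARATORS) > 1


def migrate(legacy_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Convert a whole legacy text box into a key-value map plus review warnings."""
    mapping: Dict[str, str] = {}
    warnings: List[str] = []
    for raw in legacy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment line
            continue
        key, value = parse_legacy_line(line)
        if is_ambiguous(line):
            warnings.append(f"check manually: {line!r} read as key={key!r} value={value!r}")
        if key in mapping:
            warnings.append(f"duplicate key {key!r}: {mapping[key]!r} replaced by {value!r}")
        mapping[key] = value
    return mapping, warnings


# Constructed sample of a legacy text box; the attribute names are illustrative only.
LEGACY_TEXT = """\
# attribute mapping entered with mixed separators
user.email -> mail
givenName = user.firstName
sn : user.lastName
logoutUrl = https://idp.example.test/logout
"""

if __name__ == "__main__":
    result, notes = migrate(LEGACY_TEXT)
    for k, v in result.items():
        print(f"{k} = {v}")
    for note in notes:
        print("WARNING:", note)
```

The last sample line is the case the release note warns about: it contains both = and :, and only the precedence decides that the URL stays intact as the value. Lines like that are exactly the ones to verify after the widget has imported them.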

Application Protection

  • NEVISPROXY-6396: Changed the default HTTP/2 support to disabled in the Virtual Host pattern.
    • There are incompatibilities with certain mod_qos directives.
  • PAT-62: Always set Secure flag on proxy session cookies.
    • Having a session on nevisProxy when accessing via plain HTTP is not supported anymore.
  • ⚠️ PAT-107: Added OWASP ModSecurity Core Rule Set version 3.3.4 to the available options in the Virtual Host patterns.
    • This is the new default version, and it requires nevisProxy 5.4.0 (November 2022) or newer.
    • We recommend using version 3.3.4, but you can still choose one of the previous versions.
  • ⚠️ PAT-36: Added new setting Remote Session Store in the Virtual Host pattern.
    • Use this new setting instead of Additional Resources.
  • PAT-36: Prevent invalid assignments:
    • Generic Application Settings to Virtual Host pattern.
    • Generic Virtual Host Settings to application patterns.
  • PAT-2: Added new settings Content-Type Mode and Content-Types in the HTTP Error Handling pattern.
  • PAT-120: Added new setting Keep Security Headers to the HTTP Error Handling pattern.
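PAT-62 above makes the Secure flag unconditional on proxy session cookies, and Patterns 4.16.0 (NEVISADMV4-8429, further down) made SameSite=None the default; a SameSite=None cookie without Secure is dropped by current browsers, so the two belong together. The following audit is an added example, not code from nevisProxy or the patterns: it reads the Set-Cookie lines of a raw HTTP response and reports the attribute combinations that would break or weaken a session. The response block and cookie names are constructed for the example.

```python
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header_value: str) -> List[str]:
    """Return the findings for one session cookie; an empty list means it is acceptable."""
    attrs = parse_set_cookie(header_value)["attrs"]
    secure = "secure" in attrs
    samesite = str(attrs.get("samesite", "")).lower()
    findings = []
    if not secure:
        findings.append("missing Secure: the browser also sends the cookie over plain HTTP")
    if samesite == "none" and not secure:
        findings.append("SameSite=None without Secure: current browsers drop the cookie")
    if samesite == "":
        findings.append("missing SameSite: the browser default (Lax) applies")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page script can read the session cookie")
    return findings


def audit_response(raw_headers: str) -> Dict[str, List[str]]:
    """Run the audit over every Set-Cookie line of a raw HTTP response header block."""
    report: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() == "set-cookie":
            report[parse_set_cookie(value)["name"]] = audit_session_cookie(value)
    return report


# Constructed response: one legacy cookie, one with the SameSite=None default but no Secure
# flag, and one set the way the patterns now generate it.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: LEGACY=0123abcd; Path=/; HttpOnly
Set-Cookie: SESSION=0123abcd; Path=/; HttpOnly; SameSite=None
Set-Cookie: HARDENED=0123abcd; Path=/; Secure; HttpOnly; SameSite=None
Content-Type: text/html
"""

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against the headers captured from your own virtual host after the upgrade: every session cookie should come back without findings, and any that still lacks Secure points at a path that is served over plain HTTP, which the note above says is no longer supported.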

Authentication

  • PAT-56: Removed unused mermaid.min.js.
  • PAT-135: Generate the attribute idPregenerate with value true.
    • Required for use cases where the nevisAuth session ID needs to be known before AUTH_DONE.
  • PAT-40: Improved validation of Transform Variables step.
  • PAT-96: Generate KeyObject DefaultSignerTrust for SecToken validation in nevisAuth.
    • nevisAuth validates the SecToken received from nevisProxy when a stepup occurs.
    • In some setups that SecToken may have been signed by a different key store (e.g. a second line of nevisAuth or after cert rollover).
    • In such setups an additional KeyObject will now be generated to ensure the SecToken can be validated.
  • PAT-99: Basic support for showing a Gui with AUTH_CONTINUE in Groovy Script Step.
  • PAT-117: Added setting Language Cookie Name in Authentication Realm pattern.

Adaptive Authentication

  • PAT-39: Fixed data source issues for nevisAdapt Persistency and nevisDetect Persistency.

Identity Management

  • ⚠️ PAT-52: Migrated nevisIDM Authorizations pattern to be file based to avoid size restrictions.
  • PAT-38: Extended the nevisIDM Prune History Job pattern with a setting for the SkipList property.
  • PAT-115: Fixed trust association between SecToken Signer Trust Store in nevisIDM Instance and Signer Key Store of Nevis SecToken patterns.

SAML / OAuth / OpenID Connect

  • PAT-122: Allow handling the unlock method using Custom Pre-Processing of SAML SP Realm.
  • ⚠️ PAT-57: Changed default paths in OAuth 2.0 Authorization Server / OpenID Connect Provider.
    • Changed default paths to exact:/oauth/<name>. See help for details.
    • Changed /auth endpoint to /authorization based on RFC examples.
  • PAT-83: Support for checking Required Roles in the SAML SP Connector.
    • Roles are checked after taking care of the Minimum Required Authentication Level.
    • This is an advanced configuration. We recommend checking roles in your SAML SP instead, so that authentication and authorization are not mixed.
  • ⚠️ PAT-73: Refactored the Social Login patterns to avoid security issues when the user is not linked.
    • You have to upgrade your flows. See the pattern help for details.
  • NEVISAUTH-3677: Add custom exits to OAuth 2.0 Authorization Server / OpenID Connect Provider.
    • This is an advanced configuration. We cannot validate that your configuration makes sense.

Patterns 4.16.3 Release Notes - 2022-11-02

Release information

Build Version: 4.16.3.9

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2022 Aug.

Enter the version in the Search field: 4.16.3.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

The following changes affect multiple components.

  • PAT-102: The setting Regex Filter in Log Settings patterns is now also applied to Console appenders used in Kubernetes deployments.

Authentication

  • PAT-98: We made the lookup of client extId and user extId more reliable in various authentication step patterns.
  • PAT-99: We improved the Groovy Script Step so that you can now produce an AUTH_CONTINUE response to render a GUI.

FIDO2 / Passwordless

  • IDC-2464: We fixed an exception in FIDO2 Authentication and FIDO2 Onboarding steps.
  • PAT-93: We added a new setting On Cancel to the FIDO2 Authentication and FIDO2 Onboarding steps.
    • The error handling in these patterns is considered experimental and further changes are expected in upcoming versions.
    • We recommend testing onboarding and authentication with the expected devices carefully.
  • PAT-78: We added registration options to FIDO2 Onboarding.
  • PAT-92: We fixed a WARN message about maxLifetime in the nevisfido.log.

SAML / OAuth / OpenID Connect

  • ⚠️ PAT-109: The SAML IDP does not dispatch according to the last used SP anymore.
    • In IDP-initiated cases, the SP issuer has to be well-defined, see pattern help for details.

Patterns 4.16.2 Release Notes - 2022-10-07

Release information

Build Version: 4.16.2.8

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2022 Aug.

Enter the version in the Search field: 4.16.2.

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

The following changes affect multiple components.

  • PAT-90: We added a new setting Regex Filter to Log Settings patterns of Log4J2-based components.
    • If configured, messages matching the regular expression are not logged.
    • ⚠️ By default, log messages matching the following regular expression are not written for nevisLogrend anymore: .*GET /nevislogrend/health.*
  • PAT-74: Moved deployment type settings in Instance patterns into tabs:
    • Kubernetes tab: settings for deployment to Kubernetes
      • Liveness Delay
      • Readiness Delay
    • Classic tab: settings for deployment to VMs
      • Line Preference
      • Start Timeout
      • Memory Limit
      • Initial Memory Ratio
      • Instance Rename Detection
      • Start Inactive

Authentication

  • PAT-74: We added new settings Liveness Delay and Readiness Delay in nevisAuth Instance pattern.
    • If startup of nevisAuth times out in Kubernetes, you may have to increase the values.
    • These are experimental settings. Changes are expected in a future release.

SAML / OAuth / OpenID Connect

  • PAT-70: The SAML SP Connector / User Attributes setting now supports configuration of more than one attribute with the same value or expression.
  • PAT-71: We added a drop-down to SAML SP Connector to configure if and how the AudienceRestriction element is generated.
  • PAT-65: Various changes in SAML IDP to support customizing / overwriting SAML logout behavior:
    • We added a Custom Pre-Processing hook.
    • We added a drop-down to disable the Logout Configuration feature.
  • PAT-65: nevisLogrend was not reachable when using a sub-path of the Frontend Path(s) of the SAML IDP. We fixed the issue.

nevisAdmin 4.16.1 Release Notes - 2022-10-14

Release information

  • nevisAppliance: 2.202208.1010
  • RPM: nevisadmin4-4.16.1.0-1.noarch.rpm
  • GUI Version: FE 4.16.1-758 - BE 4.16.1.0

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • FIXED: Updating the value of a binary global secret or global file, such as a ZIP in Secret and Files resulted in no change. (NEVISADMV4-8597)

Patterns 4.16.1 Release Notes - 2022-08-31

Release information

Build Version: 4.16.1.3

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2022 Aug.

Enter the version in the Search field: 4.16.1

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

  • ⚠️ PAT-42: Various fixes to Log Settings patterns.
    • The new log format is: %d{ISO8601} [%thread] %-5level %logger{36} - %msg%n. In Kubernetes a prefix is added (no change).
    • We have removed %-4relative, changed %logger{35} to %logger{36} and added a -.
    • You can change the log format in the Advanced Settings tab of the corresponding Log Settings pattern.
  • ⚠️ PAT-26: Deprecated text boxes in patterns which support the same configuration by uploading a file.
  • PAT-13: Added time-based log rotation for components that use logback.
  • NEVISADMV4-8505: Add Start Inactive setting to Instance patterns.
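The log format introduced by PAT-42 above and the Regex Filter from Patterns 4.16.2 (PAT-90, below, whose default for nevisLogrend drops health-check requests) are easiest to understand with a parser run over sample lines. The following script is an added example, not code from any Nevis component: it parses lines in the new format and applies a filter regex to the message the way the setting does. The sample log lines, logger and thread names are constructed; accepting both the logback ('yyyy-MM-dd HH:mm:ss,SSS') and the log4j2 ('T'-separated) rendering of %d{ISO8601} is an assumption of this example, as is matching the filter against the whole message.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regex for '%d{ISO8601} [%thread] %-5level %logger{36} - %msg%n'.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}[,.]\d{3})"   # ISO8601, both renderings
    r" \[(?P<thread>[^\]]+)\]"
    r" (?P<level>[A-Z]+)\s+"                                      # %-5level pads short levels
    r"(?P<logger>\S+) - (?P<msg>.*)$"
)

# Default Regex Filter for nevisLogrend quoted in PAT-90.
DEFAULT_FILTER = r".*GET /nevislogrend/health.*"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None when the line is not in the new format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def process(lines: List[str], regex_filter: Optional[str]) -> Tuple[List[Dict[str, str]], int, int]:
    """Parse lines and drop events whose message matches the filter, as the Regex Filter
    setting does. Returns (kept events, number dropped, number of unparsable lines)."""
    rx = re.compile(regex_filter) if regex_filter else None
    kept: List[Dict[str, str]] = []
    dropped = unparsed = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        if rx is not None and rx.fullmatch(event["msg"]):
            dropped += 1
            continue
        kept.append(event)
    return kept, dropped, unparsed


# Constructed sample lines; logger and thread names are illustrative only. The last line
# is in an older format and shows what a parser built for the new format does with it.
SAMPLE_LOG = """\
2022-10-07 10:15:30,123 [http-nio-8080-exec-1] INFO  ch.example.logrend.Op - GET /nevislogrend/health 200
2022-10-07 10:15:31,004 [http-nio-8080-exec-2] WARN  ch.example.logrend.Op - GET /nevislogrend/login 500
2022-10-07T10:15:32,777 [main] ERROR o.a.c.startup.HostConfig - deployment of context failed
12345 [main] INFO old.format.Logger no dash here
"""

if __name__ == "__main__":
    events, dropped, unparsed = process(SAMPLE_LOG.splitlines(), DEFAULT_FILTER)
    print(f"kept={len(events)} dropped={dropped} unparsed={unparsed}")
    for e in events:
        print(e["ts"], e["level"], e["logger"], e["msg"])
```

Two practical points follow from the run: the unparsed count is the quick way to find collectors or SIEM parsers still expecting the old %-4relative prefix, and a Regex Filter is applied before the line is written, so a filter that is too broad silently removes evidence rather than just noise.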

Application protection

  • NEVISADMV4-8507: Fixed link to application patterns in Application Mapping Report.

Authentication

  • ⚠️ NEVISADMV4-6224: Improved authentication steps for OATH, for example, Google Authenticator.

Identity Management

  • PAT-45: Fixed a bug in the nevisIDM Password Login pattern. When fetching User Properties an invalid configuration was generated.

SAML / OAuth / OpenID Connect

  • PAT-20: Fixed a bug in the Social Login patterns (e.g. Google Login) which produced invalid ResultCond elements in some setups.
  • ⚠️ PAT-30: Removed Custom Pre-Processing hook in OAuth 2.0 Authorization Server / OpenID Provider pattern.
  • PAT-27: Ensure Default Session Upgrade Flow is used by OAuth 2.0 Authorization Server / OpenID Connect Provider pattern.
  • NEVISAUTH-3729: Improved the CORS Lua filter generated by OAuth 2.0 Authorization Server / OpenID Connect Provider pattern.
  • PAT-29: Added Key Store and Trust Store settings to nevisMeta Web Console.

User behavior analytics

  • PAT-39: Fixed various issues with the database connection.
  • NEVISDETECT-1575: Upgraded fingerprintjs v3 to 3.3.4.

nevisAdmin 4.16.0 Release Notes - 2022-08-17

Release information

  • nevisAppliance: 2.202208.1005
  • RPM: nevisadmin4-4.16.0.6-1.noarch.rpm
  • GUI Version: FE 4.16.0-714 - BE 4.16.0.6

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • NEW: Nevisadmin4 now supports login with SAML. (NEVISADMV4-8011)
  • NEW: You can now edit the content of an uploaded file from the pattern property, or in the Secret & Files and Certificates screens. (NEVISADMV4-8015)
  • NEW: You can now enter multi-line values when creating a global constant. (NEVISADMV4-8421)
  • NEW: Patterns to set up FIDO2 are available with the standard pattern libraries. (NEVISADMV4-8439)
  • IMPROVED: The deployment of a deleted project is better visualized, with more details in the Deployment History and Kubernetes Status screens. (NEVISADMV4-8324)
  • IMPROVED: You can now see who promoted or rolled-back the secondary deployment. (NEVISADMV4-8075)
  • IMPROVED: Ongoing deployments are now visualized better in the Deployment History and Kubernetes Status screens. (NEVISADMV4-8390)
  • IMPROVED: Improved the issue tooltip which is shown when hovering over the project status. (NEVISADMV4-7892)
  • IMPROVED: Display of the date and time format is improved, and shown as such: only time for today, date and time for the current year and full date format for the past year.
  • IMPROVED: We improved the Git HTTPS support for Kubernetes deployments. (NEVISADMV4-8409)
  • CHANGED: The SUPER_ADMIN permission no longer grants permission to create or modify users. Two new permissions are added for these purposes: CREATE_USER and MODIFY_USER. These new permissions are automatically granted to existing users with SUPER_ADMIN permission. (NEVISADMV4-8146)
  • FIXED: Wrong version number of the deployed services was displayed for the promoted deployment in case the secondary deployed version was higher than the primary version. This issue is now fixed. (NEVISADMV4-8396)
  • FIXED: Secrets were displayed as Unlinked in Secret and Files, if they were used in a global constant. (NEVISADMV4-8268)
  • FIXED: It is no longer possible to delete the local admin user through REST. (NEVISADMV4-8408)
  • FIXED: Kubernetes deployment failed if Azure DevOps repository was used. (NEVISADMV4-8377)
  • FIXED: The verify client option was always set to on when enabling client certificate authentication with Kubernetes deployment. (NEVISADMV4-8459)
  • UPGRADED: Various dependencies are upgraded.

Patterns 4.16.0 Release Notes - 2022-08-17

Release information

Build Version: 4.16.0.14

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2022 Aug.

Enter the version in the Search field: 4.16.0

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

If you are upgrading from the version included in the May 2022 release (4.15.0), also check the release notes for 4.5.1.

General

  • ⚠️ NEVISADMV4-8429: The SameSite flag is now set to None by default for nevisProxy session cookies.
  • NEVISADMV4-8298: We renamed several Key Store and Trust Store settings.
  • NEVISADMV4-8405: We added time-based log rotation to Log Settings pattern.
    • size-based rotation: %i
    • daily rotation: %d{yyyy-MM-dd}
    • hourly rotation: %d{yyyy-MM-dd-HH}
  • NEVISADMV4-8446: Boolean values from inventory variables are now handled in drop-downs with the compatible options showing:
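The rotation tokens listed under NEVISADMV4-8405 above (%i, %d{yyyy-MM-dd}, %d{yyyy-MM-dd-HH}) and the PAT-53 change in Patterns 4.17.0 (cleanup of rotated files now uses a regex instead of the glob filename.*, so backups and compressed copies are left alone) describe one mechanism, shown here as an added example that is not code from the patterns or from any Nevis component. It derives a regex from a rotation pattern and compares the old glob behaviour with the new one on a constructed directory listing. The file names, the supported token set and the natural-order sort used to decide which files are the newest are assumptions of this example.

```python
import re
from typing import List, Pattern


def rotation_regex(file_name_pattern: str) -> Pattern[str]:
    """Translate a logback/log4j-style file name pattern into a regex that matches only the
    files the rotation itself produces.

    Supported tokens are the ones listed in the release note: %i (size-based index) and
    %d{...} (date-based, e.g. yyyy-MM-dd or yyyy-MM-dd-HH). Every letter inside %d{...}
    becomes one digit; punctuation and all other text is matched literally.
    """
    parts, pos = [], 0
    for m in re.finditer(r"%d\{([^}]*)\}|%i", file_name_pattern):
        parts.append(re.escape(file_name_pattern[pos:m.start()]))
        if m.group(0) == "%i":
            parts.append(r"\d+")
        else:
            parts.append("".join(r"\d" if ch.isalpha() else re.escape(ch) for ch in m.group(1)))
        pos = m.end()
    parts.append(re.escape(file_name_pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def glob_candidates(names: List[str], base_name: str) -> List[str]:
    """The old behaviour: everything matching the glob '<base_name>.*' was a cleanup candidate."""
    return [n for n in names if n.startswith(base_name + ".")]


def _natural_key(name: str):
    # Split into digit and non-digit runs so that an %i index of 10 sorts after 9.
    return [int(tok) if tok.isdigit() else tok for tok in re.split(r"(\d+)", name)]


def cleanup_candidates(names: List[str], file_name_pattern: str, keep: int) -> List[str]:
    """The new behaviour: only files matching the component's own rotation pattern may be
    deleted, and the `keep` newest of them are retained."""
    rx = rotation_regex(file_name_pattern)
    rotated = sorted((n for n in names if rx.match(n)), key=_natural_key)
    return rotated[:-keep] if keep > 0 else rotated


# Constructed directory listing; the names are illustrative, not a real component's.
LISTING = [
    "component.log",                  # active log file
    "component.log.2022-10-05",
    "component.log.2022-10-06",
    "component.log.2022-10-07",
    "component.log.2022-10-06.gz",    # compressed afterwards by an operator
    "component.log.bak",              # manual backup
    "component.log.2022-10-07.orig",  # copy taken before a config change
]

if __name__ == "__main__":
    print("old glob would delete:", glob_candidates(LISTING, "component.log"))
    print("new regex deletes:    ", cleanup_candidates(LISTING, "component.log.%d{yyyy-MM-dd}", keep=2))
```

The difference matters for incident response: with the glob, the .gz and .orig copies an operator kept as evidence were deletable by the component, whereas the derived regex only ever touches files whose name the rotation itself could have produced.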

Application protection

  • NEVISADMV4-8445: The endpoints required for Kubernetes liveness and readiness checks are now exposed by a separate virtual host which is not exposed to the internet via the ingress.
  • ⚠️ NEVISPROXY-6256: The Hosting Service pattern is adapted. The underlying DefaultServlet is replaced by a FileReaderServlet to allow future improvements.
  • NEVISPROXY-6121: We added support for HTTP/2 front-end connections in nevisProxy, and introduced a new setting called HTTP/2 Support in the Virtual Host pattern.
  • NEVISPROXY-6213: We added the new JWT Access Restriction pattern to verify the JWT of incoming requests in nevisProxy Virtual Host without using nevisAuth.
  • NEVISADMV4-8164, NEVISPROXY-6252: We added a new setting to the Web Application, REST Service, and SOAP Service patterns called Custom Parameters.
  • NEVISPROXY-6114: We added a new parameter Conditional Log Levels to the nevisProxy Log Settings pattern.
  • NEVISADMV4-8383, NEVISPROXY-6251: The HTTP Error Handling pattern now supports uploading JSON files.
  • NEVISADMV4-8498: Generation now fails when the patterns demand a different servlet-name for the same servlet, instead of silently using the latest value.
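The JWT Access Restriction pattern (NEVISPROXY-6213 above) verifies the token of an incoming request at the proxy, and the JWT Token pattern later gained a kid header option (PAT-162 in Patterns 4.17.0); the kid is what lets the verifier pick the right key during a key rollover. The following is an added example in plain Python, not code from nevisProxy or the pattern library, of the checks such a verifier has to make: it signs an HS256 token carrying a kid, then verifies it against a fixed key map and rejects the classic bypasses (alg none, unknown kid, tampered payload, expired token). The key map, kid values and claims are constructed; the proxy's real key material comes from its configured key store.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


class JwtError(Exception):
    """Raised for any reason the token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict, kid: str, key: bytes) -> str:
    """Issue an HS256 token whose header names the signing key via 'kid'."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_hs256(token: str, keys: Dict[str, bytes], now: Optional[int] = None) -> Dict:
    """Verify a token at the proxy and return its claims.

    Rejects malformed tokens, any 'alg' other than HS256 (including 'none'), a 'kid' that
    is not in the configured key map, a bad signature and an expired 'exp'. The 'kid' is
    used only as a dictionary lookup, never to build a file path or URL.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, TypeError) as exc:
        raise JwtError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JwtError("malformed token")
    if header.get("alg") != "HS256":
        raise JwtError(f"unsupported alg {header.get('alg')!r}")
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in keys:
        raise JwtError("unknown kid")
    expected = hmac.new(keys[kid], f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtError("bad signature")
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise JwtError("expired")
    return claims


def check(token: str, keys: Dict[str, bytes], now: Optional[int] = None) -> str:
    """Return 'ok' or the rejection reason, the way an access-restriction filter would log it."""
    try:
        verify_hs256(token, keys, now)
        return "ok"
    except JwtError as exc:
        return str(exc)


# Constructed key map: kid -> shared secret. Two entries model a key rollover where tokens
# signed with the previous key are still accepted until they expire.
KEYS = {"2022-11": b"k1" * 16, "2022-05": b"k0" * 16}

if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "exp": 1_700_000_000}, "2022-11", KEYS["2022-11"])
    print(check(token, KEYS, now=1_600_000_000))   # ok
    print(check(token, KEYS, now=1_800_000_000))   # expired
```

The order of the checks is deliberate: the algorithm and the kid are validated before any cryptographic work, so an attacker-chosen header can neither switch the verifier to a weaker algorithm nor make it look up a key it was never configured with.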

Authentication

  • NEVISLOG-409: We fixed generic JSON rendering by nevisLogrend.
  • NEVISADMV4-8296: We improved the nevisAuth expressions that were generated when using the exact: prefix in Standalone Authentication Flow / Frontend Path(s).
  • ⚠️ We renamed several Gui descriptors. If you are using the Gui names in your Login Template, you have to adapt your .vm and .js files:
  • NEVISADMV4-8433: The Transform Variables Step now support clearing and removing variables.
  • NEVISADMV4-8372: We now support Unit Attributes and Unit Properties in nevisIDM Password Login pattern.
  • ⚠️ NEVISADMV4-8369: The nevisIDM Second Factor Selection now supports FIDO2 and recovery code credentials.
    • There is no REST endpoint for OTP credentials, and thus the userDto object is still used for this credential type.
    • We renamed the label method.tan.label to method.mtan.label.
    • We improved the default translations and help texts.
  • ⚠️ NEVISIDM-8211: The nevisIDM URL Ticket Consume pattern now shows a GUI with a label and a continue button before validating the ticket.

Identity Management

  • NEVISIDM-8139: It is now possible to preload a client into nevisIDM at startup with the new nevisIDM Client pattern.
  • NEVISIDM-8120: We reworked the Azure Service Bus pattern. It can now be used to set the following remote queues with the help of Azure Service Bus Remote Queue pattern(s):

SAML

  • NEVISADMV4-8051: We now ensure that automatic signers used by SAML SP Realm or SAML IDP have the correct name in Kubernetes deployments.
  • NEVISAUTH-3746: We changed how the SAML IDP dispatches incoming requests.
  • NEVISAUTH-3743: We introduced changes to SP Issuer and Audience Restriction of SAML SP Connector.
  • NEVISAUTH-3601: We added a setting Custom Transitions to SAML IDP Connector.
    • Use when you have to add or overwrite ResultCond elements in the ServiceProviderState.
    • An example use case is to apply custom error handling.

OAuth / OpenID Connect

  • NEVISMETA-1762: We added TLS configuration for nevisMeta Instance pattern with 3 options: requested, required, disabled.
  • NEVISMETA-1744: We added a new setting User Info Endpoint to OAuth 2.0 Authorization Server / OpenID Provider.
  • NEVISMETA-1750: We added a Terms of Service and Policy display for ConsentState.
  • NEVISMETA-1756: We added new advanced settings to the OAuth 2.0 Authorization Server / OpenID Provider:

Mobile authentication

  • NEVISADMV4-8471: We removed mauth_include.js.
  • NEVISADMV4-8419: We now use python3 for the startup check of the nevisFIDO Instance pattern.
  • NEVISFIDO-1639: We added On Cancel to the Out-of-band Mobile Authentication pattern.
  • NEVISADMV4-8364: We fixed the Continue button which is shown in Out-of-band Mobile Authentication, when the authentication is aborted in the mobile app.
  • NEVISADMV4-8388: We relaxed validation in mobile authentication patterns. For some cases, a simple info message is shown instead of a warning.

Authentication Cloud

  • NEVISADMV4-8471: We removed authcloud_include.js.

FIDO2

  • NEVISFIDO-1647: We added experimental patterns for FIDO2.
    • nevisFIDO FIDO2 Instance - It uses the same RPM and Docker image as nevisFIDO Instance but supports FIDO2 use cases only.
    • FIDO2 Authentication
    • FIDO2 Onboarding
    • nevisFIDO FIDO2 Log Settings
    • nevisFIDO FIDO2 Management App - It serves a simple HTML and JavaScript page, which shows how to do registration for FIDO2 WebAuthn. Do not use in production!
    • nevisFIDO FIDO2 REST Service - It exposes the FIDO2 related REST APIs provided by nevisFIDO on a nevisProxy Virtual Host, required by nevisFIDO FIDO2 Management App.
    • For now use Generic Authentication Step to configure FIDO2 WebAuthn authentication.

User behavior analytics

  • NEVISDETECT-1510: We added nevisAdapt Logout Connector as a nevisAdapt-related logout step (initiates session termination)
  • NEVISDETECT-1536: We added new URL property to nevisAdapt Instance for defining a page redirect after pressing a feedback report link
  • NEVISDETECT-1563: We added nevisAuth Instance reference to nevisAdapt Instance to enable reporting untrusted sessions

Patterns 4.15.1 Release Notes - 2022-07-01

Release information

Build Version: 4.15.1.8

How to install and use the plugins

You can download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2022 May.

Enter the version in the Search field: 4.15.1

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

  • NEVISADMV4-8312: We removed the invalid warning message “set 'Kubernetes' to 'other_namespace' or clear this property.”

Application protection

  • NEVISADMV4-8302: We resolved the warning that was raised when attempting to remove a non-existing filter-mapping.
  • NEVISADMV4-8348: We removed the deprecation warning for syslog forwarding for nevisProxy.
  • NEVISADMV4-8338: We fixed the error that occurred when using a variable for Lua Script in the Lua HTTP Processing pattern.
  • NEVISADMV4-8399: We added the missing reference for trust store / key store to NevisComponent Kubernetes resources when assigning an Automatic Trust Store or Automatic Key Store pattern for the connection to a backend server in SOAP Service, REST Service and Web Application patterns.

Authentication

  • NEVISADMV4-8385: ZIP files uploaded to Translations in realm patterns are now unpacked automatically.
  • NEVISADMV4-8370: We now support the configuration of Login Type in OATH Authentication pattern.
  • NEVISADMV4-8211: We introduced new experimental patterns nevisAuth Database and Managed nevisAuth Database.
  • NEVISADMV4-8305: We now support changing the title in User Information pattern.
  • NEVISADMV4-8297: We now support expression ${service.postfix} in Groovy Script Step. Use when referring to Kubernetes services deployed by the same project.
  • NEVISADMV4-8395: We now support ${var.name} expressions in Condition(s) of Dispatcher Step.

Mobile authentication

  • NEVISADMV4-8393: We prevented an exception during generation when assigning a non-automatic Key Store in the nevisIDM Connection tab of a nevisFIDO Instance.
  • NEVISADMV4-8398: We fixed the wrong name being referred to when using In-band Mobile Authentication Realm and assigning Automatic Key Store patterns to the nevisFIDO Instance.
  • NEVISADMV4-8291: We set max-text-length for transaction-confirmation in nevisFIDO to 2000.
  • NEVISADMV4-8400: We ensured that security features are activated for a Web Application running with Frontend Path, and do not block access to REST APIs exposed by Mobile Registration and Mobile Deregistration patterns.

Identity management

  • NEVISIDM-8149, NEVISADMV4-8311: We fixed nevisIDM Generic Batch Job pattern to work in combination with nevisIDM 2.85.x.
  • NEVISADMV4-8385: ZIP files uploaded to nevisIDM Instance / Custom Resources are now unpacked automatically. You can now configure a custom facing that requires subdirectories.

Federation

  • NEVISAUTH-3662: We fixed Google/Microsoft Social Login Pattern having wrong first/last name assignment.
  • ⚠️ NEVISADMV4-8359: We improved pre-processing hooks in authentication patterns.
    • SAML SP Realm
    • SAML SP Connector
    • OAuth 2.0 Authorization Server / OpenID Provider
  • IDC-2074: We fixed automatic user creation / update during Apple Login.

nevisAdmin 4.15.0 Release Notes - 2022-05-18

Release information

  • nevisAppliance: 2.202205.973
  • RPM: nevisadmin4-4.15.0.10-1.noarch.rpm
  • GUI Version: FE 4.15.0-660 - BE 4.15.0.10

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • NEW: You can now add descriptions to projects in the Project Overview screen. (NEVISADMV4-8042)
  • NEW: When upgrading plugin versions, in case breaking changes were introduced in patterns currently in your project, clear instructions are shown on the pattern's fields about how to adapt your configuration. (NEVISADMV4-8084)
  • NEW: We introduced Global constants. They are similar to inventory constants, but they can be referenced from multiple inventories. (NEVISADMV4-8097)
  • NEW: You can now view details about nevisOperator and logs on the Kubernetes Status Screen. (NEVISADMV4-8065)
  • NEW: YAML literal block style format can be enabled. For details see the nevisadmin.yaml.literal-block-style.enabled property at 'Configuration Properties in the nevisadmin4.yml File' (NEVISADMV4-7813)
  • IMPROVED: We improved the audit logs of many REST endpoints. (NEVISADMV4-8033)
  • IMPROVED: Dates are now displayed in full format instead of friendly format. (NEVISADMV4-8134)
  • IMPROVED: Project and inventory revision updates are now performed directly to head. Previously, this feature iterated through each commit until the head, but this may not be possible if there are problems with the git history. (NEVISADMV4-8045)
  • IMPROVED: The generated Kubernetes resources such as Deployments, Services etc. now use the Kubernetes Recommended Labels. This causes the components to restart when nevisOperator is upgraded. (NEVISADMV4-8026)
  • FIXED: We fixed an issue where some Kubernetes certificates were sometimes missing from the managed certificates screen. (NEVISADMV4-7851)
  • FIXED: An unexpected error message was shown on the inventory host status screen in case a connection error occurred. This issue is now fixed. (NEVISADMV4-8024)
  • FIXED: Kubernetes deployments no longer perform queries across all namespaces. This change fixes errors in namespace-restricted scenarios. (NEVISADMV4-8132)
  • FIXED: If there was an error in the Managed Kubernetes Certificates screen, for example, connection to Kubernetes cluster failed, the table was not refreshed even if another inventory was selected from the drop-down. The issue is now fixed. (NEVISADMV4-7963).
  • FIXED: The Category tab was still shown in the pattern even if there was no visible property. The issue is now fixed. (NEVISADMV4-7992).
  • FIXED: Incorrect expiration date was displayed in Attach certificate screen when an existing certificate was selected to insert into an inventory. The issue is now fixed. (NEVISADMV4-8100)
  • FIXED: Random ArrayIndexOutOfBoundsException occurred on Inventory edit, caused by a bug in SnakeYAML library. The issue is now fixed. (NEVISADMV4-8114)
  • UPGRADED: Various dependencies are upgraded.

Patterns 4.15.0 Release Notes - 2022-05-18

Release information

Build Version: 4.15.0.6

How to install and use the plugins

You can download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2022 May.

Enter the version in the Search field: 4.15.0

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

  • ⚠️ NEVISADMV4-7063: In generated URLs the port is now omitted if it can be deduced from the scheme (e.g. for HTTPS the default port is 443).
  • NEVISADMV4-7886: nevisAdmin 4 shows a warning if the Nevis Docker images used are older than the ones defined in the plugins.
  • NEVISADMV4-7771: nevisAdmin 4 has upgraded Groovy to 3.x. The patterns are now compiled against this version.
  • NEVISADMV4-8087: We fixed a bug that could result in an invalid PEM being generated when additional trusted certificates were uploaded to an Automatic Trust Store.
  • ⚠️ NEVISADMV4-8077: All Generic Log Settings patterns are removed. Change your project configuration to use the high-level Log Settings patterns instead.
  • ⚠️ NEVISADMV4-8076: The fields used for Log Levels in Log Settings patterns are aligned. In case you have to adapt your pattern configuration, a message is shown to guide you through the process.
  • ⚠️ NEVISADMV4-8076: Log config generation is migrated from Log4J version 1 to Log4J version 2. The following Nevis components are affected:
  • ⚠️ NEVISADMV4-8078: The available options for Log Targets in Log Settings patterns are changed.
  • ⚠️ NEVISADMV4-8076: The default maximum log file size is aligned. Now all components use 100 MB by default. This means an increase from 10 MB to 100 MB for the following components:
  • NEVISADMV4-8101: We fixed a bug in Managed Database patterns, which lead to an error in the DB setup when using variables containing secrets.
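The port omission in NEVISADMV4-7063 matters wherever a generated URL is compared as an exact string, for example an OAuth 2.0 redirect URI registered at a client, or a SAML endpoint recorded in a partner's metadata: a value registered with an explicit :443 before the upgrade no longer matches the newly generated one byte for byte. The following is an added example, not nevisAdmin's own generator code, that normalises URLs the same way (drop the port when it equals the scheme default, lowercase scheme and host, leave path and query untouched) so that both sides of such a comparison can be brought to one form. The scheme/default-port table is the usual one; the release note itself only names HTTPS/443.

```python
from urllib.parse import urlsplit, urlunsplit

# Added illustration of the URL normalisation described for NEVISADMV4-7063.
# Not nevisAdmin code; the default-port table is the conventional one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url: str) -> str:
    """Return `url` with the port dropped when it equals the scheme default.

    Scheme and host are lowercased (both are case-insensitive); path, query
    and fragment are kept byte-for-byte because changing them changes meaning.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if ":" in host:                         # IPv6 literal: restore the brackets
        host = f"[{host}]"
    port = parts.port                       # ValueError on a non-numeric port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"           # non-default port is significant, keep it
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += f":{parts.password}"
        netloc = f"{userinfo}@{netloc}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def same_endpoint(a: str, b: str) -> bool:
    """Compare two endpoint URLs regardless of an explicit default port."""
    return normalize_url(a) == normalize_url(b)


if __name__ == "__main__":
    # Constructed sample URLs
    for u in ("https://Login.Example.com:443/oauth2/auth",
              "https://login.example.com:8443/oauth2/token",
              "http://[::1]:80/health"):
        print(f"{u:45} -> {normalize_url(u)}")
```

Note that the function deliberately does not touch the path (a trailing slash or a different case in the path is a different resource), so "https://a.example.com/cb" and "https://a.example.com/cb/" still compare as different endpoints; only the port and the case of scheme and host are normalised.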

Application protection

  • NEVISADMV4-8161: We fixed the missing port number in the defaultHost attribute in navajo.xml. The issue occurred when several Virtual Host patterns shared the same Frontend Addresses, and one of these patterns was set as Default Virtual Host in the nevisProxy Instance pattern.
  • NEVISPROXY-5987: We added the new settings Session Store Resource and Session Store Access Restriction to the Virtual Host pattern to enable the REST interface for the nevisProxy session stores.
  • ⚠️ NEVISPROXY-6145: We improved the nevisProxy patterns to only generate one servlet per web.xml for storing sessions. In addition, the session store servlets now have fixed names:
  • NEVISADMV4-8141: The nevisProxy patterns no longer generate SERVER_FDLIMIT, as nevisProxy does not use this instruction since version 4.6.
  • NEVISPROXY-6092: We fixed the time interval based log rotation in the nevisProxy Log Settings pattern.
  • NEVISPROXY-6073: We added new setting to the Managed MariaDB Remote Session Store pattern called Custom Parameters.

Authentication

  • NEVISADMV4-8030: URLs pointing to nevisIDM / nevisMeta instances running outside the Kubernetes cluster no longer get the -web suffix. The suffix is only added, when nevisIDM and nevisMeta run in the same Kubernetes cluster.
  • NEVISPROXY-6089: We added a new setting, Forbidden Roles, to the Authorization Policy pattern.
  • NEVISPROXY-6089: We added new settings, Required Roles Mode, Forbidden Roles Mode, and Authentication Level Mode to the Authorization Policy pattern
  • ⚠️ NEVISPROXY-6089: The internal property providing the Required Roles of the Authorization Policy pattern is renamed. If you see a text box called “Unknown property: roles” in your Authorization Policy pattern, configure the reported roles or the reported variable in the Required Roles setting. Write one value per line if you set roles directly.
  • ⚠️ NEVISPROXY-6089: SecurityRolesFilter generated to enforce mandatory role requirements are now called Authorization_Required_Roles_<roles>_<realm> instead of Authorization_<roles>_<realms>.
  • ⚠️ NEVISPROXY-6089: When combining several Authorization Policy patterns for an application, by default the pattern with the most specific mapping overrides the settings of the more general patterns, including the empty values. Empty values were previously ignored. As a consequence, if one of the Required Roles, Forbidden Roles or Authentication Level settings is defined in the most general pattern, but is empty in the most specific one, by default no rule will be enforced for this setting on paths where the specific pattern is mapped.
  • NEVISADMV4-7893: We added new settings called Hostname Validation in the nevisAuth Connection and GUI Rendering sections of Realm patterns.
  • NEVISADMV4-8023: We improved the help for Template Parameters in Generic Authentication Step.
  • NEVISADMV4-8238: When the name of the realm starts with a digit, the name of generated AuthState elements gets a “_” prefix applied to ensure the esauth4.xml complies to the schema.
  • NEVISADMV4-8172: We added validation to ensure the SecToken Signer Key Store has a name that is compatible with Kubernetes deployment. This means that the name must end with “Signer”.
  • NEVISADMV4-8173: We removed entries for taking heap dumps from the JAVA_OPTS variable found in env.conf of nevisAuth instances.
  • NEVISADMV4-8153: We removed ch.nevis.session.jdbc.connector.store.absTo from the env.conf of nevisAuth instances.
  • NEVISADMV4-8149: We now use a plain TCP connect check for the nevisLogrend readiness endpoint in Kubernetes deployment. This is because the check fails if an HTTPS based check is used, and HTTPS is set to mutual in the nevisLogrend Instance pattern.
  • NEVISADMV4-8090: Some patterns add an AuthState to the end of authentication flows.
    • existing tokens are not lost on stepup (required when new tokens are produced).
    • Previously, this logic was part of <realm>_Prepare_Done and thus always executed.
  • NEVISADMV4-8009: We improved validation of Groovy scripts for nevisAuth.
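The last NEVISPROXY-6089 item above is the one to review before upgrading: a Required Roles, Forbidden Roles or Authentication Level setting left empty in the most specific Authorization Policy now switches that rule off for the paths it is mapped to, instead of inheriting the value from a more general pattern. The following added example (not the pattern's own code; the field names, the path-prefix mapping model and the role check are assumptions made for illustration, and the new "... Mode" settings are not modelled) implements both merge rules side by side so the effect can be seen on a constructed policy set.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed illustration of the merge rule described for NEVISPROXY-6089.
# Field names and the path-prefix mapping model are assumptions made for this
# example; they are not the pattern's internal representation.


@dataclass
class AuthorizationPolicy:
    mapping: str                               # path prefix the pattern is mapped to
    required_roles: Optional[Set[str]] = None  # None = setting left empty
    forbidden_roles: Optional[Set[str]] = None
    auth_level: Optional[int] = None


SETTINGS = ("required_roles", "forbidden_roles", "auth_level")


def resolve_policy(policies, path, override_empty=True):
    """Merge every policy whose mapping covers `path`, most general first.

    override_empty=True  (new default): the most specific mapping overrides each
                         setting, including empty ones, so an empty setting
                         there switches the rule off for its paths.
    override_empty=False (previous behaviour): empty settings are ignored and
                         the value from a more general pattern survives.
    """
    applicable = sorted(
        (p for p in policies if path.startswith(p.mapping)),
        key=lambda p: len(p.mapping),          # longer prefix = more specific
    )
    effective = {key: None for key in SETTINGS}
    for policy in applicable:
        for key in SETTINGS:
            value = getattr(policy, key)
            if override_empty or value is not None:
                effective[key] = value
    return effective


def is_authorized(effective, user_roles, user_auth_level):
    """Apply the merged settings; a None setting enforces nothing."""
    roles = set(user_roles)
    required, forbidden, level = (effective[k] for k in SETTINGS)
    if required is not None and not (roles & required):
        return False
    if forbidden is not None and (roles & forbidden):
        return False
    if level is not None and user_auth_level < level:
        return False
    return True


# Constructed sample: a general policy on "/" requiring the admin role, and a
# more specific policy on "/app/public" that only sets an authentication level
# and leaves Required Roles empty.
SAMPLE_POLICIES = [
    AuthorizationPolicy("/", required_roles={"admin"}, auth_level=1),
    AuthorizationPolicy("/app/public", auth_level=2),
]

if __name__ == "__main__":
    for flag in (True, False):
        eff = resolve_policy(SAMPLE_POLICIES, "/app/public/index.html", override_empty=flag)
        print(f"override_empty={flag}: {eff} -> role 'user' allowed: "
              f"{is_authorized(eff, ['user'], 2)}")
```

With the new default the user holding only the role "user" is admitted to /app/public/index.html, because the specific pattern's empty Required Roles wins over the general pattern's {"admin"}; with the previous behaviour the same request is denied. If the general rule is meant to apply on the specific paths as well, repeat the roles in the specific pattern rather than relying on inheritance.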

Mobile authentication

  • NEVISADMV4-8222: We added Generic nevisFIDO Instance Settings pattern. Use this pattern to set JAVA_OPTS.
  • NEVISFIDO-1576: For the nevisFIDO Instance, the config key dispatch-target-repository is no longer generated, as the configuration is now taken from the credential-repository key.
  • ⚠️ NEVISADMV4-8121: Settings related to logging in the nevisFIDO Instance pattern are moved into a separate nevisFIDO Log Settings pattern.

Identity management

  • NEVISADMV4-8174: We added PersistentQueueRetry to the validation of nevisIDM Authorizations.
  • ⚠️ NEVISIDM-7872: The nevisIDM Administration GUI pattern enables REST API access by default. As this may conflict with the nevisIDM REST Service pattern, it is mandatory to either manually disable it, or remove the conflicting pattern.
  • NEVISIDM-8029: We added new setting to the nevisIDM Password Login pattern called Login Type with a default value of LoginId.
  • NEVISADMV4-8101: We fixed the failed validation of nevisIDM Instance / Encryption Key when a secret was used in Kubernetes deployment.
  • NEVISIDM-8063: We added a setting SMTP SSL/TLS Mode to the nevisIDM Instance pattern. There are two options to choose from: disabled and STARTTLS.
  • NEVISADMV4-8196: Do not create a WARNING issue when a variable is used for the JDBC driver in nevisIDM Database Connector pattern during background generation. Variables used to upload files do not have a sample value in the project and thus validation has to be skipped.
  • NEVISADMV4-8142: We added settings Regular Expression and Maximum Length to nevisIDM Custom Property.
  • NEVISADMV4-8138: We added a new setting Backend Key Store to nevisIDM Administration GUI, nevisIDM SOAP Service and nevisIDM REST Service patterns. Assign a key store pattern if you want to use 2-way TLS between nevisProxy and nevisIDM.
  • ⚠️ NEVISADMV4-8126: The IdmPasswordResetState, which is generated by the nevisIDM Password Login pattern when Password Reset is enabled, now shows password policy information.

Federation

  • NEVISADMV4-7063: The OAuth 2.0 Authorization Server / OpenID Connect Provider pattern can now generate a Metadata Endpoint.
  • NEVISADMV4-7063: The OAuth 2.0 Authorization Server / OpenID Connect Provider pattern is improved:
    • The new default values are: /oauth2/auth and /oauth2/token.
  • IDC-1558: The OAuth 2.0 Authorization Server / OpenID Connect Provider pattern now generates configuration for standard OAuth / OpenID scopes by default.
  • NEVISMETA-1735: We added the Generic nevisMeta Instance Settings pattern. Use this pattern to set JAVA_OPTS.
  • NEVISADMV4-7653: We added the Generic Social Login Step pattern for common OIDC/OAuth 2 social login use cases. Use this pattern only if the more specific social login step patterns are not applicable.
  • NEVISAUTH-3586: The SAML SP Connector pattern now uses the SP Issuer as default for Audience Restriction.
  • NEVISAUTH-3575: We added two new settings to the OAuth 2.0 Authorization Server / OpenID Provider pattern to protect the token introspection and token revocation endpoints with Basic Authentication.
  • NEVISAUTH-3567: We improved the SAML Binding configuration in the SAML SP Connector pattern.

nevisAdmin 4.14.0 Release Notes - 2022-02-16

Release information

  • nevisAppliance: 2.202202.963
  • RPM: nevisadmin4-4.14.0.5-1.noarch.rpm
  • GUI Version: FE 4.14.0-614 - BE 4.14.0.5

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • NEW: Version controlled projects can now be reverted to a previous commit. Unlike with the deployment history rollback feature, reverted projects are not imported as read-only. (NEVISADMV4-7779)
  • NEW: On the REST API, project and inventory revision updates can now also be performed directly to head. Normally, this feature iterates through each commit until the head, but this may not be possible if there are problems with the git history. Skipping straight to the head can alleviate such issues. (NEVISADMV4-7785)
  • NEW: Patterns can now be deleted in batch. (NEVISADMV4-7780)
  • NEW: You can now edit the descriptions of files and secret files in the Secret & Files screen. (NEVISADMV4-7786)
  • NEW: Kubernetes auto-generated certificates can now be accessed under Global Settings. (NEVISADMV4-7781)
  • NEW: Date and time format changed from friendly to full format in Deployment History and Kubernetes Status screens. (NEVISADMV4-7881)
  • NEW: A new REST API endpoint was added for temporarily disabling project validation. (NEVISADMV4-7980)
  • IMPROVED: Improved the visualization performance of the authentication flow. (NEVISADMV4-7856)
  • IMPROVED: Improved the content of the error message about the Kubernetes invalid token. (NEVISADMV4-7678)
  • IMPROVED: In case an instance pattern was removed, or if the same instance pattern has already been deployed from a different project, the user is warned during the validation of the deployment. (NEVISADMV4-7784)
  • IMPROVED: The validation phase of deployments now warns the user if they are using the mixed versions of plugin libraries. (NEVISADMV4-7791)
  • IMPROVED: A warning is now displayed during the validation phase of Kubernetes deployments if there are disabled instance patterns in the project. (NEVISADMV4-7879)
  • IMPROVED: A warning is now displayed during the validation phase of Kubernetes deployments if the namespace was changed in the inventory since the last successful deployment. (NEVISADMV4-7802)
  • IMPROVED: It is no longer possible to create projects, inventories or tenants with lowercase letters in their keys. (NEVISADMV4-7871)
  • IMPROVED: Tenant key is no longer added in project name in Deployment History, Host Status and Kubernetes Status screens. (NEVISADMV4-7298)
  • FIXED: Fixed compatibility issue with newer nginx versions when using side-by-side deployment. (NEVISADMV4-7901)
  • FIXED: The details of the deployed services were not shown properly in Kubernetes Status screen after the service version reached ten (v10). This issue is now fixed. (NEVISADMV4-7871)
  • FIXED: Corrected the info text in the Usage section of Variables screen, that is displayed when a variable is not referenced by a pattern. (NEVISADMV4-7841)
  • FIXED: The issue on inventory color highlights in Deployment Wizard is fixed. (NEVISADMV4-7852)
  • FIXED: The Service object used in the Ingress could be temporarily deleted when promoting the canary deployment. (NEVISADMV4-7957)

Deprecations

  • DEPRECATED: Using the Kubernetes cluster to sign the certificates when using automatic key management is now deprecated and does not work with Kubernetes 1.22. This feature is to be removed in a future release. It is recommended to use cert-manager for this purpose, for more information, see Migrating to cert-manager.

Standard Patterns 4.14.0 Release Notes - 2022-02-16

Release information

Build version: 4.14.0.17

How to install and use the plugins

You can download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2022 Feb.

Enter the version in the Search field: 4.14.0

On how to use this library, see Editing Project Pattern Libraries.

Changes

info

Changes marked with ⚠️ may be breaking. Check the impact and adapt your project configuration as required.

General

  • NEVISADMV4-7906: Changed error message when disabled patterns are assigned for a required reference.
  • ⚠️ NEVISADMV4-7765: Generic Log Settings patterns now produce a warning message.
    • The patterns are to be removed in May 2022 in favor of higher-level Log Settings patterns.
    • Contact support if you have a use case that requires these patterns.
  • ⚠️ NEVISADMV4-7765: Syslog forwarding is deprecated for all components.
    • Contact support if you have a use case that requires Syslog forwarding.
  • ⚠️ NEVISADMV4-7765: The available options for Log Targets in Log Settings patterns are changed.
    • The option file is now called default because in Kubernetes deployments the log is always written to the pod log.
    • The option file + syslog is now called default + syslog for the same reason.
    • If you selected one of the options above you get an error. Select default instead.
  • NEVISADMV4-7866: Show an error message when using Generic Deployment in Kubernetes.
    • Generic Deployment is not supported in Kubernetes deployment.
    • Contact support if you have a use case that requires Generic Deployment.
  • NEVISADMV4-7840: Generic Instance Settings for Java-based components now support setting all formats of Java properties.
    • Minor differences in sort order are expected.
    • ⚠️ If you use a variable for Java Opts check that the configuration is generated as expected.
  • ⚠️ NEVISADMV4-7706: Adapted various Log Settings patterns so that assigning them does not lead to an immediate change in the generated log configuration.

Application protection

  • NEVISADMV4-7896: The default ModSecurity configuration based on Core Rule Set 3.3.2 now allows the same HTTP methods as the previous release.
    • The HTTP methods are checked by nevisProxy and thus there is no reason to check them in ModSecurity again.
    • The allowed HTTP methods are CHECKOUT, COPY, DELETE, GET, HEAD, LOCK, MERGE, MKACTIVITY, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PATCH, PUT, TRACE, UNLOCK.
  • NEVISADMV4-7640: Make NGINX Ingress Settings assignable to Virtual Host.
  • NEVISADMV4-7891: Fixed a typo in the VERSION-CONTROL HTTP method.
  • NEVISADMV4-7874: Support configuration of Additional HTTP Status Codes for Virtual Host.
  • NEVISADMV4-7864: Changed the default for Password Getter in nevisProxy Instance.
    • When recommended is selected a script deployed by nevisAdmin is used which supports all Key Store and Trust Store patterns.
  • NEVISADMV4-7827: Allow only *.lua files to be uploaded for Lua Script and Lua Libraries in Lua HTTP Processing.
  • NEVISADMV4-7798: The WebSocket Support for Application pattern does not set the parameter KeepAlive.ByClient anymore.
  • NEVISADMV4-7858: Added settings for Client Cert Authentication to NGINX Ingress Settings pattern.
  • NEVISPROXY-6029: Added new parameter to the RemoteSessionStore pattern called Custom Parameters.
  • NEVISADMV4-7936: Fixed NPE in Application Mapping Report.
  • NEVISPROXY-6016: The attribute serverAlias of the Connector elements in the navajo.xml file can now be customized using a Generic nevisProxy Instance Settings pattern.
  • NEVISADMV4-7812: Added new parameter Mode to the Error Handler pattern, which allows disabling the error handling for the current mapping or some sub-paths.
  • ⚠️ NEVISADMV4-7812: When an Error Handler pattern with a sub-paths parameter is added to a Virtual Host, the default error handler of the Virtual Host is now applied to the sub-paths not covered by the attached Error Handler pattern. Previously, the default error handler was disabled as soon as an Error Handler pattern was attached to the Virtual Host. If you want to keep the previous behavior, attach an additional Error Handler pattern with Mode set to disabled to the Virtual Host.

Authentication

  • ⚠️ NEVISADMV4-7831: Do not generate Frontend Trust Store when Client Authentication is disabled in nevisAuth Instance patterns.
    • When set to disabled, nevisAuth has to be upgraded to 4.34 or later before deployment.
  • ⚠️ NEVISADMV4-7920: Change default of Client Authentication to enabled for nevisAuth Instance.
    • The Frontend Trust Store has to contain the CA certificate which issued the cert of the Client Key Store of associated realm patterns.
  • NEVISADMV4-7915: New setting Session Upgrade Flow in Standalone Authentication Flow.
  • NEVISADMV4-7826: Refactored startup check for nevisAuth to check if the port is bound only.
    • The previous status check failed when the esauth4sv.log was rotated during startup.
  • NEVISADMV4-7910: Support upload of separate text and LitDict files for nevisLogrend and nevisAuth.
    • Set Translation Mode to separate to enable this feature.
    • ⚠️ When Translation Mode is set to “combined” (default) the uploaded files have to be called labels_<code>.properties. Rename the uploaded files if required.
  • NEVISADMV4-7838: Add Log Category for Groovy Script Step.
  • NEVISADMV4-7837: Generic Authentication Step now supports adding multiple GuiElem of type submit with the same name as long as the value is different.
    • There are custom AuthState implementations which require such a configuration.
  • ⚠️ NEVISADMV4-7836: Detect and prevent changing the LitDict encoding to anything other than UTF-8.
    • A warning message is created when invalid characters are detected.
  • NEVISADMV4-7929: New setting Language Cookie Domain in Advanced Settings of Authentication Realm.
  • NEVISADMV4-7981: Generic Authentication Step now supports the expression ${var.name} to refer to an existing variable by name.
    • This feature is an alternative to the existing Template Parameters.
    • The feature is experimental as there are some usability constraints:
      • It is not yet possible to create variables in the project directly (without making a pattern property a variable).
      • It is not shown that a variable is used inside the generic configuration.

Mobile authentication

  • NEVISADMV4-7627: Added new Android biometric authenticator AAID for Android to nevisFIDO Instance pattern default Policy and Metadata.

User behavior analytics

  • NEVISDETECT-1477: Set the session end date by default to the maximum session lifetime to make sure it is never empty.
  • NEVISDETECT-1483: New configuration to support the MaxMind IP geolocation database.
  • NEVISDETECT-1486: It is now possible to configure an authentication step that handles the case where a timeout occurs.
  • NEVISDETECT-1473: Fixed the generated configuration to correctly mark the observations as trusted at the end of an authentication flow in case of a successful authentication.
  • NEVISDETECT-1498: When risk profile configurations are used, setting at least one threshold is now mandatory.
  • NEVISDETECT-1493: Fixed the failure exit of the TAN patterns so that the flow can react when a user fails to provide the correct code and reaches the maximum number of attempts.
  • NEVISDETECT-1495: Improved the help texts for the risk event configurations.
  • NEVISDETECT-1502: Fixed the file name for log rotation to match the UNIX standards.

Identity management

  • ⚠️ NEVISIDM-7694: Encryption settings are now exposed in nevisIDM Instance.
    • From now on the Encryption Key has to be set.
    • The database should be checked for encrypted content to determine if Encryption Fallback has to be enabled.
      • encrypted properties:
        • select * from tidma_property where encrypted = 1;
      • unused URL tickets:
        • select * from tidma_credential where CREDENTIAL_TYPE_ID = 14 and STATE_ID = 2;
  • NEVISADMV4-7824: New nevisIDM URL Ticket Consume pattern.
    • Use for custom flows which require a link sent to the email address of the user.
    • This pattern establishes an endpoint on a Virtual Host where URL Tickets can be validated. On success the next authentication step is executed.
  • IDC-1264: Added additional settings to nevisIDM Property pattern.
    • This pattern is experimental and not feature-complete.
    • If you have a property that cannot be generated, contact support.
  • NEVISADMV4-7843: Do not restart nevisIDM Instance when log levels are changed.
    • nevisIDM is configured to check for log level changes every 60 seconds.
    • One restart is still required to activate the polling.
    • This does not apply to Generic nevisIDM Log Settings. When this pattern is used, nevisIDM is still restarted.
  • NEVISADMV4-7834: Ensure tmp folder inside nevisIDM instance is not deleted on deployment.
    • Removal of the tmp folder during runtime can lead to outages.
  • NEVISDP-328: Allow the upload of multiple Custom JAR Files for nevisDataPorter Instance.
  • NEVISDP-329: The nevisDataPorter Instance now has a tab nevisIDM Connection where you can set a Trust Store and Key Store to establish a 2-way TLS connection.
    • Check the documentation on how to use these stores in your Configuration.
  • NEVISADMV4-7928: Support custom redirects during or after Password Reset in nevisIDM Password Login pattern.
  • NEVISADMV4-7927: New setting URL Ticket Policy Name for password reset process in nevisIDM Password Login pattern.
  • ⚠️ NEVISADMV4-5588: The setting Enabled SOAP WebService Versions in nevisIDM Instance is removed.
    • This setting was not working in recent releases.
    • Use Generic nevisIDM Instance Settings to set the property webservice.versions instead.
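The NEVISIDM-7694 check above is a decision procedure: run the two queries against the nevisIDM database and enable Encryption Fallback only if either returns rows. The following added example (not part of the page or of nevisIDM) runs exactly the two documented queries and turns the row counts into that decision. It uses an in-memory SQLite stand-in whose tables carry only the columns the queries reference; the real check runs against the productive nevisIDM database, whose schema is not modelled here.

```python
import sqlite3

# The two queries exactly as given in the NEVISIDM-7694 release note.
ENCRYPTED_PROPERTIES_SQL = "select * from tidma_property where encrypted = 1;"
UNUSED_URL_TICKETS_SQL = (
    "select * from tidma_credential where CREDENTIAL_TYPE_ID = 14 and STATE_ID = 2;"
)


def encryption_fallback_check(conn) -> dict:
    """Run both checks; Encryption Fallback is needed if either finds rows."""
    cur = conn.cursor()
    encrypted_props = len(cur.execute(ENCRYPTED_PROPERTIES_SQL).fetchall())
    unused_tickets = len(cur.execute(UNUSED_URL_TICKETS_SQL).fetchall())
    return {
        "encrypted_properties": encrypted_props,
        "unused_url_tickets": unused_tickets,
        "fallback_needed": encrypted_props > 0 or unused_tickets > 0,
    }


def build_sample_db(with_legacy_data: bool = True) -> sqlite3.Connection:
    """Constructed in-memory stand-in for the nevisIDM tables.

    Only the columns the two queries reference are modelled; this is an
    assumption for the example, not the real nevisIDM table layout.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table tidma_property (
            property_id integer, name text, encrypted integer);
        create table tidma_credential (
            credential_id integer, CREDENTIAL_TYPE_ID integer, STATE_ID integer);
        """
    )
    if with_legacy_data:
        conn.executemany(
            "insert into tidma_property values (?, ?, ?)",
            [(1, "department", 0), (2, "secret_note", 1)],   # one encrypted property
        )
        conn.executemany(
            "insert into tidma_credential values (?, ?, ?)",
            [(10, 14, 2),    # URL ticket, still unused -> counts
             (11, 14, 1),    # URL ticket in another state -> does not count
             (12, 1, 2)],    # different credential type -> does not count
        )
    conn.commit()
    return conn


if __name__ == "__main__":
    print("legacy data :", encryption_fallback_check(build_sample_db(True)))
    print("clean schema:", encryption_fallback_check(build_sample_db(False)))
```

On the constructed data the check finds one encrypted property and one unused URL ticket, so Encryption Fallback has to be enabled; on the empty schema nothing is found and the fallback can stay off, which is the preferable state because it means every stored secret is already under the configured Encryption Key.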

Federation

  • IDC-1273: The SAML SP Connector now has a new setting Multi Value.
    • When enabled, multiple AttributeValue elements are generated for attributes containing comma- or space-separated Strings.
    • For backward compatibility, the default is disabled.
  • NEVISADMV4-7743: New OAuth 2.0 Authorization Server / OpenID Provider pattern.
    • This pattern is still in development and will change significantly in subsequent releases.
    • Consider this to be a preview. Use at your own risk!
  • NEVISADMV4-7878: nevisAuth fixed a bug related to the setting SP URL - Single Logout Service in the SAML SP Connector pattern. Upgrade to the latest nevisAuth release.
  • NEVISADMV4-7979: Social Login patterns now take the correct next step when creating a new user fails.
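The IDC-1273 Multi Value setting changes how a single attribute string is turned into AttributeValue elements. The following is an added example, not the SAML SP Connector's own code, that shows the two modes on a constructed attribute and, because attribute values come from the user store, builds the elements with an XML library so that a value containing markup characters is escaped rather than spliced into the assertion. The split rule (on commas and/or whitespace) follows the release note; the exact regular expression is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Added illustration of the Multi Value setting described for IDC-1273.
# Not the pattern's generator code; the split expression is an assumption.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
SPLIT_RE = re.compile(r"[,\s]+")   # comma- or space-separated strings


def build_attribute(name: str, raw_value: str, multi_value: bool = False) -> ET.Element:
    """Return a saml:Attribute element for `name`.

    multi_value=False (default): one AttributeValue holding the string as-is.
    multi_value=True : split on commas/whitespace, one AttributeValue per part.
    """
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": name})
    if multi_value:
        values = [v for v in SPLIT_RE.split(raw_value) if v]
    else:
        values = [raw_value]
    for value in values:
        el = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
        el.text = value   # ElementTree escapes <, > and & on serialisation
    return attr


def attribute_values(name: str, raw_value: str, multi_value: bool = False):
    """The texts of the generated AttributeValue elements, in order."""
    return [el.text for el in build_attribute(name, raw_value, multi_value)]


def to_xml(element: ET.Element) -> str:
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample attribute as it might come from the user store
    groups = "admin, audit ops"
    print(to_xml(build_attribute("groups", groups)))
    print(to_xml(build_attribute("groups", groups, multi_value=True)))
    print(to_xml(build_attribute("cn", "<script>alert(1)</script>")))
```

Keep the default (disabled) for a service provider that expects the legacy single-value form; enable Multi Value only once the SP has been confirmed to read repeated AttributeValue elements, since an SP that takes the first value only would silently see a shortened group list.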

nevisAdmin 4.13.1 Release Notes - 2021-12-03

Release information

  • nevisAppliance: 2.202111.950
  • RPM: nevisadmin4-4.13.1.0-1.noarch.rpm
  • GUI Version: FE 4.13.0-559 - BE 4.13.1.0

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • FIXED: The integrity of the nevisadmin4 RPM package was broken by default. The issue is now fixed.

Patterns 4.13.1 Release Notes - 2021-12-03

Release information

Build Version: 4.13.1.1

How to Install and Use the Plug-Ins

This version is not supported anymore and cannot be downloaded. Upgrade to a newer version.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

  • FIXED: The setting Default Log Level in "Log Settings" patterns now also changes the priority of the root logger.

Application Protection

  • NEW: Added experimental Default Service pattern. Use this pattern to map filters to paths when there is no backend, no hosted resources, or authentication flow.
  • FIXED: The HTTP Header Customization pattern now allows using constant values for Basic Auth User and Basic Auth Password. Previously you had to add the CONST: prefix as a workaround.

Authentication

  • CHANGED: The setting Translations in realm pattern now allows uploading UTF-8 encoded files. Previously only ASCII files with HTML-encoded special characters were supported.
  • FIXED: Ensure Email TAN and Mobile TAN patterns take the On Failure exit when all attempts are exhausted.

nevisAdmin 4.13.0 Release Notes - 2021-11-17

Release information

  • nevisAppliance: 2.202111.948
  • RPM: nevisadmin4-4.13.0.6-1.noarch.rpm
  • GUI Version: FE 4.13.0-559 - BE 4.13.0.6

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • NEW: Patterns are now marked as unused, if they do not contribute anything to the project's configuration. Having unused patterns usually indicates that the project is incomplete, or it contains unnecessary patterns which can be deleted.
  • NEW: While making a classic deployment, you can now specify which pattern instances you want to deploy on the Deployment Wizard screen. In addition, we also display the deployed instance pattern ids in the Deployment History.
  • NEW: The authentication flow of the projects can now be viewed in a full graph. The animated graph can be opened in a full screen and provides a better overview of the whole authentication flow. For more information, see the "Authentication Graph" section of the Navigating Patterns chapter in the nevisAdmin 4 technical documentation.
  • NEW: The authentication graph can be accessed from the Realms in Project Overview screen.
  • NEW: Patterns can now be copied as unlinked to the source pattern. With this, the same pattern can be copied multiple times without affecting the content of the already existing pattern. For more information, see the Copying Patterns chapter in the nevisAdmin 4 technical documentation.
  • NEW: When copying patterns, you can now copy them with variables.
  • NEW: On the REST API, secrets and inventory file attachments can now be created with custom IDs.
  • NEW: When you are making a Kubernetes Secondary deployment, you can now split the traffic based on the percentage. For more information, see the Side-by-side Deployment chapter in the nevisAdmin 4 technical documentation.
  • NEW: When there is a newer version of the pattern libraries for the project, an indicator icon is displayed next to the project name from where the update can be initiated.
  • NEW: Data porter patterns are now available with the standard pattern libraries.
  • IMPROVED: Added a new property nevisadmin.generation.engine.smart-error-recovery to make the Generation Engine continue the generation on errors. With this property turned on, the error output of the Generation Engine and the Deployment Wizard will be the same for the same project.
  • IMPROVED: The authentication flow tree now loads faster.
  • IMPROVED: The authentication flow tree is now generated with a breadth-first algorithm instead of depth-first. Once a limit is reached, a warning indicator is displayed next to the patterns that have incomplete steps.
  • IMPROVED: On Kubernetes, component containers now start with the runAsNonRoot option instead of a random UID. This improves compatibility with OpenShift.
  • IMPROVED: While an authentication flow tree is loading, an information message indicates that the tree is being loaded.
  • IMPROVED: The inventory colour and background highlights are improved. The change affects the Inventory Editor, the Deployment Wizard, and the inventory icon colours.
  • IMPROVED: When importing a project from a zip file, a warning message is now shown if the project already exists. In that case the existing project will be overwritten, and the user has to confirm this.
  • FIXED: Scrolling the patterns in the Pattern Master List no longer flickers.
  • FIXED: The details on the Kubernetes Status screen are now displayed properly on smaller screen sizes.
  • FIXED: The display of error messages is improved in the Deployment Wizard and the Pattern property editor.
  • REMOVED: Patterns to set up monitoring are no longer available in the standard pattern libraries.

Deprecations

  • DEPRECATED: Using the Kubernetes cluster to sign the certificates when using automatic key management is now deprecated, and the feature will be removed in a future release. Use cert-manager for this purpose instead; for more information, see Migrating to cert-manager.

Patterns 4.13.0 Release Notes - 2021-11-17

Release information

Build Version: 4.13.0.13

How to Install and Use the Plug-Ins

This version is not supported anymore and cannot be downloaded. Upgrade to a newer version.

Changes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.

General

  • The info issue "Some host addresses do not include port, calculating port based on scheme." is no longer generated.
  • A thread-safety issue that could make the generation fail when automatic key management is used has been fixed.
  • A chmod was added to the automatic key management scripts to fix a permission issue that occurs in combination with certain versions of OpenSSL.

Application Protection

  • NEW: Support for the assignment of multiple Virtual Host patterns in application patterns was added.
  • NEW: We added the property "Database Schema Check" to the "nevisProxy MariaDB Remote Session Store" pattern. When enabled, nevisProxy verifies that the database schema and integrity constraints match the requirements of the Remote Session Store at startup. This check is disabled for "Managed nevisProxy Remote Session Store" patterns.
  • UPDATED: The "compatible" configuration for the "Frontend TLS Settings" of Virtual Hosts was updated. Refer to the pattern help for the new values.
  • UPDATED: Blank fields in "TLS Settings" patterns assigned to a Virtual Host will now be replaced by the corresponding "recommended" value. Previously, the "compatible" value was applied.
  • UPDATED: We upgraded the default ModSecurity CRS version to 3.3.2 and introduced the new property "OWASP ModSecurity CRS version" in the "Virtual Host" pattern to choose the CRS version. The new default matches the OWASP recommended configuration: it uses anomaly scoring mode, and the response body check is enabled. If a custom CRS was configured previously, the "custom" option has to be selected.
  • UPDATED: The nevisProxy status script for classic VM deployment was improved.
  • UPDATED: Generic Application Settings now support the expression ${host.key} which may be used for EntryPointID when declaring a custom IdentityCreationFilter or to point to configuration files within the docBase of the host.
  • FIXED: An exception in the Application Mapping Report which made report generation fail was fixed.
  • FIXED: We fixed an issue where a Virtual Host could have Frontend TLS Settings set to recommended or compatible and have a TLS Settings pattern assigned at the same time.
    • Now assigning a TLS Settings pattern requires setting Frontend TLS Settings to custom.

Authentication

  • NEW: The JWT Token pattern now supports additional algorithms.
  • NEW: We now create a WARN issue when multiple files per language are uploaded for Labels in the authentication realm patterns.
  • FIXED: A bug in the generation of SectokenVerifierCert when using multiple realm patterns with different configuration for Internal SecToken Trust Store was fixed.

Federation

  • NEW: An optional configuration On User Creation Failed in social login patterns was added.
  • NEW: We added configuration options to SAML SP Realm and SAML IDP patterns to support logout using SOAP-binding.
  • UPDATED: We improved the error handling when a social login provider returns an error.

Identity Management

  • UPDATED: CSRF protection for nevisIDM was updated.
  • NEW: New experimental patterns for the configuration of nevisIDM batch jobs were added.
  • NEW: New experimental patterns for the configuration of nevisDataPorter were added.
  • CHANGED: Oracle JDBC drivers uploaded in nevisIDM Instance pattern now also get deployed for nevisidmdb.

Monitoring

Known issues and limitations

See also:

nevisAdmin 4

Since 8.2411

  • If you initiate a library upgrade using the update icon in the project selector bar, the upgrade notes dialog might not open. As a workaround, downgrade the library back to the old version, and initiate the upgrade from the Project Settings page.

Since 8.2405

  • On startup, nevisAdmin 4 produces warning messages, such as
    Bean 'shiroConfig' of type [ch.nevis.admin.v4.infra.spring.rest.ShiroConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). The currently created BeanPostProcessor [lifecycleBeanPostProcessor] is declared through a non-static factory method on that class; consider declaring it as static instead. 
    These can be ignored.

Since 4.19:

  • After deleting a deployment from the Kubernetes Status screen, the overall status of the deployment is not updated automatically, only the pods' status.
  • On the Configuration tab, if a library upgrade is available for the selected Project, the upgrade icon should open the upgrade dialog, but if you are on the Project Settings screen, the dialog does not open. As a workaround, you can open the dialog from the Overview or Patterns screens.

Since 4.18:

  • When managing users and groups, in some cases the nevisAdmin 4 GUI incorrectly allows assigning permissions for which the currently logged-in user does not have permission to assign. In these cases, an error dialog will be shown and the permission assignment will not be executed.

  • The 4.18.0.0 flyway script could fail if the database contains a duplicated user that has groups assigned. To fix this problem, execute these scripts manually.

    1. Remove failed migration history.

      delete from flyway_schema_history where version='4.18.0.0';
    2. Delete group assignments of the duplicated users.

      delete from `group_member` where user_id not in (select min(u.id) from `user` u group by u.user_id);
    3. Restart nevisAdmin 4; the 4.18.0.0 migration script will then be executed again.
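As an added check that is not part of the original release notes: before running step 2, list the duplicated users and the group assignments the delete would remove, so the rows can be reviewed and backed up first. The queries assume only the columns the fix scripts above use (`user`.`id`, `user`.`user_id`, `group_member`.`user_id`); everything else about the schema is an assumption.

```sql
-- Added inspection queries (not part of the nevisAdmin 4 release notes).
-- Assumed schema, taken from the fix scripts above: `user`(id, user_id)
-- and `group_member`(user_id referencing user.id). Both queries are read-only.

-- 1. Logical users that exist more than once, and the row id that step 2 keeps
--    (the smallest id per user_id, matching the min(u.id) in the delete).
select u.user_id,
       count(*)  as copies,
       min(u.id) as kept_id
from `user` u
group by u.user_id
having count(*) > 1;

-- 2. Group assignments that step 2 would delete: rows belonging to the
--    duplicate user rows that are not the kept one. Same predicate as the delete.
select gm.*
from `group_member` gm
where gm.user_id not in (select min(u.id) from `user` u group by u.user_id);
```

If the second query returns group assignments that should survive, reassign them to the kept row id before running the delete.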

Since 4.12:

  • Updating an inventory attachment with a file that has a new name does not update the reference in the inventory. This results in an outdated file name shown in the reference (inv-res-secret://<id>#fileName>).
  • If there are multiple RPM nevisAdmin 4 installations on a server, the command nevisadmin4 status lists the versions of all installations under the Component field in the nevisAdmin 4 GUI, not only the currently used one.
  • You cannot change the case of a letter of an already published variable. This bug does not affect unpublished variables.
  • The Project summary report tab can take several seconds to load in case of very large projects.
  • Loading the Pattern list can take several seconds in the case of very large projects. In such cases, the Label view or Filters function is a more convenient way to view the patterns.
  • The deployment preview phase reports an error if the automatic key management setting is enabled during classic deployments. This issue does not occur if the deployment is initiated by the root user.

Fixed Issues

4.18 only:

  • Deploying to a Kubernetes cluster that uses cgroups v2, such as AKS 1.25, could result in increased memory consumption for all Java based Nevis components. This is caused by a bug in the used Java version (JDK-8230305). As a workaround, use Generic Instance Setting patterns and set the maximum heap size directly with the -Xmx option.

4.16 only:

  • Updating the value of a binary global secret or global file, such as a zip in Secret and Files results in no change. As a workaround, update the value through the Swagger endpoint reachable at /nevisadmin/swagger-ui/index.html#/tenant-secret-resource-resource/update_2 for global secrets, and /nevisadmin/swagger-ui/index.html#/tenant-resource-resource/update_3 for global files.

4.15 only:

  • The Used in column on Secret & Files does not contain inventories that use a secret through a global constant.
  • The label of the link to access pod logs on the Kubernetes Status screen was mistakenly changed to "view operator logs" though it shows only pod logs.

4.14 only:

  • If there is an error in the Managed Kubernetes Certificates screen (for example, the connection to the Kubernetes cluster fails), the table is not refreshed even if another inventory is selected from the drop-down. If the selected inventory is not the default one, refreshing the page resolves the issue. Otherwise, the error needs to be fixed first.
  • The Project summary report tab can take several seconds to load in case of very large projects.
  • The Groovy Script Step pattern script validation does not work with 4.13.x plugins. As a workaround, you can disable the validation under Advanced Settings, or update the plugins version to 4.14+.

4.13 only:

  • You can now choose the instance patterns in the Deployment Wizard for Classic deployment. By default, the instance patterns selected last time are deployed in the next deployment. If a new instance pattern is added in the meantime, it is not selected automatically, because the previous selection is applied by default. This behaviour will be improved in a future release.

Patterns

Automatic key management - Kubernetes deployment

In Kubernetes deployments, automatic keystores are scoped to a Kubernetes service.

To support side-by-side deployment, a post-fix is appended to Kubernetes service names.

As the service name is included in the certificate subject, it is required to generate new keystores when a service is renamed.

This can be problematic for keystores used to sign a token, because all truststores used to validate the token signature have to be updated as well.

This means that tokens signed by the previous signer are no longer accepted.

For instance, a previous signer may have been used to sign a SecToken for the user, which is then stored in the session.

To avoid this problem, the following keystores are not scoped to the Kubernetes service. This applies even if side-by-side deployment is not being used:

  • The internal SecToken that nevisAuth issues for itself to access nevisIDM and nevisMeta APIs.
  • Application access tokens issued to the user to access applications protected by nevisProxy.

This works when no key management patterns are assigned, but it may fail when assigning an Automatic Key Store pattern. If you use Automatic Key Store patterns to sign tokens, make sure the pattern name ends with -signer.

HTTP error codes cause session loss

By default, the Virtual Host maps an ErrorFilter that handles HTTP error codes.

For security reasons, the filter is configured to remove response headers.

This behavior can lead to the loss of the nevisProxy session when an HTTP error occurs, for example while the session cookie is being renewed after a successful authentication.

For status codes 404 and 502, the headers are not reset, which makes session loss less likely.

You can opt out by adding your own HTTP Error Handling pattern.

This pattern allows you to define which status codes are handled, and for which codes the headers are kept.

You can do this using the property Keep Header Status Codes.

Assign the HTTP Error Handling pattern to relevant locations, for example, the entire Virtual Host or in applications.

Fixed Issues

Up to 4.19:

  • When the folder /var/opt/keys/ is completely removed on target hosts in VM deployments, two deployments are required to recreate the key material. This is an exceptional case which occurs only during disaster recovery or nevisAdmin 4 CA renewal.