Release notes
nevisAdmin 4 is the completely overhauled configuration and deployment solution for the Nevis Identity Suite.
nevisAdmin 3 configurations cannot be automatically migrated to nevisAdmin 4. Contact your integration partner if you need assistance migrating from nevisAdmin 3 to nevisAdmin 4.
If you are looking for updates to nevisAdmin 3, check the nevisAdmin 3 documentation.
nevisAdmin 8.2411.0 Release Notes - 2024-11-20
Release information
- RPM: nevisadmin4-8.2411.0.17-1.noarch.rpm
- GUI Version: FE 8.2411.0-1459 - BE 8.2411.0.17
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
- CHANGED: The `nevisadmin-plugin-nevisadapt` plugin has been separated from `nevisadmin-plugin-nevisdetect`. The nevisAdapt patterns, which were previously part of the nevisDetect plugin, have been moved to the new nevisAdapt plugin. (NEVISADMV4-10229)
Main improvement
- NEW: It is now possible to delete plugin libraries on the Resources / Pattern Libraries page. (NEVISADMV4-9761)
- NEW: You can now add a git tag to the commit that is created when publishing a project, both on the GUI in the publishing dialog, and also using the REST API. (PRODROAD-597)
- NEW: Project variables can now have default values. Unlike the existing sample values, a default value is used directly during deployment when the inventory does not override the variable, instead of causing an error. (NEVISADMV4-10185)
- NEW: We've introduced a feature that automatically migrates the project when the `nevisadmin-plugin-base-generation` version is upgraded. It attempts to handle breaking changes by updating most project data automatically, reducing the need for manual adjustments; some cases cannot be handled automatically, so manual intervention may still be required. (NEVISADMV4-10104)
Notable changes and bug fixes
- NEW: Deployments can now be performed using the legacy checkout method by setting the configuration property `nevisadmin.git.shallow-checkout` to `false`. (NEVISADMV4-10252)
- NEW: We added two new properties, `nevisadmin.pki.root-certificate-validity` and `nevisadmin.pki.end-certificate-validity`, to configure certificate validity for automatic key management in classic deployments. (NEVISADMV4-10268)
- IMPROVED: When publishing a project containing attachment properties where the attached files were changed, the changes can be reviewed in the publish dialog with a new diff view. (NEVISADMV4-10067)
- IMPROVED: The inventory editor has received a number of improvements. (NEVISADMV4-10074)
  - Errors that are not related to a specific line are shown on the first line.
  - Folding controls are now always shown, not only when the gutter (i.e. the line numbers) is hovered.
  - When the inventory YAML has issues, an inline peek view pops up showing the details. This can also be triggered from the new menu to the left of the inventory resource actions, which also has controls to fold/unfold all regions of the YAML file.
  - Tooltips in the editor are no longer clipped if they extend beyond the editor.
- IMPROVED: When editing a pattern attachment file, now you can toggle the editor to Fullscreen mode. (NEVISADMV4-10071)
- IMPROVED: Pattern fields of type key-value can now be sorted alphabetically. This helps to find them when there are many, and to review the diff during publishing. (NEVISADMV4-10084)
- IMPROVED: If an attachment is renamed in a way that the only difference from the original name is in letter casing, it may cause errors. The errors now include explanations and workarounds for resolving these issues. (NEVISADMV4-10102)
- IMPROVED: Addressed some performance issues that happened when there were a lot of plugin libraries uploaded. (NEVISADMV4-10073)
- CHANGED: The REST endpoints at `/api/v1/jobs` now include the `creationTime` field in their returned data. (NEVISADMV4-10011)
- FIXED: The variables screen now also considers `${var.<name>}` references when listing the usages of variables. (NEVISADMV4-10024)
- FIXED: Renaming a variable now also updates all references to it that use the `${var.<name>}` format. (NEVISADMV4-10085)
- FIXED: When using the main pattern list in grouped-by-labels mode, the expanded state of the groups was not restored when navigating away and coming back. It is now correctly saved and restored. (NEVISADMV4-10072)
- FIXED: In some rare cases, newly created tenant scoped secrets were not available in the inventory editor to be inserted, until another inventory was opened first. They are now available immediately. (NEVISADMV4-9969)
- FIXED: We fixed a GUI issue which caused the project validation spinner to sometimes keep spinning even after the project validation had finished, especially if there were new edits before the previous validation had finished. (NEVISADMV4-8559)
- FIXED: We fixed a GUI issue which allowed both the Delete and the Connect to Git actions for projects and inventories to be available, even when the user did not have permission to modify the selected project or inventory, which led to a permission error. These buttons are now disabled if the user does not have the required permission. (NEVISADMV4-8854)
- FIXED: We fixed a GUI issue in the inventory editor, where inserting a secret in the middle of a line replaced the rest of the line instead of inserting the secret at the caret's location. Highlighting secrets in the editor is also fixed. (NEVISADMV4-8441)
- FIXED: The default values for `cors.allowed.methods`, `cors.allowed.headers`, and `cors.max.age` now align with what is stated in the documentation. (NEVISADMV-10128)
- FIXED: We fixed a GUI issue which caused project variables to be imported with an invalid value. (NEVISADMV4-9090)
- FIXED: We fixed a GUI issue in the pattern editor, which caused the navigation to be canceled when clicking through a pattern reference link while having unsaved changes. (NEVISADMV4-10308)
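The items above on project variable default values (NEVISADMV4-10185) and on `${var.<name>}` references (NEVISADMV4-10024, NEVISADMV4-10085) describe two behaviours that are easy to get wrong. The following Python is an added example, not nevisAdmin 4's own implementation: it lists `${var.<name>}` usages, renames a variable without touching variables whose names merely share a prefix, and resolves references against an inventory, falling back to a default value but never to a sample value. The permitted characters in a variable name and all project data are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A ${var.<name>} reference. The permitted name characters are an assumption for this example.
VAR_REF = re.compile(r"\$\{var\.([A-Za-z0-9_][A-Za-z0-9_.\-]*)\}")


@dataclass
class ProjectVariable:
    name: str
    sample: Optional[str] = None   # documentation only: never substituted at deployment
    default: Optional[str] = None  # substituted when the inventory does not override the variable


class UnresolvedVariable(Exception):
    """Raised for a reference that the inventory does not set and that has no default value."""


def find_usages(texts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each referenced variable name to the locations (dict keys) that reference it."""
    usages: Dict[str, List[str]] = {}
    for location, text in texts.items():
        for match in VAR_REF.finditer(text):
            usages.setdefault(match.group(1), []).append(location)
    return usages


def rename_variable(text: str, old: str, new: str) -> str:
    """Rewrite ${var.old} to ${var.new}. Matching whole references keeps ${var.old-suffix}
    intact, which a plain text.replace('${var.old', ...) would corrupt."""
    return VAR_REF.sub(lambda m: "${var.%s}" % (new if m.group(1) == old else m.group(1)), text)


def unresolved_references(text: str, variables: Dict[str, ProjectVariable],
                          inventory: Dict[str, str]) -> List[str]:
    """Names referenced in text that resolve() would reject, in order of first appearance.
    Useful as a pre-deployment check."""
    missing: List[str] = []
    for match in VAR_REF.finditer(text):
        name = match.group(1)
        var = variables.get(name)
        resolvable = name in inventory or (var is not None and var.default is not None)
        if not resolvable and name not in missing:
            missing.append(name)
    return missing


def resolve(text: str, variables: Dict[str, ProjectVariable], inventory: Dict[str, str]) -> str:
    """Substitute references: inventory value first, then the default value. A variable that
    only has a sample value (or is unknown) is an error, as it is at deployment."""
    def substitute(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name in inventory:
            return inventory[name]
        var = variables.get(name)
        if var is not None and var.default is not None:
            return var.default
        hint = " (the sample value is not used)" if var is not None and var.sample is not None else ""
        raise UnresolvedVariable(f"variable {name!r} is not set in the inventory and has no default{hint}")
    return VAR_REF.sub(substitute, text)


if __name__ == "__main__":
    # Constructed project data for the example.
    variables = {
        "timeout": ProjectVariable("timeout", sample="30", default="60"),
        "backend-url": ProjectVariable("backend-url", sample="https://backend.example.com"),
    }
    config = "url: ${var.backend-url}/api\ntimeout: ${var.timeout}\n"
    print(find_usages({"app.yml": config}))
    print(unresolved_references(config, variables, {}))
    print(resolve(config, variables, {"backend-url": "https://backend.internal"}))
    print(rename_variable(config, "backend-url", "backend"))
```

Run `unresolved_references` over the generated configuration before a deployment to find variables that still rely on a sample value; only the inventory or a default value can satisfy them.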
Dependency upgrades
- shiro 2.0.1 (NEVISADMV4-9164)
- org.eclipse.jgit 6.10.0.202406032230-r (NEVISADMV4-10027)
- jsch 0.2.20 (NEVISADMV4-10273)
- jackson 2.18.0 (NEVISADMV4-10273)
- jetty-rewrite 12.0.14 (NEVISADMV4-10273)
- groovy 4.0.23 (NEVISADMV4-10273)
- snakeyaml 2.3 (NEVISADMV4-10273)
- aspectjweaver 1.9.22.1 (NEVISADMV4-10027)
- jakarta-annotation-api 3.0.0 (NEVISADMV4-10027)
- slf4j-api 2.0.16 (NEVISADMV4-10027)
- logback-classic 1.5.9 (NEVISADMV4-10273)
- guava 33.3.1-jre (NEVISADMV4-10273)
- opensaml 4.3.2 (NEVISADMV4-10027)
- spring-boot 3.3.5 (NEVISADMV4-10307)
- spring-dependency-management-plugin 1.1.6 (NEVISADMV4-10027)
- springdoc-openapi-starter-webmvc-ui 2.6.0 (NEVISADMV4-10027)
- mustache 0.9.14 (NEVISADMV4-10027)
- mariadb-java-client 3.4.1 (NEVISADMV4-10027)
- postgresql 42.7.4 (NEVISADMV4-10027)
- nimbus-jose-jwt 9.41.2 (NEVISADMV4-10273)
- bcprov-jdk18on 1.78.1 (NEVISADMV4-10027)
- bcpkix-jdk18on 1.78.1 (NEVISADMV4-10027)
- bcpg-jdk18on 1.78.1 (NEVISADMV4-10027)
- bcutil-jdk18on 1.78.1 (NEVISADMV4-10027)
- kubernetes-java-client 21.0.1 (NEVISADMV4-10027)
Patterns 8.2411.0 Release Notes - 2024-11-20
Release information
- Build Version: 8.2411.0.15
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASE / 2024 November.
Enter the version in the Search field: 8.2411.0.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
General
- PAT-762: Fixed a bug in `Generic Deployment` which caused unknown files in nested sub-folders to be deleted, even when `Path: Delete Unknown Files` is set to `disabled`.
- NEVISADMV4-9763: Added the new logger `ProductAnalytics` to Nevis components.
  - The logger is enabled by default; it can be disabled by setting the log level to `WARN` or `ERROR`.
Application Protection
- ⚠️ PAT-750 / PAT-754: Refactored the `nevisProxy Observability Settings` pattern:
  - Renamed the `Trace Resource Service Name` parameter and moved it to the `Basic Settings` tab.
    - This setting now controls the `service.name` resource attribute for both `Metrics Mode` and `Trace Mode`.
  - Removed the experimental label from the pattern.
  - New settings: `Sampler`, `Deployment Environment`, `Capture Request Headers`, `Capture Response Headers`
- ⚠️ PAT-751: Added CRS version 4.7.0 to the `OWASP ModSecurity CRS Version` setting in the `Virtual Host` pattern.
  - The oldest, unsupported CRS version 3.0.2 was removed.
- PAT-734: Added the `Default File` setting to the `Hosting Service` pattern.
- PAT-678: Added a default template for `Proxy Login Renderer`.
- ⚠️ PAT-650: Added the setting `SOAP Schema Validation Mode` to the `SOAP Service` pattern.
  - The default mode is `content-type`, where the SOAP service only analyses requests with Content-Type `application/soap+xml`.
  - Select `enabled` to analyse all requests with a body.
  - Select `strict` to analyse all requests, which was the previous behaviour.
- PAT-688: We fixed an unexpected error when using a variable for the `Public Key` of the `JWT Access Restriction` pattern.
- ⚠️ PAT-755: We improved the `Maintenance Page` pattern:
  - The `Update Interval` is now configurable.
  - The pattern now includes its sanitized name in the names of the generated `MaintenanceFilter` and `DefaultServlet`.
    - This prevents naming collisions and allows linking multiple Maintenance Page patterns to a single `Virtual Host` or `Application`.
    - Check your configuration if you use `Generic Application Settings` or `Generic Virtual Host Settings` to customize your `MaintenanceFilter` or the related `DefaultServlet`.
- PAT-759: The `SOAP Service` pattern can now be attached to several `Virtual Host` patterns even when `SOAP Schema Validation` files are configured.
- NEVISPROXY-7253: The `HTTP Error Handling` pattern now also replaces placeholders in JSON error pages.
  - This also applies to the default `ErrorFilter` that is generated by the `Virtual Host`.
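The three values of the `SOAP Schema Validation Mode` setting (PAT-650 above) differ in which requests are analysed at all, and the default is the narrowest. To make that concrete, here is an added example in Python that is not code from the nevisAdmin patterns or from nevisProxy: it reproduces the decision and runs it over a few constructed requests. Assumptions: the Content-Type comparison is made on the media type only, ignoring parameters such as `charset` and letter case, and the sample requests are made up for the example.

```python
from typing import List, Optional, Tuple

SOAP_12_MEDIA_TYPE = "application/soap+xml"


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Bare media type of a Content-Type header value: parameters such as
    '; charset=utf-8' are dropped and the result is lower-cased (assumption:
    the real check also ignores parameters and case)."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def should_validate(mode: str, content_type: Optional[str], body: bytes) -> bool:
    """Return True if SOAP schema validation applies to the request.

    mode is one of the values of the SOAP Schema Validation Mode setting:
      'content-type' (default): only requests with Content-Type application/soap+xml
      'enabled':                every request that carries a body
      'strict':                 every request (the previous behaviour)
    """
    if mode == "strict":
        return True
    if mode == "enabled":
        return len(body) > 0
    if mode == "content-type":
        return media_type(content_type) == SOAP_12_MEDIA_TYPE
    raise ValueError(f"unknown SOAP Schema Validation Mode: {mode!r}")


# Constructed sample traffic: (label, Content-Type header, body). Not captured data.
SAMPLE_REQUESTS: List[Tuple[str, Optional[str], bytes]] = [
    ("soap12", "application/soap+xml; charset=utf-8", b"<env:Envelope/>"),
    ("soap11", "text/xml; charset=utf-8", b"<soap:Envelope/>"),  # SOAP 1.1 is sent as text/xml
    ("json", "application/json", b"{}"),
    ("get", None, b""),
]


def skipped_requests(mode: str) -> List[str]:
    """Labels of the sample requests that bypass schema validation in the given mode."""
    return [label for label, ctype, body in SAMPLE_REQUESTS
            if not should_validate(mode, ctype, body)]


if __name__ == "__main__":
    for mode in ("content-type", "enabled", "strict"):
        print(f"{mode:13s} skips: {skipped_requests(mode)}")
```

In the default mode a request whose body is SOAP but whose Content-Type is not `application/soap+xml` (a SOAP 1.1 message sent as `text/xml`, or a client deliberately mislabelling the body) is not analysed. If your service accepts such requests, select `enabled` or `strict`.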
Authentication
- PAT-756: Set `-Dotel.instrumentation.metro.enabled=false` for nevisAuth.
  - OpenTelemetry does not support tracing of these SOAP calls.
- ⚠️ PAT-710: Apply `Custom Attributes` to `RemoteOutOfContextDataStore` as well.
  - If you have attributes that should only be applied to the `RemoteSessionStore`, use the prefix `session:` in the attribute name.
- PAT-707: Support configuration of the number of worker threads for nevisAuth.
- PAT-693: Updated the `JWT Token` pattern to be compatible with the latest nevisAuth release.
Identity Management
- PAT-507: Support upload of additional resources for `nevisDataPorter Instance`.
- PAT-704: The nevisIDM Second Factor pattern now validates that the found credentials are active and within their validity period.
- PAT-722: The `nevisIDM Authorizations` pattern now adds default values to Roles where no setting is defined in the pattern.
- PAT-722: The `nevisIDM Authorizations` pattern now accepts `MultiClient` authorization as well.
- PAT-726: Password validation now displays errors correctly when using the Self-Registration flow in the Simple Sign-in / Sign On Template.
- PAT-743: Added a SYSLOG formatting option for `nevisIDM`'s batch log.
- PAT-745: Created a pattern for the `nevisIDM Create Credential` AuthState.
- PAT-763: The path of the password reset in nevisIDM Password Login is now automatically added to the allowed application paths.
- PAT-770: The `nevisIDM Authorizations` pattern now handles fine-grained authorizations for `UserModify` and `UserSearch` authorization.
SAML / OAuth / OpenID Connect
- PAT-753: New setting `Remove Empty Claim(s) In Token` in `OAuth 2.0 Authorization Server / OpenID Provider`.
- PAT-701: Updated the translation text for the OAuth2 / OpenID Connect consent screen.
- PAT-744: Fixed invalid generation of the nevisIDM HttpClient in Social Login patterns.
- PAT-742: The `IDP URL` in the `SAML IDP Connector` now supports EL expressions.
- PAT-716: Fixes in SAML patterns to support logout messages via SOAP.
FIDO2 Passwordless
- PAT-729: Support authenticator allow-listing in `nevisFIDO FIDO2 Instance`.
Mobile Authentication
- PAT-541: Configuration of `fido-uaf.timeout.device-request`.
- PAT-730: Support for Android Key Attestation (FIDO UAF Full Basic Attestation).
- PAT-735: Updated the default metadata file to support both RSA and new EC algorithms for Android UAF authenticators.
- PAT-748: Support REST-only usage of nevisIDM in nevisFIDO.
- PAT-694: Add new wildcard facetID entries to replace the old specific values.
- PAT-618: New pattern `nevisFIDO UAF Device Service`.
- PAT-739: Support assignment of `nevisFIDO UAF Connector` in the `Out-of-band Mobile Onboarding` pattern.
- NEVISAUTH-4768: The mobile authentication JavaScripts now only schedule a single polling request at a time, preventing "parallel polling" in the same session.
User Behavior Analytics
- ⚠️ NEVISDETECT-1874: nevisAdapt patterns were moved to a new nevisAdmin 4 plugin: `nevisadmin-plugin-nevisadapt`.
  - The package name of all related patterns changed, so it is important to run the automatic migration script to avoid errors.
  - Make sure that the new package is enabled when setting up a project with nevisAdapt.
- ⚠️ NEVISDETECT-1954: The observation timeframe inside `nevisAdapt Instance` was moved to its own pattern, along with other cleanup-related timeframes, which can be linked into `nevisAdapt Instance`.
  - The automatic migration script takes care of this change if a specific value was set in the original project.
Patterns 8.2405.3 Release Notes - 2024-10-17
Release information
- Build Version: 8.2405.3.0
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASE / 2024 May.
Enter the version in the Search field: 8.2405.3.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
Identity Management
- ⚠️ PAT-749: Modified the nevisIDM Password Login pattern to verify whether the URL from which the login page is opened in the Password Reset use case is startable.
  The new functionality can be fine-tuned using the `Redirection Path Validation Mode`, `Application Path Fallback`, and `Custom Redirection Path Validation Regexes` properties in the Password Reset tab of the pattern. If newline or carriage return characters can appear in your protected URL paths, fine-tuning of the settings may be required, as the new default settings block them.
Patterns 8.2405.2 Release Notes - 2024-08-30
Release information
- Build Version: 8.2405.2.0
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASE / 2024 May.
Enter the version in the Search field: 8.2405.2.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
Identity Management
- PAT-722: The `nevisIDM Authorizations` pattern now adds default values to Roles where no setting is defined in the pattern.
- PAT-722: The `nevisIDM Authorizations` pattern now accepts `MultiClient` authorization as well.
- PAT-726: The `nevisIDM Password Create` pattern now correctly checks passwords.
Patterns 8.2405.1 Release Notes - 2024-07-25
Release information
- Build Version: 8.2405.1.x
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASE / 2024 May.
Enter the version in the Search field: 8.2405.1.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
General
- PAT-706: Replace nested `${var` expressions in patterns that support referencing inventory variables.
Application Protection
- PAT-688: Fixed an unexpected error when using a variable for the `Public Key` of the `JWT Access Restriction` pattern.
Authentication
- PAT-710: Apply `Custom Attributes` to `RemoteOutOfContextDataStore` as well.
  - ⚠️ If you have attributes that should only be applied to the `RemoteSessionStore`, use the prefix `session:` in the attribute name.
Identity Management
- PAT-507: Upload of additional resources for `nevisDataPorter Instance`.
SAML / OAuth / OpenID Connect
- PAT-716: Adapted the Groovy script used by SAML patterns to extract SOAP single logout messages.
nevisAdmin 8.2405.1 Release Notes - 2024-06-26
Release information
- RPM: nevisadmin4-8.2405.1.0-1.noarch.rpm
- GUI Version: FE 8.2405.0-1300 - BE 8.2405.1.0
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Notable changes and bug fixes
- FIXED: CORS preflight requests are no longer rejected. (NEVISADMV4-10021)
nevisAdmin 8.2405.0 Release Notes - 2024-05-15
Release information
- RPM: nevisadmin4-8.2405.0.7-1.noarch.rpm
- GUI Version: FE 8.2405.0-1300 - BE 8.2405.0.7
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
- CHANGED: Due to the shallow checkout feature, Kubernetes deployments no longer work with uninitialized repositories. (NEVISADMV4-10018)
Main improvement
- NEW: Inventory scoped secrets, secret files, and files can now be converted into global scoped secrets, secret files, and files respectively, on the Secrets & Files screen. (NEVISADMV4-9746)
- NEW: nevisAdmin 4 now collects anonymized analytics data. This helps us understand better how nevisAdmin 4 is used. (PRODROAD-402)
  Note: nevisAdmin 4 only collects data; it does not send it to us without explicit user interaction. For more information, see product-analytics.
Notable changes and bug fixes
- IMPROVED: Issues with INFO severity are now logged at DEBUG log level instead of INFO log level, for better log readability. This change only affects issues (mostly the ones created during the validation of configurations), not all log messages. (NEVISADMV4-9878)
- IMPROVED: The deployment process now creates a shallow clone of the deployment repository. (NEVISADMV4-9293)
- IMPROVED: In the Inventory Editor, validation errors that can be traced to specific lines are now displayed inline in the editor instead of only in the page header. (NEVISADMV4-9481)
- IMPROVED: The log viewer dialog (for pod's or nevisAdmin 4's logs) now lets you turn on line wrapping. The preference is sticky among logs. (NEVISADMV4-9890)
- FIXED: Using REST requests, it used to be possible to deploy projects with inventories that are not in the same tenant as the project. Such requests are now rejected. (NEVISADMV4-9556)
- FIXED: We fixed a GUI issue in the pattern editor where an error was thrown when a variable was assigned to a multi-select type of pattern field. (NEVISADMV4-8774)
- FIXED: The file tree in the Generation Results in the Deployment Wizard no longer throws errors or becomes unresponsive when the tree has a lot of items. Moving the divider between the file tree and the file content previewer also became easier. (NEVISADMV4-9519)
- FIXED: The authentication flow tree (in the right sidebar of the pattern editor) mixed up multiple occurrences of the same pattern when navigating using the links in the tree. Now those links correctly select the expected pattern in the tree. (NEVISADMV4-9778)
Dependency upgrades
- org.eclipse.jgit 6.9.0.202403050737-r (NEVISADMV4-9293)
- jsch 0.2.17 (NEVISADMV4-9812)
- jackson 2.17.0 (NEVISADMV4-9922)
- jetty-rewrite 12.0.8 (NEVISADMV4-9922)
- groovy 4.0.20 (NEVISADMV4-9922)
- aspectjweaver 1.9.22 (NEVISADMV4-9922)
- jakarta-activation-api 2.1.3 (NEVISADMV4-9922)
- jakarta-xml-bind-api 4.0.2 (NEVISADMV4-9922)
- jaxb-runtime 4.0.5 (NEVISADMV4-9922)
- slf4j-api 2.0.12 (NEVISADMV4-9812)
- logback-classic 1.5.3 (NEVISADMV4-9922)
- guava 33.1.0-jre (NEVISADMV4-9922)
- commonmark 0.22.0 (NEVISADMV4-9922)
- opensaml 4.3.1 (NEVISADMV4-9922)
- spring-boot 3.2.5 (NEVISADMV4-9942)
- springdoc-openapi-starter-webmvc-ui 2.5.0 (NEVISADMV4-9922)
- mariadb-java-client 3.3.3 (NEVISADMV4-9812)
- postgresql 42.7.3 (NEVISADMV4-9922)
- nimbus-jose-jwt 9.37.3 (NEVISADMV4-9812)
- bcprov-jdk18on 1.78 (NEVISADMV4-9922)
- bcpkix-jdk18on 1.78 (NEVISADMV4-9922)
- bcpg-jdk18on 1.78 (NEVISADMV4-9922)
- bcutil-jdk18on 1.78 (NEVISADMV4-9922)
- kubernetes-java-client 20.0.1 (NEVISADMV4-9922)
- micrometer 1.12.4 (NEVISADMV4-9922)
Patterns 8.2405.0 Release Notes - 2024-05-15
Release information
- Build Version: 8.2405.0.6
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2024 May.
Enter the version in the Search field: 8.2405.0.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
General
- ⚠️ The image version encoded in the patterns has been raised to `8.2405.0` for all components. If you are deploying to Kubernetes, you have to push all required images to your container registry before deployment.
- PAT-639: Added a `Deployment Environment` drop-down to the `Java Observability Settings` pattern.
- PAT-657: Ensure errors caused by uploaded XML files are shown in the pattern where the file is uploaded.
- PAT-675: Fixed duplicate Java agent configuration in `env.conf` when using the `Java Observability Settings` pattern.
- PAT-667: Support generation of `otel` configuration based on inventory variables.
- ⚠️ PAT-660: Support 2-way TLS with PostgreSQL for Java components.
  - The value `enabled` does not exist anymore, and you have to select a different value. We recommend using `verify-ca` or `verify-full` in combination with a `Trust Store` instead (in PostgreSQL `sslmode` terms, `verify-full` additionally checks that the server certificate matches the configured host name).
- ⚠️ PAT-631: Kubernetes deployments will now use startup probes to allow for longer startup times.
  - Additionally, the liveness and readiness probe timings were tightened, and the liveness and readiness delay configuration options were removed.
  - Make sure to upgrade to the latest version of the nevisOperator and its corresponding CRDs before deploying with the new plugin version.
Application Protection
- PAT-547: The generated dynamic `SecurityRoleFilter` no longer stores the intercepted requests by default.
- PAT-651: The `StateKey` parameter is no longer generated for `SecurityRoleFilter`.
- PAT-651: Added an option to configure custom parameters for the `SecurityRoleFilter` in realms.
- ⚠️ PAT-659: Support 2-way TLS with PostgreSQL for nevisProxy.
  - The value `enabled` does not exist anymore, and you have to select a different value. We recommend using `verify-ca` or `verify-full` in combination with a `Trust Store` instead.
- PAT-658: Updated `navajo.xml` generation to match the latest navajo DTD version.
- PAT-674: Fixed an error during background generation when using a nevisAdmin `${var` expression and using only a variable as `param-value` in a `servlet` or `filter` in `Generic Virtual Host Settings` or `Generic Application Settings`.
Authentication
- PAT-673: Support configuration of arbitrary `KeyObject` elements by allowing the `nevisAuth KeyObject` pattern to be assigned to `nevisAuth Instance`.
- PAT-673: Support configuration of `property` elements for `KeyObject` in the `nevisAuth KeyObject` pattern.
- PAT-669: Support configuration of custom Audit channels for nevisAuth.
- PAT-657: Support child `Mapping` for `Method` in `Generic nevisAuth Web Service`.
- PAT-652: New setting `Shared Groovy Scripts` on `nevisAuth Instance`.
- PAT-642: Fix requirement clash when reusing `JSON Response Step`.
- N/A: Fixed corrupted binary files being deployed when uploading them to `Custom Resources` in `nevisAuth Instance`.
Identity Management
- PAT-680: For permissions related to credentials (such as CredentialChangeState, CredentialCreate, CredentialDelete, CredentialModify, CredentialPdfView, CredentialSearch, CredentialView, and CredentialViewPlainValue), it is now possible to reduce the elementary permission to a specific credential type. Example: `CredentialCreate.PASSWORD`
- PAT-663: Avoid file clash when creating the same nevisIDM property with different scopes.
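Reducing an elementary permission to one credential type (PAT-680 above) is a least-privilege refinement: a help-desk role that only needs to set passwords no longer has to hold `CredentialCreate` for every credential type. The following is an added example, not nevisIDM's own authorization code, showing how such a reduced permission is parsed and checked. Assumptions: an unreduced grant still covers every credential type, a grant reduced to one type does not satisfy a request for the unreduced permission, and the credential type names other than `PASSWORD` (and the help-desk grant) are made up for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Elementary permissions that may be reduced with a ".<CREDENTIAL_TYPE>" suffix (list from the release note).
CREDENTIAL_PERMISSIONS = frozenset({
    "CredentialChangeState", "CredentialCreate", "CredentialDelete", "CredentialModify",
    "CredentialPdfView", "CredentialSearch", "CredentialView", "CredentialViewPlainValue",
})


@dataclass(frozen=True)
class Permission:
    name: str
    credential_type: Optional[str] = None  # None: not reduced, applies to every credential type

    @classmethod
    def parse(cls, text: str) -> "Permission":
        """Parse 'CredentialCreate' or 'CredentialCreate.PASSWORD'. Only the credential
        permissions may carry a type suffix."""
        name, sep, ctype = text.partition(".")
        if sep and name not in CREDENTIAL_PERMISSIONS:
            raise ValueError(f"{name} cannot be reduced to a credential type")
        if sep and not ctype:
            raise ValueError(f"{text}: empty credential type")
        return cls(name, ctype or None)

    def covers(self, required: "Permission") -> bool:
        """True if a grant of self satisfies the required permission.

        Assumption: an unreduced grant covers every type; a reduced grant covers only
        that type and never an unreduced requirement.
        """
        if self.name != required.name:
            return False
        if self.credential_type is None:
            return True
        return self.credential_type == required.credential_type


def parse_ok(text: str) -> bool:
    """True if text is a syntactically valid (possibly reduced) permission."""
    try:
        Permission.parse(text)
        return True
    except ValueError:
        return False


def is_allowed(granted: Iterable[str], required: str) -> bool:
    """Check a required permission against a user's granted permissions."""
    need = Permission.parse(required)
    return any(Permission.parse(g).covers(need) for g in granted)


if __name__ == "__main__":
    # Constructed grant for a help-desk role: may create and view passwords only, and search users.
    helpdesk = ["CredentialCreate.PASSWORD", "CredentialView.PASSWORD", "UserSearch"]
    for req in ("CredentialCreate.PASSWORD", "CredentialCreate.OTP",
                "CredentialViewPlainValue.PASSWORD", "UserSearch"):
        print(req, "->", is_allowed(helpdesk, req))
```

When you audit roles after upgrading, look for grants of the unreduced credential permissions and ask whether each really needs every credential type; `CredentialViewPlainValue` in particular is worth reducing, since a reduced `CredentialView` grant does not imply it.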
Mobile Authentication
- ⚠️ PAT-668: The following 2 values have been removed from the default facets in `nevisFIDO UAF Instance`:
  - `android:apk-key-hash:z7Xkw62dAn/BsckOQ9a3OMhmlwhzdr2VkcswIIyJgJE`
  - `ios:bundle-id:ch.nevis.accessapp.presales.k8s`
- PAT-641: Fix HTTP connection to nevisFIDO for `Out-of-band Mobile Onboarding`.
SAML / OAuth / OpenID Connect
- PAT-644: Allow configuring no scopes for `Generic Social Login Step`.
- PAT-643: Fix error when `Schema User Password` is missing in classic deployment.
- ⚠️ PAT-635: The `Scope(s)` that can be configured in Social Login patterns (Apple, Google, Facebook, Microsoft) have been adapted.
  - If you use any of these patterns, check the configuration of your pattern. See the help for `Scope(s)` for details.
User behavior analytics
- NEVISDETECT-1827: updated nevisAdapt Demo app in the template.
- NEVISDETECT-1831: Added option to disable private IP filtering and configure default country code in that case.
- NEVISDETECT-1834: Added an option to enable `Apache Hostname Verifier` under `nevisAdapt Instance` / `Advanced Settings`.
- NEVISDETECT-1835: Added an option to disable nevisAdapt analyzers, either on module or analyzer level.
Patterns 7.2402.2 Release Notes - 2024-10-17
Release information
- Build Version: 7.2402.2.3
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2024 February.
Enter the version in the Search field: 7.2402.2.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
Authentication
- PAT-670: We added the `disabled` and `CUSTOM` options to session tracking.
- PAT-669: We extended the nevisAuth Log Settings pattern to allow configuration of custom audit services.
Identity Management
- ⚠️ PAT-749: Modified the nevisIDM Password Login pattern to verify whether the URL from which the login page is opened in the Password Reset use case is startable.
  The new functionality can be fine-tuned using the `Redirection Path Validation Mode`, `Application Path Fallback`, and `Custom Redirection Path Validation Regexes` properties in the Password Reset tab of the pattern. If newline or carriage return characters can appear in your protected URL paths, fine-tuning of the settings may be required, as the new default settings block them.
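The check introduced by PAT-749 (listed here and in the Patterns 8.2405.3 notes above) is a guard against open redirects and header injection at the end of the password reset flow. The following Python is an added example, not the pattern's own implementation: it reduces the URL the login page was opened from to a normalized path and accepts it only if it is startable, i.e. lies under one of the protected application paths, or, in the alternative mode, fully matches one of the custom regexes; otherwise it returns the application path fallback. CR and LF anywhere in the URL are rejected by default, as the note describes. The mode names, the `block_crlf` toggle and all application paths are assumptions made for the example.

```python
import posixpath
import re
from typing import Iterable, Optional, Sequence
from urllib.parse import unquote, urlsplit

CRLF = re.compile(r"[\r\n]")


def normalize_path(url: str) -> str:
    """Reduce an absolute URL or relative reference to a percent-decoded, dot-segment-free
    path. Scheme, host, query and fragment are dropped on purpose: the result can only
    ever name a path on the login page's own origin."""
    path = unquote(urlsplit(url).path) or "/"
    normalized = posixpath.normpath(path)
    if path.endswith("/") and normalized != "/":
        normalized += "/"  # normpath strips the trailing slash; keep it for prefix matching
    return normalized


def is_startable(path: str, application_paths: Iterable[str]) -> bool:
    """True if path is one of the protected application paths or lies beneath one."""
    for app in application_paths:
        base = app.rstrip("/")
        if path == base or path == base + "/" or path.startswith(base + "/"):
            return True
    return False


def validate_redirection_path(url: str, application_paths: Sequence[str], fallback: Optional[str],
                              mode: str = "application-paths", custom_regexes: Sequence[str] = (),
                              block_crlf: bool = True) -> Optional[str]:
    """Path to send the user to after the password reset, or fallback if url is rejected.

    mode 'application-paths': accept when is_startable()                (assumed default)
    mode 'custom-regexes'   : accept when a regex fully matches the normalized path
    block_crlf mirrors the new default: CR or LF anywhere in the URL rejects it.
    """
    if block_crlf and CRLF.search(url):
        return fallback
    path = normalize_path(url)
    if mode == "application-paths":
        accepted = is_startable(path, application_paths)
    elif mode == "custom-regexes":
        accepted = any(re.fullmatch(rx, path) for rx in custom_regexes)
    else:
        raise ValueError(f"unknown Redirection Path Validation Mode: {mode!r}")
    return path if accepted else fallback


if __name__ == "__main__":
    apps = ["/app/", "/selfservice"]  # constructed protected application paths
    for candidate in ("https://www.example.com/app/start?step=2", "/app/../admin/",
                      "/app/%2e%2e/admin", "/app/x\r\nLocation: https://evil.example/",
                      "https://evil.example/app/start", "/selfservicex"):
        print(repr(candidate), "->", validate_redirection_path(candidate, apps, fallback="/app/"))
```

Because the function returns a path and never the caller-supplied host, an absolute URL that points at another host is reduced to its path, which is the safe outcome for a post-reset redirect. Relax `block_crlf` only if, as the note says, such characters legitimately occur in your protected application paths.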
Patterns 7.2402.1 Release Notes - 2024-03-08
Release information
- Build Version: 7.2402.1.3
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2024 February.
Enter the version in the Search field: 7.2402.1.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience.
Review these changes carefully, and adapt your pattern configuration as required.
General
- ⚠️ The 7.2402.1 patch release of Nevis includes new docker images. You have to download these as well. The image version encoded in the pattern has been raised to `7.2402.1` for all components which are part of this release:
  - nevisproxy
  - nevisidm
  - nevismeta
  - nevisfido
  - nevisdp
Authentication
- N/A: Fixed corrupted binary files being deployed when uploading them to `Custom Resources` in `nevisAuth Instance`.
- PAT-642: Fix requirement clash when reusing `JSON Response Step`.
- PAT-652: New advanced setting `Shared Groovy Scripts` on `nevisAuth Instance`.
- ⚠️ PAT-654: The default maximum session lifetime has been reduced to 8 hours, to align the realm pattern with the defaults of nevisAuth. The original value of 12 hours had the benefit that end-users logging into an office account only have to log in once during a business day, with the drawback of generating more and longer-lasting sessions overall. If you want to go back to the "once a day login", set the maximum session lifetime back to 12 hours in your realm patterns.
- PAT-657: Support the child element `Mapping` for the `Method` element in the `Generic nevisAuth Web Service` pattern.
- PAT-657: Ensure errors caused by uploaded XML files are shown where the XML file is uploaded.
Mobile Authentication
- PAT-641: Fix HTTP connection to nevisFIDO for `Out-of-band Mobile Onboarding`.
nevisAdmin 7.2402.0 Release Notes - 2024-02-21
Release information
- RPM: nevisadmin4-7.2402.0.30-1.noarch.rpm
- GUI Version: FE 7.2402.0-1163 - BE 7.2402.0.30
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Main improvement
- NEW: An inactivity timeout can now be set with the `jwt.token.inactivity.timeout` property. Users who are inactive for the amount of time specified by this property are logged out. (NEVISADMV4-9611)
- NEW: Product analytics reports can now be downloaded from the top right context menu. (NEVISADMV4-9729)
- NEW: Local changes to version controlled inventories can now be reverted. (NEVISADMV4-9769)
- NEW: The search feature is extended to content of inventory yamls, and the description and file names of secrets, inventory secret files, and inventory files. (NEVISADMV4-9697)
- NEW: Passkey project template (PRODROAD-431)
Notable changes and bug fixes
- IMPROVED: When viewing logs of Kubernetes pods (also the logs of nevisAdmin4 itself when it is running on Kubernetes), the dialog for that is now bigger, shows up to 100000 lines, and uses the same advanced editor as the inventory editor. This allows for more thorough log inspection without having to download and open them in an external editor. (NEVISADMV4-9187)
- IMPROVED: When using the recently released Search feature, the search term is now highlighted in the result snippets, making it easier to identify the correct search result. (NEVISADMV4-9648)
- IMPROVED: Validation messages in multiple places (Pattern Editor, Deployment Wizard) now force wrap their content if it is long without spaces thus making it readable without scrolling, but keep the normal wrapping for non-technical messages. (NEVISADMV4-9291)
- IMPROVED: The pattern category filter buttons above the pattern list are now ordered alphabetically. When there are many of them, it is easier to find the correct one. (NEVISADMV4-9501)
- IMPROVED: It is now possible to use percentage based autoscaling for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-9792)
Dependency upgrades
- org.eclipse.jgit 6.8.0.202311291450-r (NEVISADMV4-9675)
- jsch 0.2.13 (NEVISADMV4-9675)
- jackson 2.16.0 (NEVISADMV4-9675)
- jetty-rewrite 11.0.18 (NEVISADMV4-9675)
- groovy 4.0.16 (NEVISADMV4-9675)
- jaxb-runtime 4.0.4 (NEVISADMV4-9675)
- logback-classic 1.4.14 (NEVISADMV4-9675)
- spring-boot 3.1.6 (NEVISADMV4-9675)
- spring-dependency-management-plugin 1.1.4 (NEVISADMV4-9675)
- springdoc-openapi-starter-webmvc-ui 2.3.0 (NEVISADMV4-9675)
- mariadb-java-client 3.3.1 (NEVISADMV4-9675)
- postgresql 42.7.1 (NEVISADMV4-9675)
- shiro 1.13.0 (NEVISADMV4-9675)
- nimbus-jose-jwt 9.37.2 (NEVISADMV4-9675)
- bcprov-jdk18on 1.77 (NEVISADMV4-9675)
- bcpkix-jdk18on 1.77 (NEVISADMV4-9675)
- bcpg-jdk18on 1.77 (NEVISADMV4-9675)
- bcutil-jdk18on 1.77 (NEVISADMV4-9675)
- kubernetes-java-client 19.0.0 (NEVISADMV4-9675)
- micrometer 1.12.0 (NEVISADMV4-9675)
Patterns 7.2402.0 Release Notes - 2024-02-21
Release information
- Build Version: 7.2402.0.7
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2024 February.
Enter the version in the Search field: 7.2402.0.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience.
Review these changes carefully, and adapt your pattern configuration as required.
General
- PAT-576: Adapted the default log format of all components to include the `trace_id` and `span_id` provided by OpenTelemetry. If OpenTelemetry is disabled, the log format will still work but these IDs will be missing.
- PAT-599: Fixed duplication within `JAVA_OPTS` when using space as a separator.
- PAT-607: Support tracing with OpenTelemetry out of the box by loading the agent by default.
Application Protection
- PAT-492: Added setting `Overwrite Status Codes` in the `Error Handling` pattern.
- PAT-520/PAT-585: Support serving content from subdirectories in the `Hosting Service` pattern.
- PAT-572: Added `Country IP` filtering to the `Access Restriction` nevisProxy pattern.
- PAT-600: Added `Liveness Delay`, `Readiness Delay` and `Probe Periodicity` settings to the `nevisProxy Instance` pattern.
- ⚠️ PAT-621: Updated the generation of the `AutoRewrite` init-param for the `Http(s)ConnectorServlet` to the supported values.
- NEVISPROXY-6945: Updated the `nevisProxy Observability Settings` pattern to generate the OpenTelemetry configuration in `navajo.xml` instead of the `TelemetryFilter`. The pattern settings stay the same.
- ⚠️ NEVISPROXY-6945: Removed the `Virtual Host Observability Settings` pattern. Due to the refactoring of the OpenTelemetry integration in nevisProxy, the configuration now applies to the whole instance.
Authentication
- ⚠️ PAT-364: Updated the generation of the `RenewIdentification` init-param for the `IdentityCreationFilter` to its new Boolean type.
- PAT-574: Support resolving inventory variables in resources uploaded to `Generic Authentication Step`.
- PAT-578: Added session setting `Update Session Timestamp Interval` in realm patterns.
- PAT-594: Added setting to configure `init-param` values for `Esauth4ConnectorServlet` in realm patterns.
- PAT-608: Improved the issue text shown when attempting to configure `-Dfile.encoding`. Only UTF-8 is allowed.
- PAT-609: Support `connectionMaxLifeTime` configuration.
- PAT-610: Removed `lodash.js` from the pattern JAR as it is unused.
- PAT-628: Support dynamic expressions in `JSON Response Step`.
Identity Management
- PAT-579: Improved `nevisIDM Custom Property` pattern help.
- PAT-611: Adapted `nevisIDM URL Ticket Consume` so that the ticket is not consumed on reload or language change.
- PAT-615: Extended the `nevisIDM User Lookup` pattern with a `Buttons` setting.
- PAT-620: Support 2-way TLS for `nevisIDM Database`.
  - ⚠️ The value `enabled` does not exist anymore, and you have to select a different value. We recommend using `verify-ca` or `verify-full` in combination with a `Trust Store` instead.
Mobile Authentication
- PAT-601: `Transaction Confirmation` now exposes the `/nevisfido/token/dispatch/authentication` endpoint.
- PAT-632: Use nevisIDM SOAP service version `v1_46` because of new requirements in mobile authentication.
- PAT-663: Expose the new nevisFIDO endpoints `/nevisfido/devices/credentials` and `/nevisfido/devices/oobOperations` in mobile auth patterns.
SAML / OAuth / OpenID Connect
- PAT-562: Improved `Hosting Service` configuration in Social Login project templates.
- PAT-565: Adapted the script used for `Apple Login` to be compatible with the latest release of nevisAuth.
- PAT-577: Fixed `OAuth2 UserInfo Signer` keystore missing signer usage.
- PAT-630: Fixed `OAuth 2.0 / OpenID Connect User Info` to generate the correct `MappingType` and `URIPrefix` when using an `exact:/` path as `Endpoint`.
- IDC-3892: Fixed an issue with the CORS filter generated by the `OAuth2 Client` pattern (Identity Cloud only).
User behavior analytics
- PAT-582: Ensure untrained step is invoked during generation.
- PAT-584: Cleanups in nevisAdapt / nevisDetect Instance patterns, log settings, addons and observability patterns.
nevisAdmin 7.2311.1 Release Notes - 2024-01-16
Release information
- RPM: nevisadmin4-7.2311.1.0-1.noarch.rpm
- GUI Version: FE 7.2311.1-1116 - BE 7.2311.1.0
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Notable changes and bug fixes
- FIXED: We fixed an issue with the Authentication Flow Graph that caused the graph to crash and not display. (NEVISADMV4-9678)
nevisAdmin 7.2311.0 Release Notes - 2023-11-15
Release information
- RPM: nevisadmin4-7.2311.0.10-1.noarch.rpm
- GUI Version: FE 7.2311.0-1066 - BE 7.2311.0.10
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
- CHANGED: We upgraded to Java 17 and Groovy 4, so older plugin versions are not compatible with this version. The usual one-version backward compatibility cannot be provided. (PRODROAD-321) (PRODROAD-322)
- CHANGED: The new Jetty version used in nevisAdmin 4 performs stricter validation of TLS connections: the SNI is checked against the hostname in the configured certificate. (NEVISADMV4-9142)
- CHANGED: The Git deployment repository is now separated into namespace folders when using Git deployments. (NEVISADMV4-9506)
Main improvement
- NEW: The GUI editor of the attachment property now displays line numbers, and also applies syntax highlight to some common file types if it can identify the file type based on the extension. (NEVISADMV4-9403)
- NEW: We added a new search window. You can use it to search in all patterns, attachments, and more. (NEVISADMV4-9465)
- NEW: We added the possibility to compare inventories, which makes it easier to work with multiple stages of infrastructure, like dev, QA, prod. (NEVISADMV4-9457)
- NEW: We added multiple ways to get informed about how others work on the same resource. On the configuration tab near the project name, a user icon signals if others changed the project since you last worked on it, and it also notifies with a subtle real-time animation if there is a change in the same project. The Deploy button and the deployment wizard now signal in real time with spinners when a deployment is in progress. (NEVISADMV4-9488)
- NEW: Git deployments can now be performed with side-by-side deployment strategy. (NEVISADMV4-9506)
- NEW: Git deployments can now be deleted. (NEVISADMV4-9593)
Notable changes and bug fixes
- IMPROVED: The inventory validation now detects invalid characters in the kubernetes token. (NEVISADMV4-9444)
- IMPROVED: Pod affinity settings will now apply to the migration jobs when using Kubernetes deployment. (NEVISADMV4-9595)
- IMPROVED: The default `imagePullPolicy` can now be configured in the inventory for Kubernetes deployments. (NEVISADMV4-9446)
- FIXED: The deployment preview no longer considers all nevisComponents unchanged if the git tag for the upstream is not found. Now these components are considered new. (NEVISADMV4-9244)
- FIXED: We fixed a bug that sometimes caused patterns with attachments to have an inaccurate timestamp. (NEVISADMV4-9436)
- FIXED: Hibernate ddl validation is now disabled by default for PostgreSQL because it does not work when the schema username contains uppercase letters. (NEVISADMV4-9443)
- FIXED: Improved validation on operations that can create project variables, to better prevent inconsistent states. (NEVISADMV4-9485)
- FIXED: The name of the remote temporary upload directory is randomized for classic deployments to avoid naming conflicts. (NEVISADMV4-9587)
Dependency upgrades
- jaxb-runtime 4.0.3 (NEVISADMV4-9406)
- jsch 0.2.11 (NEVISADMV4-9406)
- jetty-rewrite 11.0.16 (NEVISADMV4-9533)
- groovy 4.0.15 (NEVISADMV4-9533)
- jakarta-annotation-api 2.1.1 (NEVISADMV4-9142)
- jakarta-activation-api 2.1.2 (NEVISADMV4-9172)
- jakarta-xml-bind-api 4.0.1 (NEVISADMV4-9533)
- spring-boot 3.1.4 (NEVISADMV4-9533)
- spring-dependency-management-plugin 1.1.3 (NEVISADMV4-9406)
- opensaml 4.3.0 (NEVISADMV4-9126)
- apache-el is removed (NEVISADMV4-9126)
- springdoc-openapi-starter-webmvc-ui 2.2.0 (replacing springdoc-openapi-ui) (NEVISADMV4-9406)
- org.eclipse.jgit 6.6.0.202305301015-r (NEVISADMV4-9406)
- jackson 2.15.3 (NEVISADMV4-9533)
- logback-classic 1.4.11 (NEVISADMV4-9406)
- guava 32.1.3-jre (NEVISADMV4-9533)
- snakeyaml 2.2 (NEVISADMV4-9533)
- aspectjweaver 1.9.20.1 (NEVISADMV4-9533)
- postgresql 42.6.0 (NEVISADMV4-9406)
- shiro 1.12.0 (NEVISADMV4-9406)
- bcprov-jdk18on 1.76 (NEVISADMV4-9406)
- bcpkix-jdk18on 1.76 (NEVISADMV4-9406)
- bcpg-jdk18on 1.76 (NEVISADMV4-9406)
- bcutil-jdk18on 1.76 (NEVISADMV4-9406)
- slf4j-api 2.0.9 (NEVISADMV4-9533)
- mustache 0.9.11 (NEVISADMV4-9533)
- mariadb-java-client 3.2.0 (NEVISADMV4-9533)
- nimbus-jose-jwt 9.37 (NEVISADMV4-9533)
- spring-security 5.8.7 (NEVISADMV4-9533)
- jetty 9.4.53.v20231009 (NEVISADMV4-9552)
Patterns 7.2311.0 Release Notes - 2023-11-15
Release information
- Build Version: 7.2311.0.12
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2023 November.
Enter the version in the Search field: 7.2311.0.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience.
Review these changes carefully, and adapt your pattern configuration as required.
General
- PAT-478/PAT-521: Added support for TLS encrypted database connection for PostgreSQL to all database patterns.
Application Protection
- ⚠️ PAT-421: Improved the `Maintenance Page` pattern:
  - The status code is now `503` by default. We recommend `503` as this status code is intended for service unavailable. You can opt out of this change by selecting `200`.
  - The `Base Path` where the maintenance page is hosted can now be configured. As the path is not exposed with a `servlet-mapping` this has no user impact, but it may be required to change the path in case of clashes with other hosted resources.
- PAT-555: Included `Hosting Service` patterns in the `Application Mapping Report`.
  - Only the `Frontend Path` will be reported, not all hosted resources. As there is no backend, the `Backend Addresses` column will have the text `n/a`.
- PAT-528: Escape `(` and `)` in generated `exclude-url-regex` elements.
- PAT-502: Removed the generation of deprecated `navajo.xml` elements and attributes in nevisProxy, such as `HttpSession`, `UserAgent`, `DocumentRoot`, `MemorySize`.
- PAT-503: Increased the maximum allowed value for `Session Timeout` in the `Unauthenticated Realm` pattern.
  - We advise against raising the value as this increases the DoS attack surface.
- PAT-530: Added setting `Send Certificate Chain` to the `Web Application`, `REST Service` and `SOAP Service` patterns.
- PAT-532: Added the `Crash Recovery Strategy` `kill` to the `nevisProxy Instance` pattern.
  - The default for Kubernetes deployments is `kill` as Kubernetes automatically starts a new pod.
- PAT-534: Fixed the validation of the `ModSecurity Rule Set` of `Virtual Host` to allow using a variable.
- PAT-542: Added metrics settings to the `nevisProxy Observability` pattern.
Authentication
- PAT-544: Changed the `nevisAuth Database` pattern to allow specifying whether a password is provided directly or via a command that echoes the password.
- PAT-535: Support configuration of `Allowed HTTP Methods` in authentication service patterns, such as `Standalone Authentication Flow`.
- PAT-497: Removed the `JAVA_OPTS` `-XX:+UseConcMarkSweepGC` and `-XX:+UseParNewGC` from the default configuration of nevisAuth.
- PAT-485: Moved configuration of the Out-of-context Data Store to `esauth4.xml` as required by the latest nevisAuth version.
- PAT-551: Aligned the configuration generated by `Generic SMTP` with the latest nevisAuth version.
Identity Management
- ⚠️ PAT-309: The `nevisIDM User Update` step now supports overwriting user attributes and properties.
  - Overwrite is allowed by default. You can opt out by setting `Allow Overwrite` to `disabled` in the `Advanced Settings` tab.
- PAT-529: The `nevisIDM Administration GUI` pattern now allows all methods used by the nevisIDM REST API.
- NEVISIDM-8916: The `nevisIDM Instance` pattern now handles Oracle drivers for `nevisidmdb` correctly.
Mobile Authentication
- ⚠️ PAT-559: The `nevisFIDO UAF Instance` now uses the REST API of nevisIDM for some operations. This requires a configuration change:
  - The setting `Client` in `nevisFIDO UAF Instance` has been changed to `Client ID`. Adapt your configuration and enter the ID instead of the name there.
- PAT-223: Added support for number matching for out-of-band push notifications.
- PAT-506: Migrated `nevisFIDO UAF Instance` logging from logback to log4j2.
FIDO2 Passwordless
- PAT-506: Migrated `nevisFIDO FIDO2 Instance` logging from logback to log4j2.
- PAT-489: Fixed a small issue in the JavaScript used for usernameless authentication.
- PAT-539: Extended the `nevisFIDO FIDO2 Instance` pattern for username / display mapping support.
SAML / OAuth / OpenID Connect
- PAT-478: You can now set all properties for `nevismeta.properties` with the `Custom Properties` setting in `nevisMeta Instance`.
- ⚠️ PAT-357: Refactored the `Signature Validation` in `SAML IDP Connector` and `Signed Element` in `SAML SP Connector` to provide more options. Adapt your configuration as required.
  - Removed the `both` option in `SAML SP Connector`.
  - Replaced the `both` option with `recommended` in `SAML IDP Connector`.
- N/A: Consent management can now be disabled in `OAuth 2.0 Authorization Server / OpenID Provider` by setting `Consent Screen` to `disabled`.
User behavior analytics
- PAT-305: Added support for automatic schema setup for nevisAdapt when using Oracle and PostgreSQL databases.
Patterns 4.20.1 Release Notes - 2023-09-30
Release information
- Build Version: 4.20.1.8
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2023 Aug.
Enter the version in the Search field: 4.20.1.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience.
Review these changes carefully, and adapt your pattern configuration as required.
General
- PAT-478: Apart from `nevisProxy Remote / Hybrid Session Store`, database patterns now support TLS encryption when using PostgreSQL.
- PAT-495: Support overwriting `-XX:MaxRAMPercentage` in `JAVA_OPTS`.
- PAT-498: Fixed a bug that caused multiple `Checking if %s instance '%s' had a different name before` triggers to be generated for the same instance.
Application Protection
- PAT-500: Fixed the generation of `DynamicConfigFilter` in nevisProxy patterns.
- PAT-509: Fixed the `class-name` of the `RewriteFilter` generated by `Hosting Service` when configuring `Rewrite Rules`.
- PAT-512: Fixed the generation of the `ConnectString` parameter when using PostgreSQL in `nevisProxy Remote / Hybrid Session Store`.
Authentication
- PAT-480: Removed the `Authentication Flow` category from step patterns.
  - The corresponding settings can now be found in the `Basic Settings` tab.
  - This makes navigation between steps easier as you don't have to switch tabs.
- PAT-486: Support setting a `Custom Classpath` for `Groovy Script Step`.
- PAT-488: Fixed wrong schema user password generation for the nevisAuth OOCDS.
- N/A: The `Groovy Script Step` now validates that steps assigned to `On Success`, `On Failure`, and `Custom Follow-up Steps` are used in the script.
  - As the validation could produce false positives, the generated issues are `INFO` level issues for now.
Identity Management
- PAT-409: nevisIDM batch jobs now use a proper value for `org.quartz.jobStore.driverDelegateClass` when PostgreSQL is used.
- PAT-501: Fixed a `NullPointerException` caused by `nevisIDM Password Login` when `Login Type` is set to `AUTO` or `EMAIL`.
- NEVISIDM-8916: Fixed an issue with Oracle driver deployment where an empty file was copied for `nevisIDMDB`.
SAML / OAuth / OpenID Connect
- PAT-471: Removed the setting `ID Token Lifetime` in the `OAuth 2.0 Authorization Server / OpenID Provider` pattern.
  - This setting does not have any effect in setups which use nevisMeta, as the ID token lifetime is configured there.
- PAT-482: Exclude `CSRF protection` on `SAML IDP` `Frontend Path(s)`.
- N/A: `Consent Management` can now be disabled in `OAuth 2.0 Authorization Server / OpenID Provider`.
User behavior analytics
- PAT-515: Fixed ubi tool version for nevisAdapt.
- NEVISDETECT-1729: Removed the validation check for the maximum value of `Medium Risk Threshold` and `High Risk Threshold`.
- NEVISDETECT-1754: Added default browser fingerprint risk scores.
nevisAdmin 4.20.0 Release Notes - 2023-08-16
Release information
- RPM: nevisadmin4-4.20.0.13-1.noarch.rpm
- GUI Version: FE 4.20.0-995 - BE 4.20.0.13
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
- CHANGED: The REST endpoint `GET /api/v1/tenants/{tenantKey}/constants` does not return the `usedIn` field anymore by default, due to its computational complexity. If you need this field, call the API with the `?usedIn=true` query parameter. (NEVISADMV4-9332)
- CHANGED: The RSA/SHA1 signature algorithm is disabled by default for the ssh connection used for classic deployments and git. (NEVISADMV4-9136)
  If you still need this insecure signature algorithm you have to either:
  - Edit `var/opt/nevisadmin4/conf/env.conf` and add these system properties:
    -Djsch.server_host_key=ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
    -Djsch.client_pubkey=ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
  - Or edit the ssh config of the user, typically `~/.ssh/config` (see more details):
    Host {old-host}
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
CHANGED: During kubernetes deployments, git metadata and the list of secret references used are now added to nevis components. This will show up as a change in the deployment preview screen when they are deployed for the first time after upgrading to this version. (NEVISADMV4-9354)
Main improvement
- NEW: Projects can now be jumpstarted from predefined project templates in the newly added marketplace tab. (NEVISADMV4-8522)
- NEW: You can also define your own custom project templates. (NEVISADMV4-9003)
- NEW: In the pattern editor, on the Usage tab on the right, you can now see which other projects the currently selected pattern was copied to. (NEVISADMV4-9074)
- NEW: After the validation phase of a deployment completes, the generation results can be downloaded as a zip file. (NEVISADMV4-9355)
- NEW: Added experimental support for PostgreSQL database. (NEVISADMV4-9118)
- NEW: During deployment, the git configuration can now be saved to a persistent volume using the `kubernetes.git-init.mirror` attribute in the inventory. This can be used as a fallback source for pods when they restart, in case the connection to git is down. (NEVISADMV4-9276)
- NEW: Git deployments have been introduced. During git deployments, the generated configuration is uploaded to the specified git repository without performing any further steps. This can be used to integrate nevisAdmin 4 with GitOps continuous delivery tools. (NEVISADMV4-9354)
Notable changes and bug fixes
- NEW: Added a new property `nevisadmin.git.commit.name-format` for changing the format of the username on commits made by nevisAdmin 4. (NEVISADMV4-9325)
- NEW: The ssh connection for classic deployment and git now supports Ed25519 keys. (NEVISADMV4-9136)
- NEW: The default `imagePullPolicy` can now be configured for Kubernetes deployments. For more information see: Configuration Properties in the nevisoperator.yml file (NEVISADMV4-9378)
- NEW: The used time zone can now be configured for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-9071)
- CHANGED: On the GUI, attachment properties now only allow variables to be assigned if there are no attachments. This is to prevent some edge cases, where attachments could unexpectedly disappear and re-appear when you assign or unassign a variable to the property. (NEVISADMV4-9188)
- IMPROVED: Secrets are now only mounted to pods that actually need them. (NEVISADMV4-9292)
- IMPROVED: We improved the loading time of the inventory GUI and decreased the load this screen puts on the backend. This will be more noticeable if you have many inventories that reference a lot of resources, secrets and global constants. (NEVISADMV4-9185)
- FIXED: We fixed a GUI issue in the pattern editor that in certain cases caused a KeyValue property to request an empty string to be migrated instead of displaying an empty value. (NEVISADMV4-9351)
- FIXED: We fixed a GUI issue that caused the project or the inventory selector to be out of sync from the actually selected project or inventory, if you tried to switch project/inventory when there were unsaved changes, and you selected Cancel in the confirmation dialog. (NEVISADMV4-8761)
- FIXED: We fixed a GUI issue that happened sometimes when the validation data was being loaded after a pattern change. Now pattern items' version info tooltip and the filters above the pattern list are more robust. (NEVISADMV4-8985)
- FIXED: We fixed a GUI issue related to multiline text pattern properties that occurred when un-assigning a variable and caused a technical pattern reference (`var://`) to be displayed as the value, instead of the actual value of the unassigned variable. (NEVISADMV4-9304)
- FIXED: We fixed a GUI issue that could cause deleted Kubernetes deployments to be shown on the Kubernetes Status page. (NEVISADMV4-9169)
- FIXED: We fixed a GUI issue that caused the secondary deployment option to be visible even when there was no primary deployment. (NEVISADMV4-9169)
- FIXED: We fixed a GUI issue, where deleted variables were still shown as a link in the pattern editor, instead of a text label. (NEVISADMV4-9223)
- FIXED: Pressing the Validate button quickly no longer causes the deployment Preview page to be empty. (NEVISADMV4-9000)
- FIXED: We fixed a GUI issue on the Managed Kubernetes Certificates screen that caused some columns to permanently disappear from the dropdown list, if any change was made to the selected columns. (NEVISADMV4-9296)
- FIXED: We fixed a GUI issue that allowed users with usernames containing invalid characters to be created. In such cases, now a validation message is displayed and the user is not created. (NEVISADMV4-9215)
- FIXED: We improved the performance of the REST API for listing inventories (`GET inventories?tenantKey={tenantKey}`). (NEVISADMV4-9257)
- FIXED: We improved the performance of the REST APIs for listing secrets, resources, secret-resources, and global constants. (NEVISADMV4-9257)
- FIXED: On the validation step of deployments, an incorrect warning was shown for each k8s-secret in the inventory that had a key that was at least 24 characters long. These warnings are no longer shown. (NEVISADMV4-9245)
- FIXED: Global constants no longer have their scalar values double-quoted upon being saved. The error message shown when the submitted global constant has invalid yaml syntax is also improved. (NEVISADMV4-9327)
- FIXED: Files that had no extension when uploaded to patterns as attachments used to be given a `.json` extension upon being downloaded. Now, they are downloaded without an extension. (NEVISADMV4-9275)
- FIXED: We fixed an issue where errors during the Ingress creation did not cause the Deployment to fail. (NEVISADMV4-8982)
Dependency upgrades
- jackson 2.15.0 (NEVISADMV4-9199)
- jetty-rewrite 9.4.51.v2023021 (NEVISADMV4-9199)
- springdoc-openapi-ui 1.7.0 (NEVISADMV4-9199)
- groovy 3.0.17 (NEVISADMV4-9199)
- snakeyaml 2.0 (NEVISADMV4-9199)
- slf4j-api 2.0.7 (NEVISADMV4-9199)
- Logback-classic 1.3.7 (NEVISADMV4-9199)
- mariadb-java-client 3.1.4 (NEVISADMV4-9199)
- apache-el was removed (NEVISADMV4-9199)
- kubernetes-java-client 18.0.1 (NEVISADMV4-9368)
- spring-boot 2.7.14 (NEVISADMV4-9368)
- guava 32.0.1-jre (NEVISADMV4-9311)
- bcprov-jdk18on 1.75 (NEVISADMV4-9311)
- bcpkix-jdk18on 1.75 (NEVISADMV4-9311)
- spring-security 5.8.5 (NEVISADMV4-9368)
- shiro 1.12.0 (NEVISADMV4-9368)
Patterns 4.20.0 Release Notes - 2023-08-16
Release information
- Build Version: 4.20.0.9
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2023 Aug.
Enter the version in the Search field: 4.20.0.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
General
- ⚠️ PAT-369: Refactored automatic key management for classic deployments.
  - The master for all key material is now generated during project generation and deployed to target hosts as `.pem` files.
  - Only `.jks` and `.p12` files are still assembled on the target hosts by running a script during deployment.
  - The overall solution is now much simpler and more reliable.
  - However, if automatic key management was used with an earlier release, you have to perform some manual clean up operations:
    - remove the `/var/opt/keys` folder on target hosts
    - run the following SQL commands in the nevisadmin4 database:
      delete from pki_store_content;
      delete from pki_store;
      commit;
Application Protection
- PAT-361: Added `Static Content Cache` pattern.
- PAT-368: Removed a check which may produce invalid warning messages when using certain authentication steps in a realm assigned to a `SOAP Service` pattern.
- PAT-394: Added `Peer Servlet Strategy` setting to the `nevisProxy Remote/Hybrid Session Store` pattern.
- PAT-406: Added `nevisProxy Observability Settings` and `Virtual Host Observability Settings` patterns to support tracing with OpenTelemetry in nevisProxy.
- PAT-407: Fixed the missing `html` mime mapping when using the `Maintenance Page` pattern.
- PAT-418: Fixed an unexpected warning when trying to remove the default error handler mapping of a `Virtual Host` using `Generic Virtual Host Settings`.
  - Note: The default error handler can also be disabled by linking an `HTTP Error Handling` pattern to your Virtual Host and setting Mode to `disabled`.
- ⚠️ PAT-419: Upgraded the default ModSecurity CRS to `3.3.5` and removed the previous version `3.3.4`.
Authentication
- PAT-167: Added support for the `renderElement` attribute in `GuiElem` elements.
- PAT-299: Added pre-selected `profileId` to the session when consuming an access token in the `Access Token Consumer` step.
- PAT-342: Use the `request.getHttpHeader` method in generated Groovy scripts.
- PAT-372: Fixed the error `Upload a keytab file or enter the path of an existing keytab file on the target host(s)` when using a variable for the keytab file in the `Frontend Kerberos Login` pattern.
- PAT-386: Updated the `nevisAuth Database` pattern to use the new Hikari-based connection provider.
- ⚠️ PAT-388: Added a new `Kerberos Login` pattern which uses the new `KerberosLoginAuthState` and marked the existing `Frontend Kerberos Login` as deprecated.
  - The existing pattern will be removed in the November 2023 release.
- ⚠️ PAT-390: Changes to `logrend.properties`.
  - Fixed usage of expressions in `logrend.properties` configuration.
  - Removed the file-based configuration which has been marked as deprecated in the May 23 release. Use the key-value based configuration instead.
- PAT-391: New setting `Login Template Mode` in realm patterns.
- PAT-399: Do not return `403` for `AUTH_CONTINUE` in `Groovy Script Step`.
- PAT-401: Support `AUTH_CONTINUE` in `JSON Response Step`.
- PAT-408: Made `SMTP User` and `SMTP Password` optional in the `Generic SMTP` pattern.
Identity Management
- IDC-3166: Support `UNIT_GLOBAL` for `nevisIDM Custom Property`.
- N/A: Updated the list of supported nevisIDM permissions which can be configured in `Role Permissions` in the `nevisIDM Authorizations` pattern.
- PAT-343: Replaced SecToken creation in authentication step patterns with use of `IdmRestClient`.
- PAT-384: Fixed the `Oracle database requires a volume to be prepared` warning during background generation.
- PAT-395: The `nevisIDM Custom Property` pattern now allows defining properties which are not `READ_ONLY`.
SAML / OAuth / OpenID Connect
- PAT-284: Fixed access denied when calling the `OAuth 2.0 / OpenID Connect User Info` endpoint.
- PAT-392: Added a `Custom Pre-Processing` hook to `OAuth2.0 Authorization Server / OpenID Connect Provider`.
- PAT-397: Fixed the generation of the `Claims Request` setting in the social login steps.
- PAT-412: Support configuration of trust store and proxy in `OAuth2.0 Authorization Server / OpenID Connect Provider` for the outbound connection to the JWK Set endpoint used for ID token encryption.
- PAT-413: Added refresh token rotation configuration for `OAuth2.0 Authorization Server / OpenID Connect Provider`.
User behavior analytics
- ⚠️ NEVISDETECT-1704: Refactored the feedback configuration:
  - Added setting `nevisAdapt Feedback Configuration` to `Advanced Settings` of `nevisAdapt Instance`.
  - Added new pattern `nevisAdapt Feedback Configuration` to keep all related configurations.
  - Removed settings from `nevisAdapt Instance`:
    - nevisAuth reference
    - JWE key config
  - Removed settings from `nevisAdapt Authentication Connector`:
    - nevisProxy reference
    - `Distrust Token Behavior`
    - `Feedback Token Lifetime`
- NEVISDETECT-1699: Internal changes how the conversation is wrapped up when authentication is done.
nevisAdmin 4.19.1 Release Notes - 2023-06-05
Release information
- RPM: nevisadmin4-4.19.1.0-1.noarch.rpm
- GUI Version: FE 4.19.0-910 - BE 4.19.1.0
Notable changes and bug fixes
- FIXED: The report generation no longer fails when the project has a variable that references a secret, secret file, or file attachment.
- FIXED: A wrong `autoscaling` API version in nevisOperator caused deployments to fail on Kubernetes v1.26+ unless autoscaling was enabled.
nevisAdmin 4.19.0 Release Notes - 2023-05-17
Release information
- RPM: nevisadmin4-4.19.0.14-1.noarch.rpm
- GUI Version: FE 4.19.0-910 - BE 4.19.0.14
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
- CHANGED: When updating a user with `PUT /api/v1/users/{userKey}`, sending the user type is now mandatory. (NEVISADMV4-8956)
- CHANGED: The database connector no longer enables autocommit automatically. If you are using a custom database and need this feature, ensure that your database has autocommit enabled. (NEVISADMV4-8689)
- CHANGED: The database driver will now only accept `jdbc:mariadb:` by default in the connection URL string. If your connection string is required to be `jdbc:mysql:`, add the `?permitMysqlScheme` parameter. (NEVISADMV4-8689)
- REMOVED: We removed the kubernetes mode from the Generation Engine. (NEVISADMV4-8829)
Main improvement
- NEW: You can now read the logs of nevisAdmin 4 on the UI, if your nevisAdmin 4 instance is running in kubernetes. You can access the feature from the top right context menu by selecting the View Logs option. (NEVISADMV4-9087)
Notable changes and bug fixes
- NEW: MariaDB 10.6 is now officially supported. (NEVISADMV4-8689)
- NEW: Inventory and global constants can now contain yaml maps and sequences. (NEVISADMV4-8973)
- IMPROVED: In kubernetes inventories, specifying service names is now optional, if you do not override any of the default kubernetes attributes. (NEVISADMV4-8617)
- IMPROVED: The inventory editor now warns you if you set a kubernetes version attribute without quoting it. Not quoting these versions may result in unexpected behaviour. (NEVISADMV4-9094)
- IMPROVED: Patterns in the Testing category are no longer hidden by default. (NEVISADMV4-9148)
- IMPROVED: If nevisAdmin 4 runs on Kubernetes, it is no longer mandatory to set the `kubernetes-cluster.token` and `kubernetes-cluster.url` attributes in inventories. (NEVISADMV4-8829)
- IMPROVED: Kubernetes pods can now be given additional custom labels. For more information see: Inventory YAML file format (NEVISADMV4-9103)
- IMPROVED: We extended the pod security options for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-9104)
- IMPROVED: Editing Global Constants is now done with a rich text editor, which helps in editing structured constants. (NEVISADMV4-9015)
- IMPROVED: It is now possible to delete a Kubernetes deployment from the nevisAdmin 4 GUI, on the Kubernetes Status screen.
- IMPROVED: The Project Overview is now easier to access on the nevisAdmin 4 GUI, as now it has a top level navigation item on the Configuration tab.
- IMPROVED: Displaying the variable sample value on the Project Variables screen is now not blocked when the usages take longer to load. (NEVISADMV4-9144)
- IMPROVED: On the first screen of the Deployment Wizard, the selected Project and the selected Inventory are scrolled into view if there are many items in these lists, so that you don't need to search for them in the list. (NEVISADMV4-9145)
- IMPROVED: In the Attachment Property, you can now directly create a new file by entering the file name and its content, without having to upload an existing file first. (NEVISADMV4-9107)
- FIXED: Previously, kubernetes database migration failed if the database name contained special characters.
- FIXED: Deploying to a Kubernetes cluster that uses cgroups v2 such as AKS 1.25 could result in increased memory consumption for all Java based Nevis components.
- FIXED: We fixed an issue where updating saml or ldap users could change their type to local. (NEVISADMV4-8956)
- FIXED: The Generation Engine no longer ignores the specified log level. (NEVISADMV4-8994)
- FIXED: We fixed a bug that prevented key stores from having two certificates with the same CN. (NEVISADMV4-9041)
- FIXED: Global constants are now automatically deleted if the tenant they are scoped to is deleted. (NEVISADMV4-9045)
- FIXED: The `nevisadmin4 db-migration` helper commands now run successfully. (NEVISADMV4-9033)
- FIXED: We improved the performance of the REST APIs for listing `resources` and `secret-resources` by optimizing the DB queries. (NEVISADMV4-9182)
- FIXED: We fixed multiple smaller GUI issues related to user and group management: adjusted table ordering, linking to users and groups from the tables, made some labels and messages more intuitive, improved search for permissions, and more. (NEVISADMV4-8980, NEVISADMV4-8979)
- FIXED: We fixed the documentation link in the dialog which notifies if a new version of nevisAdmin 4 is available. (NEVISADMV4-8849)
- FIXED: On the Kubernetes Status screen, when a secondary deployment was in progress, an incorrect warning message about possible issues was shown. This warning is now only shown in the correct cases. (NEVISADMV4-9080)
Dependency upgrades
- jackson 2.14.2 (NEVISADMV4-8968)
- jetty-rewrite 9.4.50.v20221201 (NEVISADMV4-8968)
- springdoc-openapi-ui 1.6.14 (NEVISADMV4-8968)
- groovy 3.0.15 (NEVISADMV4-8968)
- aspectjweaver 1.9.19 (NEVISADMV4-8968)
- jaxb-runtime 2.3.8 (NEVISADMV4-8968)
- slf4j-api 2.0.6 (NEVISADMV4-8968)
- spring-security 5.8.3 (NEVISADMV4-9137)
- spring-boot 2.7.11 (NEVISADMV4-9137)
- mariadb-java-client 3.1.2 (NEVISADMV4-8968)
- apache-el 10.1.5 (NEVISADMV4-8968)
- nimbus-jose-jwt 9.31 (NEVISADMV4-8968)
- kubernetes-java-client 17.0.1 (NEVISADMV4-8968)
- micrometer 1.10.4 (NEVISADMV4-8968)
- replaced bcprov-jdk15on:1.70 with bcprov-jdk18on:1.73 (NEVISADMV4-9129)
- replaced bcpkix-jdk15on:1.70 with bcpkix-jdk18on:1.73 (NEVISADMV4-9129)
Patterns 4.19.0 Release Notes - 2023-05-17
Release information
Build Version: 4.19.0.22
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2023 May.
Enter the version in the Search field: 4.19.0.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
General
The following changes affect multiple components:
- PAT-235: Fixed database patterns to generate the `Trust Store` when TLS encryption is enabled and `Custom Connection URL` is set.
- PAT-248: Release patterns as a single ZIP file instead of separate JAR files.
- PAT-291: Improved error handling for `${var.name}` expressions.
- PAT-295: Fixed error in database patterns when using a variable without a sample value for the `User Name`.
- PAT-297: Improved validation for file upload properties.
- PAT-308: Fixed an error with pattern name processing in Kubernetes deployments.
- PAT-328: Fixed TLS hostname verification issues with nevisIDM and nevisMeta and automatic key management in Kubernetes.
- PAT-334: Increased the initial delay for Kubernetes readiness and liveness probes to account for slower startup.
- NEVISADMV4-9070: The default CPU autoscaler will no longer be generated if other scaling options are enabled when deploying to Kubernetes.
- NEVISADMV4-9104: Extended pod security options.
Application Protection
- PAT-193: Added `Crash Recovery Strategy` setting to `nevisProxy Instance` pattern.
  - In Kubernetes deployments it is better to let the process crash as the cluster will simply start a new pod.
- PAT-209: Added the `RESET_PARAMS` modifier flag for the `URL Handler` pattern.
- PAT-210: The `Securosys Keystore` pattern now generates the Primus configuration files into the nevisProxy instance folder instead of `/etc/primus`.
- ⚠️ PAT-230: Removed the deprecated `Navajo SSL Cache` setting from the `Virtual Host` pattern.
- PAT-265: Improved help of `CA Secret` in `NGINX Ingress Settings`.
- PAT-268: Increased the minimal nevisProxy version to `5.4.0`.
- PAT-288: Cleaned up how standard patterns generate filters for handling CORS.
- PAT-293: Prevent inherited authentication for public applications:
  - When you assign an `Authentication Realm` to an application you get session tracking and authentication on all front-end paths of that application.
  - When you don't assign any realm then the application is considered public, but session tracking and the authentication filter may be inherited from parent paths belonging to authenticated applications.
  - To prevent the inheritance you can now assign the `Unauthenticated Realm` pattern to your public applications.
  - As the `Unauthenticated Realm` pattern was originally designed to add session tracking to public applications, and we did not change the default, you have to set the `Session Tracking` drop-down to `disabled`.
- PAT-340: Prevent different managed databases being used for the same nevisProxy Instance.
  - This is not supported by the Nevis Operator component.
- PAT-344: Improved help for `Client Cert Authentication` in `NGINX Ingress Settings`.
- NEVISPROXY-6650: Fixed the setting of paranoia level order in the generated ModSecurity configuration file for nevisProxy.
- ⚠️ PAT-365: nevisProxy upgraded to OpenSSL 3.0, which has a stricter default security level than OpenSSL version 1.1.1. The default security level 1 now forbids signatures using SHA1 and MD5.
  In consequence, the following issues may occur:
  - Connections using TLSv1.1 will fail with the following message in the `navajo.log`:
    3-ERROR : OpenSSL-failure: 00777CC0137F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2255:0x0a [OSSL-0005]
    We recommend upgrading your configuration to use TLSv1.2 or TLSv1.3. If this is not possible, you can add the suffix `:@SECLEVEL=0` to your TLSv1.1 cipher suites to allow their signature algorithms.
  - Connections using a certificate with a deprecated signature algorithm will fail with the following message in the `navajo.log`:
    3-ERROR : [...] error:0A00018E:SSL routines::ca md too weak (must be pem encoded)) [NVCT-0054]
    We recommend renewing your certificates with a stronger signature algorithm. In the meanwhile, you can add the suffix `:@SECLEVEL=0` to the cipher suites of the affected filter or servlet. If the issue occurs in several places, or if it affects your EsAuth4ConnectorServlets, you can also modify the default cipher suites to include this suffix. Proceed as follows:
    - Add a `Generic nevisProxy Instance Settings` pattern to your configuration.
    - Add a `bc.property` for each cipher suite you want to modify. The keys are:
      - `ch.nevis.isiweb4.servlet.connector.http.SSLCipherSuites` for the HttpsConnectorServlets
      - `ch.nevis.isiweb4.servlet.connector.websocket.SSLCipherSuites` for the WebSocketServlets
      - `ch.nevis.isiweb4.servlet.connector.soap.esauth4.Transport.SSLCipherSuites` for the EsAuth4ConnectorServlets
      - `ch.nevis.nevisproxy.servlet.connector.http.BackendConnectorServlet.Secure.CipherSuites` for the BackendConnectorServlets
      - `ch.nevis.isiweb4.filter.icap.ICAPFilter.SSLCipherSuites` for the ICAPFilters
    - The modified default values should be:
      `ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:@SECLEVEL=0`
    - Attach this pattern to your `nevisProxy Instance`, under `Advanced Settings` > `Additional Settings`.
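The `:@SECLEVEL=0` workaround above is easy to leave in place and hard to spot across five connector properties. The following Python is an added example, not part of the nevisAdmin release notes or of nevisProxy: it models the OpenSSL cipher-string rule the note relies on (a `@SECLEVEL=n` entry sets the security level, the last one wins, and OpenSSL 3.0 defaults to level 1), applies the suffix idempotently, and audits constructed `bc.property` values for the keys listed under PAT-365 so that downgraded connectors stay visible until the TLSv1.1 client or weak certificate is replaced.

```python
"""Audit nevisProxy cipher-suite properties for the OpenSSL 3.0 SECLEVEL workaround.

Added example; not part of the nevisAdmin release notes or of nevisProxy.
Models the OpenSSL cipher-string rule described in PAT-365: a '@SECLEVEL=n'
entry sets the security level (a later entry overrides an earlier one), and
OpenSSL 3.0 defaults to level 1, which rejects SHA1/MD5 signatures.
"""
import re

OPENSSL3_DEFAULT_SECLEVEL = 1

# Default cipher list quoted in the release note, before any suffix is added.
DEFAULT_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256"
)

# bc.property keys listed in the release note, with the connector each one controls.
CIPHER_SUITE_KEYS = {
    "ch.nevis.isiweb4.servlet.connector.http.SSLCipherSuites": "HttpsConnectorServlets",
    "ch.nevis.isiweb4.servlet.connector.websocket.SSLCipherSuites": "WebSocketServlets",
    "ch.nevis.isiweb4.servlet.connector.soap.esauth4.Transport.SSLCipherSuites": "EsAuth4ConnectorServlets",
    "ch.nevis.nevisproxy.servlet.connector.http.BackendConnectorServlet.Secure.CipherSuites": "BackendConnectorServlets",
    "ch.nevis.isiweb4.filter.icap.ICAPFilter.SSLCipherSuites": "ICAPFilters",
}

_SECLEVEL_RE = re.compile(r"^@SECLEVEL=(\d)$")


def parse_cipher_string(value):
    """Split an OpenSSL cipher string into (suites, effective security level).

    '@SECLEVEL=n' items are directives rather than suites; as in OpenSSL,
    a later directive overrides an earlier one.  Empty items are skipped.
    """
    suites, level = [], OPENSSL3_DEFAULT_SECLEVEL
    for item in value.split(":"):
        item = item.strip()
        if not item:
            continue
        match = _SECLEVEL_RE.match(item)
        if match:
            level = int(match.group(1))
        else:
            suites.append(item)
    return suites, level


def with_seclevel(value, level):
    """Return the cipher string with exactly one trailing '@SECLEVEL=<level>'.

    Idempotent: applying it twice does not stack a second directive.
    """
    suites, _ = parse_cipher_string(value)
    return ":".join(suites + [f"@SECLEVEL={level}"])


def parse_properties(text):
    """Minimal reader for 'key=value' property lines; '#' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        props[key.strip()] = val.strip()
    return props


def audit_cipher_properties(properties):
    """Return {key: effective level} for every cipher-suite key below the default.

    Keys not in CIPHER_SUITE_KEYS are ignored.  A non-empty result means the
    temporary ':@SECLEVEL=0' workaround is still active on that connector.
    """
    findings = {}
    for key, value in properties.items():
        if key not in CIPHER_SUITE_KEYS:
            continue
        _, level = parse_cipher_string(value)
        if level < OPENSSL3_DEFAULT_SECLEVEL:
            findings[key] = level
    return findings


# Constructed sample: EsAuth4 and ICAP connectors carry the workaround,
# HTTPS keeps the default, WebSocket was raised to level 2.
SAMPLE_PROPERTIES = f"""
# constructed bc.property values for a Generic nevisProxy Instance Settings pattern
ch.nevis.isiweb4.servlet.connector.http.SSLCipherSuites={DEFAULT_CIPHERS}
ch.nevis.isiweb4.servlet.connector.websocket.SSLCipherSuites={with_seclevel(DEFAULT_CIPHERS, 2)}
ch.nevis.isiweb4.servlet.connector.soap.esauth4.Transport.SSLCipherSuites={with_seclevel(DEFAULT_CIPHERS, 0)}
ch.nevis.isiweb4.filter.icap.ICAPFilter.SSLCipherSuites=ECDHE-RSA-AES128-SHA:@SECLEVEL=0
some.unrelated.property=true
"""


def audit_sample():
    """Run the audit over the constructed sample properties."""
    return audit_cipher_properties(parse_properties(SAMPLE_PROPERTIES))


if __name__ == "__main__":
    for key, level in audit_sample().items():
        print(f"SECLEVEL={level} on {CIPHER_SUITE_KEYS[key]} ({key})")
```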
Authentication
- PAT-132: New key-value style setting for configuring nevisLogrend `logrend.properties`.
  - You can now add / overwrite just the properties that you have to and don't have to upload a file.
  - ⚠️ The file upload variant has been marked as deprecated and will be removed in the August 23 release.
- PAT-201: Fixed `User Input` pattern saving a null value if a word containing a letter with an accent was entered.
- PAT-221: Adapted the generation of the nevisAuth `Event Log` configuration to compensate for breaking changes in the nevisAuth May release.
  - ⚠️ You have to use the May release of nevisAuth when event logging is enabled.
- PAT-249: Fixed an error during generation when `Internal SecToken Signer Trust Store` is not set.
- PAT-304: Fixed broken language change in some GUIs.
- PAT-337: Support variables in `JSON Response` step.
- PAT-339: Use new HTTP Client of nevisAuth for scripts.
- ⚠️ PAT-348: Implement eye icon for password input fields.
- PAT-349: Support adding a resend button on `Email TAN` / `Mobile TAN`.
- PAT-351: Do not generate `Internal SecToken Signer Trust Store` unless really required.
- NEVISAUTH-4006: Added advanced setting `ID Pregenerate` to `nevisAuth Instance` pattern.
Identity Management
- ⚠️ PAT-72: The `nevisIDM Generic Batch Job` pattern now raises a warning when `Custom Batch Job JAR(s)` are uploaded, as nevisIDM does not support custom batch jobs since version 2.76.2.63.
- PAT-272: Fixed errors in nevisIDM Second-Factor Selection script.
- PAT-282: New field is added to `nevisIDM User Lookup` and `nevisIDM Password Login` to enable automatic selection of default profiles instead of manual selection when the User has multiple profiles.
- PAT-320: Add client trust hash label to the `NevisDatabase` resource to ensure client cert is imported when nevisFIDO is used.
- PAT-350: Added a setting `User Not Found Error` in `nevisIDM User Lookup`.
  - Set to `disabled` when the absence of a user is the happy case (e.g. in a registration flow).
- PAT-352: Added a new parameter to `nevisIDM Create Password` pattern to make showing policy violations configurable.
SAML / OAuth / OpenID Connect
- ⚠️ PAT-183: The REST endpoint configuration for OAuth 2.0 / OpenID Connect has been moved to a separate pattern for each endpoint.
- You have to adapt your configuration and use the new patterns.
- PAT-183: Added REST endpoint for Pushed Authorization Request.
- PAT-226: Fixed a database connection issue for nevisMeta when TLS is enabled.
- PAT-260: Added setting `Tenant ID` to `Microsoft Login` pattern.
- PAT-287: Exclude CSRF on token introspection and revocation paths.
- PAT-289: Fixed `SAML IDP` authorization checks for SPs.
- PAT-306: Allow disabling IDP-initiated authentication in `SAML IDP` pattern.
  - ⚠️ IDP-initiated authentication is disabled by default. You can opt out of this change by enabling it again.
- PAT-311: Fixed double slash in OAuth 2.0/OpenID Connect metadata service.
- PAT-359: Added missing method to the dispatcher script used by the `SAML IDP`.
FIDO2 / Passwordless
- PAT-199: The `FIDO2 Authentication` pattern now uses the new `Fido2AuthState` by default.
  - ⚠️ A different JavaScript is used (`fido2_auth_std.js`). If you are using a custom `Login Template` you have to update the template.
  - The previous implementation can still be used until the August 23 release by setting `AuthState Class` to `ScriptState`.
- PAT-269: Adapted the `nevisFIDO FIDO2 Database` to be compatible with the new MariaDB driver in nevisFIDO.
  - ⚠️ The `enabled` TLS encryption option is no longer available. Use `trust`, `verify-ca` or `verify-full` instead.
- PAT-307: Added `User Verification` setting to `FIDO2 Authentication` and `FIDO2 Onboarding`.
- PAT-318: Added `Attestation` setting to `FIDO2 Onboarding`.
- NEVISFIDO-1828: Allow configuration of `android:apk-key-hash:<your-hash>` for `Relying Party Origins`.
Mobile Authentication
- PAT-238: Prevent inheritance of CSRF protection and ModSecurity from applications to nevisFIDO APIs.
- ⚠️ PAT-255: As announced with warning messages, the following deprecated patterns have been removed with this release:
  - `Mobile Authentication with Custom URI Link`
    - Custom URI links have to be configured in the `nevisFIDO UAF Instance` pattern instead.
  - `Mobile Authentication with Deep Link`
    - Deep links have to be configured in the `nevisFIDO UAF Instance` pattern instead.
  - `Mobile Device Registration`
    - Use `In-band Mobile Registration Service` and/or `Out-of-band Mobile Registration Service` patterns to expose the APIs required by your client.
- PAT-269: Adapted the `nevisFIDO FIDO2 Database` to be compatible with the new MariaDB driver in nevisFIDO.
  - ⚠️ The `enabled` TLS encryption option is no longer available. Use `trust`, `verify-ca` or `verify-full` instead.
- PAT-296: Improved error handling of the `Out-of-band Mobile Onboarding` step.
  - In fatal error cases a `System Error` screen is now shown instead of an incomplete screen.
Authentication Cloud
- PAT-247: The new Authentication Cloud patterns do not send an extra ping request to Authentication Cloud to validate the configuration.
- ⚠️ PAT-298: Removed `Authentication Cloud` pattern.
  - Use the new `Authentication Cloud Login` and `Authentication Cloud Onboarding` patterns instead.
- PAT-302: Added `On Abort` exit to Authentication Cloud patterns.
- PAT-303: Added `Authentication Cloud Lookup` pattern.
User behavior analytics
- NEVISDETECT-1603: Updated nevisAdapt project templates for K8s deployment.
- NEVISDETECT-1683: Fixed an issue where the Oracle JDBC driver could not be found.
Patterns 4.18.3 Release Notes - 2023-05-04
Release information
Build Version: 4.18.3.16
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2023 Feb.
Enter the version in the Search field: 4.18.3.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
SAML / OAuth / OpenID Connect
- PAT-254: Fixed `SAML SP Connector` to set the property `out.post.relayStateEncoding` to `HTML` when `http-post` is selected for `Outbound Binding`.
FIDO2 / Passwordless
- ⚠️ IDC-2999: The `FIDO2 Onboarding` pattern now renders a welcome screen.
- PAT-325: Support usage of `Dispatcher Button` patterns in `FIDO2 Onboarding`.
Mobile Authentication
- PAT-313: Fixed `Out-of-band Device Management App` to not set `InterceptionRedirect` to `never` in the `IdentityCreationFilter` of the assigned realm.
- PAT-321: Made `In-band Mobile Registration` more flexible. Now any realm can be assigned and the non-mobile authentication flow can be disabled.
- PAT-336: Fixed `Usernameless Out-of-band Mobile Authentication` so that the pattern can be used as the first step of an authentication flow.
Authentication Cloud
- PAT-326: Added a retry button to `Authentication Cloud Onboarding`.
Patterns 4.18.2 Release Notes - 2023-03-27
Release information
Build Version: 4.18.2.12
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2023 Feb.
Enter the version in the Search field: 4.18.2.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
Authentication
- PAT-280: Added missing password for `Default Backend Trust Store` of `nevisAuth Instance`.
- PAT-267: Removed open port check for default nevisLogrend instance.
Identity Management
- PAT-245: Improved `Generic nevisIDM Instance Settings` so it can handle empty values.
SAML / OAuth / OpenID Connect
- PAT-278: Add `Custom Properties` setting to `OAuth 2.0 Authorization Server` pattern.
- PAT-277: New experimental `Access Token Consumer` step.
- ⚠️ PAT-274: Protection against XML Signature Wrapping (XSW) attacks. By default, the SAML IDP now signs the entire SAML `Response`.
  This is a breaking change. You have to adapt the configuration of your SAML service providers (SPs) to validate the signature of the `Response`. If this is not possible, you can opt out of this change by selecting `Assertion` in the `Signed Element` drop-down of the `SAML SP Connector`. If only the `Assertion` is signed, then your setup may be vulnerable to attacks. We recommend checking whether your SP applies appropriate mitigations. If you are using a Nevis SP, then upgrade to the latest applicable version of nevisAuth to benefit from additional checks of the `ServiceProviderState`. Check the release notes of nevisAuth for details. In Kubernetes deployments you have to set the version of the Docker image in the inventory to use the new nevisAuth version.
  To easily configure which signatures are validated on the SP side, we have added a drop-down `Signature Validation` to the `SAML IDP Connector` pattern. The default of this drop-down is `both`, which means that the signatures of both the `Response` and the `Assertion` are checked. This is in line with the change of the default on the IDP side. If you cannot enable response signing on the IDP side, you can opt out of this change by setting the drop-down to `Assertion`.
Authentication Cloud
- IDC-2913: New experimental `Authentication Cloud Onboarding` pattern.
- IDC-2897: Various improvements to the scripts of the Authentication Cloud patterns.
- PAT-247: Removed a ping call which is not required.
Patterns 4.18.1 Release Notes - 2023-03-01
Release information
Build Version: 4.18.1.16
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2023 Feb.
Enter the version in the Search field: 4.18.1.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
This pattern release contains several changes for the `Authentication Cloud` pattern.
General
The following changes affect multiple components.
- PAT-231: We fixed an issue that caused Kubernetes deployments to fail when database patterns were used with `Database Management` set to `disabled`.
Authentication
- PAT-227: We fixed an issue with the `User Input` pattern which can lead to an exception during cookie parsing.
Mobile Authentication
- PAT-225: We improved the pattern help of the `Out-of-band Mobile Device Registration` pattern.
- PAT-236: We adapted the JavaScript used by `Out-of-band Mobile Authentication` when `Channel` is set to `Link / QR-Code` to not render a device list.
- PAT-237: We fixed the failed push dispatching for the `Out-of-band Mobile Authentication` pattern.
- PAT-238: Ensure security features enabled for applications with `Frontend Path` `/` won't break APIs provided by nevisFIDO for FIDO UAF.
- PAT-241: Ensure nevisFIDO is accessible on `/auth/fidouaf/authenticationresponse/`.
  - This path is used by old apps and will be removed in a future release.
- PAT-242: We fixed the missing notification when using push dispatching for `Out-of-band Mobile Authentication`.
  - New label `mobile_auth.push` added with default translations. You can change them in the realm pattern.
Authentication Cloud
- PAT-244: Use new nevisAuth HTTP client in the `Authentication Cloud` pattern.
- PAT-224: We added support for authentication with a QR code to the `Authentication Cloud` pattern.
  - This pattern now has a drop-down `Authentication Type` to choose how to interact with the user.
  - The QR code is rendered on the client side using a JavaScript library (loaded by `js_end.vm`).
  - This QR code can also be scanned by the camera app and supports access app installation.
- PAT-208: We cleaned up the JavaScript and Groovy script used by the `Authentication Cloud` pattern.
  - ⚠️ These changes are breaking if you are using your own login template. Adapt your template as follows:
    - Download the default template in the `Authentication Realm`, unpack the zip and compare the following files:
      - `js_end.vm` (includes the JavaScript files)
      - `authcloud.js` (the new JavaScript expects HTML elements with ID `info` and `error` to display status messages)
- PAT-208: The `Authentication Cloud` pattern now provides translations for status messages in the 4 default languages (EN, DE, FR, IT).
  - Check the deployment preview and adapt the texts as required in the realm pattern.
- PAT-208: The `Authentication Cloud` pattern now shows status messages underneath the title.
- PAT-208: The `Authentication Cloud` pattern now has a setting to configure the label used for the title.
- PAT-208: The `Authentication Cloud` pattern now has settings for separate configuration of `Access Key` and `Instance ID`.
nevisAdmin 4.18.0 Release Notes - 2023-02-15
Release information
- RPM: nevisadmin4-4.18.0.10-1.noarch.rpm
- GUI Version: FE 4.18.0-869 - BE 4.18.0.10
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Main improvement
- NEW: Managing users, user permissions and groups is now possible in nevisAdmin 4 UI. (NEVISADMV4-8014)
- NEW: New info filter option is added to filter the patterns with info messages. (NEVISADMV4-8563)
- NEW: Added an option to comply with the `restricted` Pod Security Standard when deploying to Kubernetes. For more information see: Inventory YAML file format (NEVISADMV4-8905)
Notable changes and bug fixes
- NEW: We added an optional `force` parameter to the REST endpoint that performs inventory updates from Git. When set to `true`, the inventory is updated to match the remote, even in cases where the remote git history was overwritten by force. (NEVISADMV4-8820)
- IMPROVED: Project and Inventory settings screens are improved with standard project and inventory selector. (NEVISADMV4-8795)
- IMPROVED: nevisAdmin 4 will no longer apply any default pod resource limits to resources that have a custom resource block defined for them in the inventory. (NEVISADMV4-8782)
- IMPROVED: Publishing projects is now faster. (NEVISADMV4-8819)
- IMPROVED: Improved performance of the Kubernetes deployment preview by optimizing git checkouts. (NEVISADMV4-8822)
- IMPROVED: Improved the capabilities of the `PUT /api/v1/permissions` endpoint. Now it can assign project/inventory permissions globally, or on tenants. It can also assign tenant permissions globally. (NEVISADMV4-8858)
- IMPROVED: Bulk deleting patterns is now faster. (NEVISADMV4-8864)
- IMPROVED: Reduced the size of the database migration docker image by removing unused drivers. (NEVISADMV4-8874)
- IMPROVED: Inventory constants and global constants can now also be used in the YAML keys of inventories. (NEVISADMV4-8901)
- FIXED: If an LDAP user was not a member of any LDAP groups, then the group synchronization did not run upon user login. This issue is now fixed. (NEVISADMV4-4800)
- FIXED: Projects can no longer be deleted when they are being deployed. (NEVISADMV4-8440)
- FIXED: Project validation was sometimes skipped after deleting pattern(s) or uploading/modifying files in attachment input fields, if the related pattern's type could not be loaded. This no longer happens. (NEVISADMV4-8791)
- FIXED: Fixed an issue where the VIEW_SECRET_CONTENT_INVENTORY operation was not automatically granted to the inventory creator. (NEVISADMV4-8856)
- FIXED: Fixed an issue where you could create multiple users with the same ID by sending the user creation requests very quickly in succession. (NEVISADMV4-8868)
- FIXED: Using a private key with a passphrase caused the Kubernetes deployment to fail. (NEVISADMV4-8853)
- FIXED: Fixed an issue causing key-values defined in the inventory to be displayed as `[object Object]` on the variables page.
- FIXED: Changed `PUT /api/v1/groups/{groupKey}` API to take the groupKey from the path variable instead of the request body. (NEVISADMV4-8937)
Dependency upgrades
- Jackson 2.14.1 (NEVISADMV4-8690)
- Springdoc-openapi-ui 1.6.13 (NEVISADMV4-8690)
- Snakeyaml 1.33 (NEVISADMV4-8690)
- Jaxb-runtime 2.3.7 (NEVISADMV4-8690)
- Slf4j-api 2.0.4 (NEVISADMV4-8690)
- Logback-classic 1.3.5 (NEVISADMV4-8690)
- Commonmark 0.21.0 (NEVISADMV4-8690)
- Spring dependency-management-plugin 1.1.0 (NEVISADMV4-8690)
- Spring-security 5.8.0 (NEVISADMV4-8690)
- Mariadb-java-client 2.7.7 (NEVISADMV4-8690)
- Apache-el 10.1.1 (NEVISADMV4-8690)
- Shiro 1.11.0 (NEVISADMV4-8912)
- Nimbus-jose-jwt 9.25.6 (NEVISADMV4-8690)
- Kubernetes-java-client 16.0.2 (NEVISADMV4-8690)
- Micrometer 1.10.1 (NEVISADMV4-8690)
Patterns 4.18.0 Release Notes - 2023-02-15
Release information
Build Version: 4.18.0.24
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2023 Feb.
Enter the version in the Search field: 4.18.0.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
General
The following changes affect multiple components.
- PAT-148: Ensure files produced by automatic key stores and trust stores in classic deployment have proper permissions, owner, and group.
- ⚠️ PAT-138: Removed settings and patterns which have been declared as deprecated and produced warning issues.
  - Removed the setting Compat Level in nevisAuth Instance.
  - Removed settings which used a text box when there is a corresponding file upload.
- ⚠️ PAT-118: New Database patterns for all Nevis components which use a database.
  - You can now use the same pattern for classic (VM) and Kubernetes deployments.
  - The drop-down Session Management in Advanced Settings can be set to `disabled` to opt out of automatic DB schema setup and migration.
  - The existing database patterns have been removed. Adapt your pattern configuration by using the new patterns.
  - The technical property name for assigning the Database pattern has been adapted in:
    - nevisAuth Instance
    - nevisAdapt Instance
    - nevisFIDO UAF Instance
    - nevisDetect Persistency Instance
- PAT-177: Improved type tolerance of key-value style settings when loading from a variable.
  - It is not required any more to put quotes around boolean and numeric values.
  - For instance, the following variable definition is now valid:
    my-var:
      - some-key: 100
- PAT-158: Fixed an issue with the validation of host names (length limitation).
Application Protection
- PAT-169: Fixed usage of full URLs in Root URL Redirect of the Virtual Host pattern.
- PAT-161: Fixed nevisProxy minimal version check for ModSecurity Core Rule Set to only apply when deploying a nevisProxy Instance.
- NEVISPROXY-6376: New Securosys Key Store pattern.
- For now this pattern can be used in nevisProxy only. Use in Virtual Host patterns for the Frontend Key Store.
- Upload valid configuration files from a working setup.
- In case of on-premises setups, the installation of the library has to be done manually; for nevisAppliance the target system should be upgraded.
- PAT-161: Fixed nevisProxy version check in classic deployment.
- NEVISPROXY-6257: The servlet mapping elements in the `web.xml` of nevisProxy are now sorted.
- NEVISPROXY-6270: Added new HTTP/2 category for Virtual Host pattern and added new Early Hints parameter.
Authentication
- PAT-171: Adapted nevisAuth Database pattern for new MariaDB JDBC driver used in nevisAuth.
- PAT-143: nevisAuth Log Settings now has the following default Log Levels:
  - `EsAuthStart = INFO`: prints messages during startup
  - `org.apache.catalina.loader.WebappClassLoader = FATAL`
  - `org.apache.catalina.startup.HostConfig = ERROR`
- PAT-138: Fixed an issue in Generic Authentication Step when assigning the step in multiple places.
- PAT-201: Improvements for the User Input pattern.
- Fix encoding issues when entering special characters.
- Cache the input in the session in case a cookie has to be returned for the Remember Input feature.
- ⚠️ PAT-174: Adapted the generation of configuration for the nevisAuth session store to be compatible with the new nevisAuth version (4.38).
- Upgrade nevisAuth as otherwise the instance won’t start.
- ⚠️ PAT-165: Adapted the generation of key stores and trust stores for outgoing TLS connection in nevisAuth.
- nevisAuth now supports using separate key material for all these connections and can fall back to the system trust store in the JDK.
- The SwissPhone Connection pattern has been adapted accordingly.
- If you are using Generic Authentication Step or Groovy Script Step, and you have outgoing TLS connections then you may have to adapt your configuration.
- Details can be found in the nevisAuth release notes.
- If a suspicious property name is generated the patterns will produce a warning issue.
- If this check produces a false positive it is safe to ignore.
- The check has been implemented to help with the migration and will be removed again in a future release.
- ⚠️ PAT-192: The `recommended` option in the Synchronize Sessions drop-down in the nevisAuth Database pattern now behaves like the option `always` in both classic and Kubernetes deployment.
  - In previous releases (previous database patterns) the behavior of `recommended` was:
    - `always` in Kubernetes deployment
    - `after-successful-authentication` in classic deployments
  - This change can increase the number of sessions stored in the remote session store.
  - The benefit is that now the authentication can continue on another line, in case nevisProxy decides to send the user to a different line.
  - You can opt out of this change by selecting the option `after-successful-authentication`.
- PAT-175: New experimental Role Check Step pattern.
- You can use this pattern in authentication flows to make decisions based on roles.
- Role-based access control is usually done in nevisProxy instead. Use the Authorization Policy pattern for that.
- PAT-162: JWT Token extended with kid header parameter option.
Identity Management
- PAT-153: The nevisIDM Administration GUI pattern now has Self Admin GUI set to `enabled` by default.
- ⚠️ NEVISIDM-8595: The nevisIDM Instance pattern now validates the length of the configured Encryption Key.
- NEVISIDM-8480: The JDBC connection string generated by the nevisIDM Database pattern has been adapted to be compatible with the latest nevisIDM release.
- PAT-142: Fixed nevisIDM Connector to not use settings from Kubernetes tab in a Classic deployment.
- PAT-163: Added experimental nevisIDM Password Create pattern.
- This pattern is experimental and will be improved in future releases.
- PAT-163: Improved Email TAN and nevisIDM User Create patterns.
- In combination with the Dispatcher Button and nevisIDM User Lookup these patterns may be used to build a simple self-registration flow.
Mobile Authentication
- ⚠️ PAT-157: The JavaScript used by Out-of-band Mobile Authentication has been rewritten from scratch.
- If you use a custom login template, adapt the template accordingly.
- PAT-143: nevisFIDO Log Settings now has the following default Log Levels:
  - `ch.nevis.auth.fido.application.Application = INFO`: prints messages during startup
  - `jcan.Op = INFO`: 1 line for each request (incoming and outgoing)
- PAT-172: New experimental pattern Usernameless Out-of-band Mobile Authentication.
- The pattern shows a QR-code and/or link for mobile authentication. It is not required to enter any username.
- ⚠️ PAT-198: New In-band Mobile Device Registration and Out-of-band Mobile Device Registration patterns.
- The existing Mobile Device Registration pattern has been deprecated and will be removed in May 2023.
- Use one of the new patterns instead. Check the links above to find out which one fits your use case.
- ⚠️ PAT-198: Improved the Mobile Device Deregistration pattern.
- The technical property name used for Authentication Realm has changed. Assign your In-band Mobile Authentication Realm to the new setting instead.
- Rewritten the help text to make clear which APIs are exposed.
- ⚠️ PAT-196: The Out-of-band Device Management App has been simplified.
- This pattern is provided for demo purposes only. If you want to do mobile device management in production you should implement your own application.
- The pattern help has been improved. It now documents which API calls the example application makes and how the required endpoints may be provided.
- The FIDO Settings and Userinfo Settings tabs have been removed.
- The pattern does not automatically expose the required APIs anymore. Instead, you now have to configure additional patterns as described in the help.
SAML / OAuth / OpenID Connect
- PAT-59: Set default value for Setup ID in OAuth 2.0 Authorization Server/OpenID Connect Provider
- Newly created nevisMeta instances will contain this setup by default. Existing nevisMeta instances are not affected.
- PAT-86: Added Assertion Consume URL Validation setting.
- PAT-206: The OAuth 2.0 Authorization Server / OpenID Connect Provider now ensures that CSRF protection from applications running on parent paths is not inherited, as it would break basic flows.
- PAT-82: Extended SAML SP Realm and IDP Connector with encryption settings.
- PAT-139: Fixed wrong error message when Social Login Create User was reused.
- PAT-140: Support reuse of the following patterns:
- Social Login Create User
- Social Login Link User
- Social Login Done
nevisAdmin 4.17.1 Release Notes - 2023-03-09
Release information
- RPM: nevisadmin4-4.17.1.0-1.noarch.rpm
- GUI Version: FE 4.17.0-805 - BE 4.17.1.0
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Notable changes and bug fixes
- FIXED: We ensured that generated JKS/PKCS12 stores contain all provided PEM certificates. (NEVISADMV4-9041)
nevisAdmin 4.17.0 Release Notes - 2022-11-16
Release information
- RPM: nevisadmin4-4.17.0.14-1.noarch.rpm
- GUI Version: FE 4.17.0-805 - BE 4.17.0.14
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
- The pattern `key-value` property is changed to separate key-value pair fields, and no longer supports separators, that is `=`, `:`, `->`. If the legacy property already contains a value, you have to migrate it to the new format. For more details, see Editing Pattern Fields (NEVISADMV4-6823)
Main improvement
- NEW: You can now initiate a nevisAdmin 4 upgrade on Azure from nevisAdmin 4 UI. This is only available for new installations using the November version of the Azure deployment automation. See Azure deployment automation for detailed instructions. (NEVISADMV4-8543)
- NEW: We improved the UX of the screen navigation and actions menu. You can now access the screens from the navigation menu and the settings of the projects, and inventories from the Configuration and Infrastructure tabs. The Resources tab is introduced, which contains the global resources. (NEVISADMV4-8538)
- NEW: The pattern `key-value` property is changed to separate key-value pair fields. For more details, see Editing Pattern Fields. (NEVISADMV4-8630)
- NEW: We added a Helm chart for installing nevisAdmin 4 on Kubernetes. (NEVISADMV4-6823)
Notable changes and bug fixes
- NEW: We added an optional `force` parameter to the REST endpoint that performs project updates from Git. When set to `true`, the project is updated to match the remote, even in cases where the remote git history was overwritten by force. (NEVISADMV4-8610)
- NEW: Pod topology spread constraints can now be configured for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-8613)
- NEW: Memory based autoscaling can now be configured for Kubernetes deployments. For more information see: Inventory YAML file format (NEVISADMV4-8614)
- NEW: We added the command line argument `--enable-leader-election` to nevisOperator. If leader election is enabled, nevisOperator can be used with multiple replicas. (NEVISADMV4-8764)
- IMPROVED: In case one or more custom resources failed to deploy during Kubernetes deployments, only those will be reported as failed, instead of all custom resources that were deployed to the given service. (NEVISADMV4-7853)
- IMPROVED: nevisAdmin 4 no longer leaves the deployment targets in an inconsistent state if it is shut down while a deployment is still in progress. (NEVISADMV4-8224)
- IMPROVED: You can now disable Generic Deployment patterns in Kubernetes deployments. (NEVISADMV4-8503)
- IMPROVED: We added support for secret references in the `GitCredentials` resource. For more information see: GitCredentials file format (NEVISADMV4-8686)
- FIXED: The publish modal could run into an error when publishing the deletion of a pattern copied into this project. The issue is now fixed. (NEVISADMV4-8488)
- FIXED: Creating an empty inventory sometimes resulted in a stacktrace being logged. This no longer happens. (NEVISADMV4-8707)
- FIXED: The REST endpoint for listing patterns now correctly includes meta information when the `meta` parameter is set to `true`. (NEVISADMV4-8709)
- FIXED: The `CertificateRequest` is now created by nevisOperator in the same namespace where the cert-manager `Issuer` resides. This makes it possible to use an `Issuer` from a different namespace. (NEVISADMV4-8737)
- FIXED: Unrelated README.md changes caused a NullPointerException during project update. (NEVISADMV4-8776)
Patterns 4.17.0 Release Notes - 2022-11-16
Release information
Build Version: 4.17.0.24
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2022 Nov.
Enter the version in the Search field: 4.17.0.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Several changes are included in the 4.16.1, 4.16.2, and 4.16.3 intermediate releases. Check the corresponding release notes.
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
General
The following changes affect multiple components.
- ⚠️ PAT-75: Added a new widget for map-like settings.
- Existing configuration must be migrated. Warning issues will be generated for patterns that require attention.
- The widget will guide you through the migration steps when you visit the pattern. By saving the pattern you complete the migration.
- In some places several separators were allowed (`->`, `:`, `=`) in previous releases. The old widget used the same parsing order for all lines and thus some separators had to be used the "wrong way round". Often, the order of the `->` was wrong. The new widget will fix this problem. The widget will import existing data using a proper, "natural" reading order (`value -> key`, `key = value`, `key : value`). This can lead to invalid configuration in some cases. Double-check carefully how the migration has interpreted your existing configuration, as you may have to switch left and right side in some cases.
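As an added example (not the nevisAdmin widget's own code), the following Python reimplements the "natural" reading order described above and flags every line that contains more than one separator, which is exactly where the left and right side may need to be swapped by hand. The separator list, the ambiguity rule and the sample lines are assumptions constructed for this example.

```python
from typing import Dict, List, Tuple

# Separators the legacy text box accepted, in the "natural" reading order
# the release notes describe: "value -> key", "key = value", "key : value".
# Only the "->" form is read right-to-left (the right-hand side is the key).
SEPARATORS: Tuple[Tuple[str, bool], ...] = (
    ("->", True),   # right side is the key
    ("=", False),   # left side is the key
    (":", False),   # left side is the key
)


def parse_legacy_line(line: str) -> Tuple[str, str, str, bool]:
    """Interpret one legacy line; returns (key, value, separator, ambiguous).

    The first separator found in the order above wins. 'ambiguous' is True
    when more than one separator occurs in the line (e.g. a URL value that
    contains ':'), which is the case to double-check after migration.
    """
    present = [sep for sep, _ in SEPARATORS if sep in line]
    if not present:
        raise ValueError(f"no separator in line: {line!r}")
    sep = present[0]
    right_is_key = dict(SEPARATORS)[sep]
    left, right = (part.strip() for part in line.split(sep, 1))
    key, value = (right, left) if right_is_key else (left, right)
    if not key or not value:
        raise ValueError(f"empty key or value in line: {line!r}")
    return key, value, sep, len(present) > 1


def migrate_key_value_text(legacy_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Convert the legacy multi-line text into key/value pairs plus warnings.

    Warnings list every line that should be reviewed by hand: ambiguous
    separators and duplicate keys (the later line wins, as in a dict).
    """
    mapping: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(legacy_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value, sep, ambiguous = parse_legacy_line(line)
        if ambiguous:
            warnings.append(
                f"line {lineno}: several separators in {line!r}; "
                f"read as key={key!r} value={value!r} (via {sep!r}), check sides"
            )
        if key in mapping:
            warnings.append(f"line {lineno}: duplicate key {key!r}")
        mapping[key] = value
    return mapping, warnings


# Constructed sample of a legacy text box; not taken from a real project.
LEGACY_SAMPLE = """\
# constructed sample
X-Forwarded-Proto = https
Cache-Control: no-store
https://idp.example.com/saml -> issuer
2 -> level
"""

if __name__ == "__main__":
    pairs, notes = migrate_key_value_text(LEGACY_SAMPLE)
    for k, v in pairs.items():
        print(f"{k} = {v}")
    for note in notes:
        print("WARNING:", note)
```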
- NEVISPROXY-6260: Added new setting Hostname Validation to the following patterns:
- nevisAdapt REST API
- nevisDetect Administration GUI
- nevisDetect Persistency REST API
- nevisIDM Administration GUI
- nevisIDM REST Service
- nevisIDM SOAP Service
- nevisMeta Web Console
- REST Service
- SOAP Service
- Web Application
- PAT-41: Image version parsing now uses Long instead of Integer to be able to parse long version numbers.
- PAT-28: Improve minimum version checks for Kubernetes deployment.
- The setting Enforce Target Version in Instance patterns has been renamed to Check Minimum Version.
- You can now enable / disable all minimum version checks with this drop-down.
- PAT-53: Improved cleanup of rotated log files.
- Changed the glob expression `filename.*` to a regex expression to avoid that files which have not been created by the component (e.g. backups or compressed rotated logs) are removed.
- PAT-67: Various improvements to automatic key management in classic deployment:
- nevisAuth Backend Trust Store now trusts nevisIDM Frontend Key Store instead of falling back on the nevisAdmin 4 CA.
Application Protection
- NEVISPROXY-6396: Changed the default HTTP/2 support to `disabled` in the Virtual Host pattern.
- There are incompatibilities with certain `mod_qos` directives.
- PAT-62: Always set the `Secure` flag on proxy session cookies.
- Having a session on nevisProxy when accessing via plain HTTP is not supported anymore.
- ⚠️ PAT-107: Added OWASP ModSecurity Core Rule Set version `3.3.4` to the available options in the Virtual Host patterns.
- This is the new default version, and it requires nevisProxy `5.4.0` (November 2022) or newer.
- We recommend using version 3.3.4, but you can still choose one of the previous versions.
- ⚠️ PAT-36: Added new setting Remote Session Store in the Virtual Host pattern.
- Use this new setting instead of Additional Resources.
- PAT-36: Prevent invalid assignments:
- Generic Application Settings to Virtual Host pattern.
- Generic Virtual Host Settings to application patterns.
- PAT-2: Added new settings Content-Type Mode and Content-Types in the HTTP Error Handling pattern.
- PAT-120: Added new setting Keep Security Headers to the HTTP Error Handling pattern.
Authentication
- PAT-56: Removed unused `mermaid.min.js`.
- PAT-135: Generate attribute `idPregenerate` with `true`.
- Required for use cases where the nevisAuth session ID needs to be known before `AUTH_DONE`.
- PAT-40: Improved validation of Transform Variables step.
- PAT-96: Generate `KeyObject` `DefaultSignerTrust` for SecToken validation in nevisAuth.
- nevisAuth validates the SecToken received from nevisProxy when a step-up occurs.
- In some setups that SecToken may have been signed by a different key store (e.g. a second line of nevisAuth or after cert rollover).
- In such setups an additional `KeyObject` will now be generated to ensure the SecToken can be validated.
- PAT-99: Basic support for showing a GUI with `AUTH_CONTINUE` in Groovy Script Step.
- PAT-117: Added setting Language Cookie Name in Authentication Realm pattern.
Adaptive Authentication
- PAT-39: Fixed data source issues for nevisAdapt Persistency and nevisDetect Persistency.
Identity Management
- ⚠️ PAT-52: Migrated nevisIDM Authorizations pattern to be file based to avoid size restrictions.
- PAT-38: Extended the nevisIDM Prune History Job pattern with a setting for the `SkipList` property.
- PAT-115: Fixed trust association between SecToken Signer Trust Store in nevisIDM Instance and Signer Key Store of Nevis SecToken patterns.
SAML / OAuth / OpenID Connect
- PAT-122: Allow handling the `unlock` method using Custom Pre-Processing of SAML SP Realm.
- ⚠️ PAT-57: Changed default paths in OAuth 2.0 Authorization Server / OpenID Connect Provider.
- Changed default paths to `exact:/oauth/<name>`. See help for details.
- Changed `/auth` endpoint to `/authorization` based on RFC examples.
- PAT-83: Support for checking Required Roles in the SAML SP Connector.
- Roles are checked after taking care of the Minimum Required Authentication Level.
- This is an advanced configuration. We recommend checking roles in your SAML SP instead, so as not to mix authentication and authorization.
- ⚠️ PAT-73: Refactored Social Login patterns to avoid security issues when the user is not linked.
- You have to upgrade your flows. See the pattern help for details.
- NEVISAUTH-3677: Add custom exits to OAuth 2.0 Authorization Server / OpenID Connect Provider.
- This is an advanced configuration. We cannot validate that your configuration makes sense.
Patterns 4.16.3 Release Notes - 2022-11-02
Release information
Build Version: 4.16.3.9
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2022 Aug.
Enter the version in the Search field: 4.16.3.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
General
The following changes affect multiple components.
- PAT-102: The setting Regex Filter in Log Settings patterns is now also applied to `Console` appenders used in Kubernetes deployments.
Authentication
- PAT-98: We made the lookup of client `extId` and user `extId` more reliable in various authentication step patterns.
- PAT-99: We improved the Groovy Script Step so that you can now produce an `AUTH_CONTINUE` response to render a GUI.
FIDO2 / Passwordless
- IDC-2464: We fixed an exception in FIDO2 Authentication and FIDO2 Onboarding steps.
- PAT-93: We added a new setting On Cancel to the FIDO2 Authentication and FIDO2 Onboarding steps.
- The error handling in these patterns is considered experimental and further changes are expected in upcoming versions.
- We recommend testing onboarding and authentication with the expected devices carefully.
- PAT-78: We added registration options to FIDO2 Onboarding.
- PAT-92: We fixed a `WARN` message about `maxLifetime` in the `nevisfido.log`.
SAML / OAuth / OpenID Connect
- ⚠️ PAT-109: The SAML IDP does not dispatch according to the last used SP anymore.
- In IDP-initiated cases, the SP issuer has to be well-defined, see pattern help for details.
Patterns 4.16.2 Release Notes - 2022-10-07
Release information
Build Version: 4.16.2.8
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2022 Aug.
Enter the version in the Search field: 4.16.2.
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
General
The following changes affect multiple components.
- PAT-90: We added a new setting Regex Filter to Log Settings patterns of Log4J2-based components.
- If configured, messages matching the regular expression are not logged.
- ⚠️ By default, messages matching the following expression are no longer logged for nevisLogrend: `.*GET /nevislogrend/health.*`
- PAT-74: Moved deployment type settings in Instance patterns into tabs:
- Kubernetes tab: settings for deployment to Kubernetes
  - Liveness Delay
  - Readiness Delay
- Classic tab: settings for deployment to VMs
  - Line Preference
  - Start Timeout
  - Memory Limit
  - Initial Memory Ratio
  - Instance Rename Detection
  - Start Inactive
Authentication
- PAT-74: We added new settings Liveness Delay and Readiness Delay in nevisAuth Instance pattern.
- If startup of nevisAuth times out in Kubernetes, you may have to increase the values.
- These are experimental settings. Changes are expected in a future release.
SAML / OAuth / OpenID Connect
- PAT-70: The SAML SP Connector / User Attributes setting now supports configuration of more than one attribute with the same value or expression.
- PAT-71: We added a drop-down to SAML SP Connector to configure if and how the `AudienceRestriction` element is generated.
- PAT-65: Various changes in SAML IDP to support customizing / overwriting SAML logout behavior:
- We added a Custom Pre-Processing hook.
- We added a drop-down to disable the Logout Configuration feature.
- PAT-65: nevisLogrend was not reachable when using a sub-path of the Frontend Path(s) of the SAML IDP. We fixed the issue.
nevisAdmin 4.16.1 Release Notes - 2022-10-14
Release information
- nevisAppliance: 2.202208.1010
- RPM: nevisadmin4-4.16.1.0-1.noarch.rpm
- GUI Version: FE 4.16.1-758 - BE 4.16.1.0
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Notable changes and bug fixes
- FIXED: Updating the value of a binary global secret or global file, such as a ZIP in Secret and Files resulted in no change. (NEVISADMV4-8597)
Patterns 4.16.1 Release Notes - 2022-08-31
Release information
Build Version: 4.16.1.3
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2022 Aug.
Enter the version in the Search field: 4.16.1
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
General
- ⚠️ PAT-42: Various fixes to Log Settings patterns.
- The new log format is: `%d{ISO8601} [%thread] %-5level %logger{36} - %msg%n`. In Kubernetes a prefix is added (no change).
- We have removed `%-4relative`, changed `%logger{35}` to `%logger{36}` and added a `-`.
- You can change the log format in the Advanced Settings tab of the corresponding Log Settings pattern.
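As an added example (not from the Nevis patterns or products), the following Python splits lines in the new default log format into fields and then applies the Regex Filter introduced in PAT-90 above (messages matching the expression are not logged) with its default `.*GET /nevislogrend/health.*`. The sample lines are constructed, and the filter is applied as a full match on the message, which is an assumption of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regex for one line in the new default format
#   %d{ISO8601} [%thread] %-5level %logger{36} - %msg%n
# ISO8601 renders as "2022-11-16 10:15:02,123"; %-5level pads the level to
# 5 characters, so "INFO" is followed by two spaces and "ERROR" by one.
LOG_LINE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}[.,]\d{3}\S*) "
    r"\[(?P<thread>[^\]]+)\] "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\s+"
    r"(?P<logger>\S+) - "
    r"(?P<message>.*)$"
)

# Default Regex Filter given in the release notes for nevisLogrend (PAT-90).
# This example applies it as a full match on the message only, which is why
# the default pattern needs the leading and trailing ".*".
DEFAULT_FILTER = re.compile(r".*GET /nevislogrend/health.*")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one formatted log line into its fields, or None if it does not match."""
    m = LOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def apply_regex_filter(
    lines: List[str], drop: "re.Pattern" = DEFAULT_FILTER
) -> Tuple[List[Dict[str, str]], int, List[str]]:
    """Return (kept records, number dropped by the filter, unparsable lines).

    Unparsable lines are reported rather than silently discarded: a line that
    does not fit the format is usually a stack-trace continuation or output of
    a component still using the old layout (%-4relative, no " - ").
    """
    kept: List[Dict[str, str]] = []
    dropped = 0
    unparsed: List[str] = []
    for line in lines:
        record = parse_log_line(line)
        if record is None:
            unparsed.append(line)
        elif drop.fullmatch(record["message"]):
            dropped += 1  # health probes vanish, including failed ones (any status)
        else:
            kept.append(record)
    return kept, dropped, unparsed


# Constructed sample lines in the new format (not real nevisLogrend output).
SAMPLE_LOG = [
    "2022-11-16 10:15:02,123 [qtp12-45] INFO  ch.nevis.logrend.HealthServlet - GET /nevislogrend/health 200",
    "2022-11-16 10:15:03,004 [qtp12-46] WARN  ch.nevis.logrend.Renderer - template not found: login.vm",
    "2022-11-16 10:15:03,010 [main] ERROR ch.nevis.logrend.Application - startup check failed",
    "   at ch.nevis.logrend.Application.main(Application.java:42)",
]

if __name__ == "__main__":
    kept, dropped, unparsed = apply_regex_filter(SAMPLE_LOG)
    for rec in kept:
        print(rec["level"], rec["logger"], rec["message"])
    print(f"dropped by filter: {dropped}, unparsable: {len(unparsed)}")
```

Because the default filter matches on the request path alone, a failing health probe (non-200 status) is suppressed just like a healthy one; widen the filter only if you are sure you do not need that signal elsewhere.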
- ⚠️ PAT-26: Deprecated text boxes in patterns which support the same configuration by uploading a file.
- PAT-13: Added time-based log rotation for components that use logback.
- NEVISADMV4-8505: Add Start Inactive setting to Instance patterns.
Application protection
- NEVISADMV4-8507: Fixed link to application patterns in Application Mapping Report.
Authentication
- ⚠️ NEVISADMV4-6224: Improved authentication steps for OATH, for example, Google Authenticator.
Identity Management
- PAT-45: Fixed a bug in the nevisIDM Password Login pattern. When fetching User Properties an invalid configuration was generated.
SAML / OAuth / OpenID Connect
- PAT-20: Fixed a bug in the Social Login patterns (e.g. Google Login) which produced invalid `ResultCond` elements in some setups.
- ⚠️ PAT-30: Removed Custom Pre-Processing hook in OAuth 2.0 Authorization Server / OpenID Provider pattern.
- PAT-27: Ensure Default Session Upgrade Flow is used by OAuth 2.0 Authorization Server / OpenID Connect Provider pattern.
- NEVISAUTH-3729: Improved the CORS Lua filter generated by OAuth 2.0 Authorization Server / OpenID Connect Provider pattern.
- PAT-29: Added Key Store and Trust Store settings to nevisMeta Web Console.
User behavior analytics
- PAT-39: Fixed various issues with the database connection:
- NEVISDETECT-1575: Upgraded `fingerprintjs` v3 to 3.3.4.
nevisAdmin 4.16.0 Release Notes - 2022-08-17
Release information
- nevisAppliance: 2.202208.1005
- RPM: nevisadmin4-4.16.0.6-1.noarch.rpm
- GUI Version: FE 4.16.0-714 - BE 4.16.0.6
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Notable changes and bug fixes
- NEW: nevisAdmin 4 now supports login with SAML. (NEVISADMV4-8011)
- NEW: You can now edit the content of an uploaded file from the pattern property, or in the Secret & Files and Certificates screens. (NEVISADMV4-8015)
- NEW: You can now enter multi-line values when creating a global constant. (NEVISADMV4-8421)
- NEW: Patterns to set up FIDO2 are available with the standard pattern libraries. (NEVISADMV4-8439)
- IMPROVED: The deployment of a deleted project is better visualized, with more details in the Deployment History and Kubernetes Status screens. (NEVISADMV4-8324)
- IMPROVED: You can now see who promoted or rolled-back the secondary deployment. (NEVISADMV4-8075)
- IMPROVED: Ongoing deployments are now visualized better in the Deployment History and Kubernetes Status screens. (NEVISADMV4-8390)
- IMPROVED: Improved the issue tooltip which is shown when hovering over the project status. (NEVISADMV4-7892)
- IMPROVED: Display of the date and time format is improved, and shown as such: only time for today, date and time for the current year and full date format for the past year.
- IMPROVED: We improved the Git HTTPS support for Kubernetes deployments. (NEVISADMV4-8409)
- CHANGED: The `SUPER_ADMIN` permission no longer grants permission to create or modify users. Two new permissions are added for these purposes: `CREATE_USER` and `MODIFY_USER`. These new permissions are automatically granted to existing users with `SUPER_ADMIN` permission. (NEVISADMV4-8146)
- FIXED: Wrong version number of the deployed services was displayed for the promoted deployment in case the secondary deployed version was higher than the primary version. This issue is now fixed. (NEVISADMV4-8396)
- FIXED: Secrets were displayed as Unlinked in Secret and Files, if they were used in a global constant. (NEVISADMV4-8268)
- FIXED: It is no longer possible to delete the local admin user through REST. (NEVISADMV4-8408)
- FIXED: Kubernetes deployment failed if Azure DevOps repository was used. (NEVISADMV4-8377)
- FIXED: The `verify client` option was always set to on when enabling client certificate authentication with Kubernetes deployment. (NEVISADMV4-8459)
- UPGRADED: Various dependencies are upgraded.
Patterns 4.16.0 Release Notes - 2022-08-17
Release information
Build Version: 4.16.0.14
How to install and use the plugins
Download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2022 Aug.
Enter the version in the Search field: 4.16.0
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
If you are upgrading from the version included in the May 2022 release (4.15.0), also check the release notes for 4.5.1.
General
- ⚠️ NEVISADMV4-8429: The `SameSite` flag is now set to `None` by default for nevisProxy session cookies.
- NEVISADMV4-8298: We renamed several Key Store and Trust Store settings.
- NEVISADMV4-8405: We added time-based log rotation to Log Settings pattern.
  - size-based rotation: `%i`
  - daily rotation: `%d{yyyy-MM-dd}`
  - hourly rotation: `%d{yyyy-MM-dd-HH}`
- NEVISADMV4-8446: Boolean values from inventory variables are now handled in drop-downs with the compatible options showing:
Application protection
- NEVISADMV4-8445: The endpoints required for Kubernetes liveness and readiness checks are now exposed by a separate virtual host which is not exposed to the internet via the ingress.
- ⚠️ NEVISPROXY-6256: The Hosting Service pattern is adapted. The underlying `DefaultServlet` is replaced by a `FileReaderServlet` to allow future improvements.
- NEVISPROXY-6121: We added support for HTTP/2 front-end connections in nevisProxy, and introduced a new setting called HTTP/2 Support in the Virtual Host pattern.
- NEVISPROXY-6213: We added the new JWT Access Restriction pattern to verify the JWT of incoming requests in nevisProxy Virtual Host without using nevisAuth.
- NEVISADMV4-8164, NEVISPROXY-6252: We added a new setting to the Web Application, REST Service, and SOAP Service patterns called Custom Parameters.
- NEVISPROXY-6114: We added a new parameter Conditional Log Levels to the nevisProxy Log Settings pattern.
- NEVISADMV4-8383, NEVISPROXY-6251: The HTTP Error Handling pattern now supports uploading JSON files.
- NEVISADMV4-8498: Generation now fails when the patterns demand a different servlet-name for the same servlet, instead of silently using the latest value.
Authentication
- NEVISLOG-409: We fixed generic JSON rendering by nevisLogrend.
- NEVISADMV4-8296: We improved the nevisAuth expressions that were generated when using the `exact:` prefix in Standalone Authentication Flow / Frontend Path(s).
- ⚠️ We renamed several Gui descriptors. If you are using the Gui names in your Login Template, you have to adapt your .vm and .js files:
- NEVISADMV4-8433: The Transform Variables Step now supports clearing and removing variables.
- NEVISADMV4-8372: We now support Unit Attributes and Unit Properties in nevisIDM Password Login pattern.
- ⚠️ NEVISADMV4-8369: The nevisIDM Second Factor Selection now supports FIDO2 and recovery code credentials.
- There is no REST endpoint for OTP credentials, and thus the userDto object is still used for this credential type.
- We renamed the label `method.tan.label` to `method.mtan.label`.
- We improved the default translations and help texts.
- ⚠️ NEVISIDM-8211: The nevisIDM URL Ticket Consume pattern now shows a GUI with a label and a continue button before validating the ticket.
Identity Management
- NEVISIDM-8139: It is now possible to preload a client into nevisIDM at startup with the new nevisIDM Client pattern.
- NEVISIDM-8120: We reworked the Azure Service Bus pattern. It can now be used to set the following remote queues with the help of Azure Service Bus Remote Queue pattern(s):
SAML
- NEVISADMV4-8051: We now ensure that automatic signers used by SAML SP Realm or SAML IDP have the correct name in Kubernetes deployments.
- NEVISAUTH-3746: We changed how the SAML IDP dispatches incoming requests.
- NEVISAUTH-3743: We introduced changes to SP Issuer and Audience Restriction of SAML SP Connector.
- NEVISAUTH-3601: We added a setting Custom Transitions to SAML IDP Connector.
- Use when you have to add or overwrite ResultCond elements in the ServiceProviderState.
- An example use case is to apply custom error handling.
OAuth / OpenID Connect
- NEVISMETA-1762: We added TLS configuration for nevisMeta Instance pattern with 3 options: `requested`, `required`, `disabled`.
- NEVISMETA-1744: We added a new setting User Info Endpoint to OAuth 2.0 Authorization Server / OpenID Provider.
- NEVISMETA-1750: We added a Terms of Service and Policy display for `ConsentState`.
- NEVISMETA-1756: We added new advanced settings to the OAuth 2.0 Authorization Server / OpenID Provider:
Mobile authentication
- NEVISADMV4-8471: We removed `mauth_include.js`.
- NEVISADMV4-8419: We now use python3 for the startup check of the nevisFIDO Instance pattern.
- NEVISFIDO-1639: We added On Cancel to the Out-of-band Mobile Authentication pattern.
- NEVISADMV4-8364: We fixed the Continue button which is shown in Out-of-band Mobile Authentication, when the authentication is aborted in the mobile app.
- NEVISADMV4-8388: We relaxed validation in mobile authentication patterns. For some cases, a simple info message is shown instead of a warning.
Authentication Cloud
- NEVISADMV4-8471: We removed `authcloud_include.js`.
FIDO2
- NEVISFIDO-1647: We added experimental patterns for FIDO2.
- nevisFIDO FIDO2 Instance - It uses the same RPM and Docker image as nevisFIDO Instance but supports FIDO2 use cases only.
- FIDO2 Authentication
- FIDO2 Onboarding
- nevisFIDO FIDO2 Log Settings
- nevisFIDO FIDO2 Management App - It serves a simple HTML and JavaScript page, which shows how to do registration for FIDO2 WebAuthn. Do not use in production!
- nevisFIDO FIDO2 REST Service - It exposes the FIDO2 related REST APIs provided by nevisFIDO on a nevisProxy Virtual Host, required by nevisFIDO FIDO2 Management App.
- For now use Generic Authentication Step to configure FIDO2 WebAuthn authentication.
User behavior analytics
- NEVISDETECT-1510: We added nevisAdapt Logout Connector as a nevisAdapt-related logout step (initiates session termination).
- NEVISDETECT-1536: We added a new URL property to nevisAdapt Instance for defining a page redirect after pressing a feedback report link.
- NEVISDETECT-1563: We added a nevisAuth Instance reference to nevisAdapt Instance to enable reporting untrusted sessions.
Patterns 4.15.1 Release Notes - 2022-07-01
Release information
Build Version: 4.15.1.8
How to install and use the plugins
You can download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2022 May.
Enter the version in the Search field: 4.15.1
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
General
- NEVISADMV4-8312: We removed the invalid warning message “set 'Kubernetes' to 'other_namespace' or clear this property.”
Application protection
- NEVISADMV4-8302: We resolved the warning issue when attempting to remove a non-existing `filter-mapping`.
- NEVISADMV4-8348: We removed the deprecation warning for syslog forwarding for nevisProxy.
- NEVISADMV4-8338: We prevented the error issue when using a variable for Lua Script in Lua HTTP Processing pattern.
- NEVISADMV4-8399: We added the missing reference for trust store / key store to `NevisComponent` Kubernetes resources when assigning an Automatic Trust Store or Automatic Key Store pattern for the connection to a backend server in SOAP Service, REST Service and Web Application patterns.
Authentication
- NEVISADMV4-8385: ZIP files uploaded to Translations in realm patterns are now unpacked automatically.
- NEVISADMV4-8370: We now support the configuration of Login Type in OATH Authentication pattern.
- NEVISADMV4-8211: We introduced new experimental patterns nevisAuth Database and Managed nevisAuth Database.
- NEVISADMV4-8305: We now support changing the title in User Information pattern.
- NEVISADMV4-8297: We now support expression ${service.postfix} in Groovy Script Step. Use when referring to Kubernetes services deployed by the same project.
- NEVISADMV4-8395: We now support ${var.name} expressions in Condition(s) of Dispatcher Step.
Mobile authentication
- NEVISADMV4-8393: We prevented an exception during generation when assigning a non-automatic Key Store in the nevisIDM Connection tab of a nevisFIDO Instance.
- NEVISADMV4-8398: We fixed the wrong name being referred to when using In-band Mobile Authentication Realm and assigning Automatic Key Store patterns to the nevisFIDO Instance.
- NEVISADMV4-8291: We set max-text-length for transaction-confirmation in nevisFIDO to 2000.
- NEVISADMV4-8400: We ensured that security features are activated for a Web Application running with Frontend Path, and do not block access to REST APIs exposed by Mobile Registration and Mobile Deregistration patterns.
Identity management
- NEVISIDM-8149, NEVISADMV4-8311: We fixed nevisIDM Generic Batch Job pattern to work in combination with nevisIDM 2.85.x.
- NEVISADMV4-8385: ZIP files uploaded to nevisIDM Instance / Custom Resources are now unpacked automatically. This allows you to configure a custom facing, for which subdirectories are required.
Federation
- NEVISAUTH-3662: We fixed Google/Microsoft Social Login Pattern having wrong first/last name assignment.
- ⚠️ NEVISADMV4-8359: We improved pre-processing hooks in authentication patterns.
- SAML SP Realm
- SAML SP Connector
- OAuth 2.0 Authorization Server / OpenID Provider
- IDC-2074: We fixed automatic user creation / update during Apple Login.
nevisAdmin 4.15.0 Release Notes - 2022-05-18
Release information
- nevisAppliance: 2.202205.973
- RPM: nevisadmin4-4.15.0.10-1.noarch.rpm
- GUI Version: FE 4.15.0-660 - BE 4.15.0.10
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Notable changes and bug fixes
- NEW: You can now add descriptions to projects in the Project Overview screen. (NEVISADMV4-8042)
- NEW: When upgrading plugin versions, in case breaking changes were introduced in patterns currently in your project, clear instructions are shown on the pattern's fields about how to adapt your configuration. (NEVISADMV4-8084)
- NEW: We introduced Global constants. They are similar to inventory constants, but they can be referenced from multiple inventories. (NEVISADMV4-8097)
- NEW: You can now view details about nevisOperator and logs on the Kubernetes Status Screen. (NEVISADMV4-8065)
- NEW: YAML literal block style format can be enabled. For details see the nevisadmin.yaml.literal-block-style.enabled property at 'Configuration Properties in the nevisadmin4.yml File' (NEVISADMV4-7813)
- IMPROVED: We improved the audit logs of many REST endpoints. (NEVISADMV4-8033)
- IMPROVED: Dates are now displayed in full format instead of friendly format. (NEVISADMV4-8134)
- IMPROVED: Project and inventory revision updates are now performed directly to head. Previously, this feature iterated through each commit until the head, but this may not be possible if there are problems with the git history. (NEVISADMV4-8045)
- IMPROVED: The generated Kubernetes resources such as Deployments, Services etc. now use the Kubernetes Recommended Labels. This causes the components to restart when nevisOperator is upgraded. (NEVISADMV4-8026)
- FIXED: We fixed an issue where some Kubernetes certificates were sometimes missing from the managed certificates screen. (NEVISADMV4-7851)
- FIXED: An unexpected error message was shown on the inventory host status screen in case a connection error occurred. This issue is now fixed. (NEVISADMV4-8024)
- FIXED: Kubernetes deployments no longer perform queries across all namespaces. This change fixes errors in namespace-restricted scenarios. (NEVISADMV4-8132)
- FIXED: If there was an error in the Managed Kubernetes Certificates screen, for example, connection to Kubernetes cluster failed, the table was not refreshed even if another inventory was selected from the drop-down. The issue is now fixed. (NEVISADMV4-7963).
- FIXED: The Category tab was still shown in the pattern even if there was no visible property. The issue is now fixed. (NEVISADMV4-7992).
- FIXED: Incorrect expiration date was displayed in Attach certificate screen when an existing certificate was selected to insert into an inventory. The issue is now fixed. (NEVISADMV4-8100)
- FIXED: A random `ArrayIndexOutOfBoundsException` occurred on Inventory edit, caused by a bug in the SnakeYAML library. The issue is now fixed. (NEVISADMV4-8114)
- UPGRADED: Various dependencies are upgraded.
Patterns 4.15.0 Release Notes - 2022-05-18
Release information
Build Version: 4.15.0.6
How to install and use the plugins
You can download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2022 May.
Enter the version in the Search field: 4.15.0
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
General
- ⚠️ NEVISADMV4-7063: In generated URLs the port is now omitted if it can be deduced from the scheme (e.g. for HTTPS the default port is 443).
- NEVISADMV4-7886: nevisAdmin 4 shows a warning if the Nevis docker images used are older than the ones defined in the plugins.
- NEVISADMV4-7771: nevisAdmin 4 has upgraded Groovy to 3.x. The patterns are now compiled against this version.
- NEVISADMV4-8087: We fixed a bug that could result in an invalid PEM being generated when additional trusted certificates were uploaded to an Automatic Trust Store.
- ⚠️ NEVISADMV4-8077: All Generic Log Settings patterns are removed. Change your project configuration to use the high-level Log Settings patterns instead.
- ⚠️ NEVISADMV4-8076: The fields used for Log Levels in Log Settings patterns are aligned. In case you have to adapt your pattern configuration, a message is shown to guide you through the process.
- ⚠️ NEVISADMV4-8076: Log config generation is migrated from Log4J version 1 to Log4J version 2. The following Nevis components are affected:
- ⚠️ NEVISADMV4-8078: The available options for Log Targets in Log Settings patterns are changed.
- ⚠️ NEVISADMV4-8076: The default maximum log file size is aligned. Now all components use 100 MB by default. This means an increase from 10 MB to 100 MB for the following components:
- NEVISADMV4-8101: We fixed a bug in Managed Database patterns, which led to an error in the DB setup when using variables containing secrets.
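The port-omission rule introduced with NEVISADMV4-7063 matters wherever generated URLs are compared literally, for example issuer or redirect URIs exchanged with federation partners: `https://host:443/x` and `https://host/x` are the same endpoint but different strings. The following Python is added here as an illustration and is not code from nevisAdmin 4 or its pattern libraries. It builds URLs that omit the scheme's default port and, going one step beyond the release note, applies the same rule to compare two URLs. The scheme table and the names `build_url`, `normalize` and `same_endpoint` are assumptions for the example.

```python
"""Omit a URL's port when it is the default for its scheme.

Added example, not nevisAdmin 4 code. Models the behaviour described for
NEVISADMV4-7063: the port is left out of generated URLs when it can be
deduced from the scheme. Names and the scheme table are assumptions.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Default ports per scheme. Assumption: http/https are what nevisAdmin
# generates; ldap/ldaps only show that the rule is table-driven.
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636}


def build_url(scheme: str, host: str, port: Optional[int], path: str = "/") -> str:
    """Assemble scheme://host[:port]/path, omitting a default port.

    Scheme and host are lower-cased (both are case-insensitive); a bare
    IPv6 literal is bracketed so a following ':port' stays unambiguous.
    """
    scheme = scheme.lower()
    host = host.lower()
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"
    netloc = host
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        netloc = f"{host}:{port}"
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit((scheme, netloc, path, "", ""))


def normalize(url: str) -> str:
    """Rebuild a URL through build_url so default ports and case vanish.

    Query and fragment are intentionally dropped: the goal is to compare
    endpoints (scheme, host, port, path), not full requests.
    """
    parts = urlsplit(url)
    return build_url(parts.scheme, parts.hostname or "", parts.port, parts.path or "/")


def same_endpoint(a: str, b: str) -> bool:
    """True if two URLs denote the same scheme, host, port and path.

    A naive string comparison treats 'https://h:443/x' and 'https://h/x'
    as different endpoints; normalising first avoids that.
    """
    return normalize(a) == normalize(b)


if __name__ == "__main__":
    for url in ("https://auth.example.com:443/oauth2/auth",
                "http://auth.example.com:8080/oauth2/auth",
                "https://[::1]:443/"):
        print(url, "->", normalize(url))
```

Note that `http://host:443/` is not normalised away: 443 is only the default for `https`, so the port is kept and the two URLs stay different, which is the correct outcome.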
Application protection
- NEVISADMV4-8161: We fixed the missing port number in the `defaultHost` attribute in `navajo.xml`. The issue occurred when several Virtual Host patterns shared the same Frontend Addresses, and one of these patterns was set as Default Virtual Host in the nevisProxy Instance pattern.
- NEVISPROXY-5987: We added the new settings Session Store Resource and Session Store Access Restriction to the Virtual Host pattern to enable the REST interface for the nevisProxy session stores.
- ⚠️ NEVISPROXY-6145: We improved the nevisProxy patterns to only generate one servlet per web.xml for storing sessions. In addition, the session store servlets now have fixed names:
- NEVISADMV4-8141: The nevisProxy patterns no longer generate SERVER_FDLIMIT, as nevisProxy does not use this instruction since version 4.6.
- NEVISPROXY-6092: We fixed the time interval based log rotation in the nevisProxy Log Settings pattern.
- NEVISPROXY-6073: We added new setting to the Managed MariaDB Remote Session Store pattern called Custom Parameters.
Authentication
- NEVISADMV4-8030: URLs pointing to nevisIDM / nevisMeta instances running outside the Kubernetes cluster no longer get the -web suffix. The suffix is only added, when nevisIDM and nevisMeta run in the same Kubernetes cluster.
- NEVISPROXY-6089: We added a new setting, Forbidden Roles, to the Authorization Policy pattern.
- NEVISPROXY-6089: We added new settings, Required Roles Mode, Forbidden Roles Mode, and Authentication Level Mode, to the Authorization Policy pattern.
- ⚠️ NEVISPROXY-6089: The internal property providing the Required Roles of the Authorization Policy pattern is renamed. If you see a text box called “Unknown property: roles” in your Authorization Policy pattern, configure the reported roles or the reported variable in the Required Roles setting. Write one value per line if you set roles directly.
- ⚠️ NEVISPROXY-6089: The `SecurityRolesFilter` generated to enforce mandatory role requirements is now called `Authorization_Required_Roles_<roles>_<realm>` instead of `Authorization_<roles>_<realms>`.
- ⚠️ NEVISPROXY-6089: When combining several Authorization Policy patterns for an application, by default the pattern with the most specific mapping overrides the settings of the more general patterns, including the empty values. Empty values were previously ignored. As a consequence, if one of the Required Roles, Forbidden Roles or Authentication Level settings is defined in the most general pattern, but is empty in the most specific one, by default no rule will be enforced for this setting on paths where the specific pattern is mapped.
- NEVISADMV4-7893: We added new settings called Hostname Validation in the nevisAuth Connection and GUI Rendering sections of Realm patterns.
- NEVISADMV4-8023: We improved the help for Template Parameters in Generic Authentication Step.
- NEVISADMV4-8238: When the name of the realm starts with a digit, the name of generated AuthState elements gets a “_” prefix applied to ensure the esauth4.xml complies to the schema.
- NEVISADMV4-8172: We added validation to ensure the SecToken Signer Key Store has a name that is compatible with Kubernetes deployment. This means that the name must end with “Signer”.
- NEVISADMV4-8173: We removed entries for taking heap dumps from the JAVA_OPTS variable found in env.conf of nevisAuth instances.
- NEVISADMV4-8153: We removed ch.nevis.session.jdbc.connector.store.absTo from the env.conf of nevisAuth instances.
- NEVISADMV4-8149: We now use a plain TCP connect check for the nevisLogrend readiness endpoint in Kubernetes deployment. This is because the check fails if an HTTPS based check is used, and HTTPS is set to `mutual` in the nevisLogrend Instance pattern.
- NEVISADMV4-8090: Some patterns add an AuthState to the end of authentication flows.
- existing tokens are not lost on stepup (required when new tokens are produced).
- Previously, this logic was part of `<realm>_Prepare_Done` and thus always executed.
- NEVISADMV4-8009: We improved validation of Groovy scripts for nevisAuth.
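To make the merge semantics introduced with NEVISPROXY-6089 concrete, the following Python is added as an illustration; it is not code from nevisAdmin 4 or the nevisProxy patterns. It resolves the effective Authorization Policy for a request path under both the new rule (the most specific mapping overrides every setting, empty values included) and the previous rule (empty values ignored), and then enforces it. The path-prefix matching, the `AuthorizationPolicy` class, the sample policies and the "at least one of" reading of Required Roles are assumptions made for the example.

```python
"""Effective Authorization Policy for a path under both merge rules.

Added example, not nevisAdmin 4 or nevisProxy pattern code. It models the
change described for NEVISPROXY-6089: when several Authorization Policy
patterns apply, the most specific mapping now overrides the more general
ones including empty values; previously empty values were ignored.
Class and function names, prefix matching and the sample policies are
assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SETTINGS = ("required_roles", "forbidden_roles", "auth_level")


def _is_empty(value) -> bool:
    """None (unset) and [] (configured but left empty) both count as empty."""
    return value is None or value == []


@dataclass(frozen=True)
class AuthorizationPolicy:
    mapping: str                                   # path prefix it is mapped to
    required_roles: Optional[List[str]] = None
    forbidden_roles: Optional[List[str]] = None
    auth_level: Optional[int] = None

    def settings(self) -> Dict[str, object]:
        return {name: getattr(self, name) for name in SETTINGS}

    def specificity(self) -> int:
        """More path segments = more specific; '/' is the least specific."""
        return len([seg for seg in self.mapping.split("/") if seg])

    def matches(self, path: str) -> bool:
        if self.mapping == "/":
            return True
        prefix = self.mapping.rstrip("/")
        # Segment-aware prefix match: '/app/admin' must not cover '/app/administrator'.
        return path == prefix or path.startswith(prefix + "/")


def resolve(path: str, policies: Iterable[AuthorizationPolicy],
            empty_overrides: bool = True) -> Dict[str, object]:
    """Merge all policies mapped to `path`, general first, specific last.

    empty_overrides=True  : new behaviour, the most specific pattern wins
                            for every setting, even when its value is empty.
    empty_overrides=False : previous behaviour, an empty value in a more
                            specific pattern leaves the inherited value intact.
    """
    applicable = sorted((p for p in policies if p.matches(path)),
                        key=AuthorizationPolicy.specificity)
    effective: Dict[str, object] = {name: None for name in SETTINGS}
    for policy in applicable:
        for name, value in policy.settings().items():
            if empty_overrides or not _is_empty(value):
                effective[name] = value
    return effective


def is_authorized(path: str, user_roles: Set[str], user_level: int,
                  policies: Iterable[AuthorizationPolicy],
                  empty_overrides: bool = True) -> bool:
    """Enforce the effective policy.

    Assumption: Required Roles means 'at least one of', Forbidden Roles
    means 'none of'; an empty setting enforces nothing.
    """
    eff = resolve(path, policies, empty_overrides)
    if eff["required_roles"] and not user_roles.intersection(eff["required_roles"]):
        return False
    if eff["forbidden_roles"] and user_roles.intersection(eff["forbidden_roles"]):
        return False
    if eff["auth_level"] is not None and user_level < eff["auth_level"]:
        return False
    return True


# Constructed sample: a general policy on '/' and a more specific one on
# '/app/admin' whose Forbidden Roles and Authentication Level are left empty.
POLICIES = [
    AuthorizationPolicy("/", required_roles=["employee"],
                        forbidden_roles=["contractor"], auth_level=2),
    AuthorizationPolicy("/app/admin", required_roles=["admin"],
                        forbidden_roles=[], auth_level=None),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("empty_overrides =", mode, "->", resolve("/app/admin/users", POLICIES, mode))
```

`is_authorized` shows the practical consequence: under the new rule a user holding both `admin` and `contractor` reaches `/app/admin` with any authentication level, because the specific pattern's empty Forbidden Roles and Authentication Level fields now override the general policy. If you relied on inheritance from the general pattern, repeat those settings in the specific pattern.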
Mobile authentication
- NEVISADMV4-8222: We added Generic nevisFIDO Instance Settings pattern. Use this pattern to set JAVA_OPTS.
- NEVISFIDO-1576: For the nevisFIDO Instance, the config key dispatch-target-repository is no longer generated, as the configuration is now taken from the credential-repository key.
- ⚠️ NEVISADMV4-8121: Settings related to logging in the nevisFIDO Instance pattern are moved into a separate nevisFIDO Log Settings pattern.
Identity management
- NEVISADMV4-8174: We added `PersistentQueueRetry` to the validation of nevisIDM Authorizations.
- ⚠️ NEVISIDM-7872: The nevisIDM Administration GUI pattern enables REST API access by default. As this may conflict with the nevisIDM REST Service pattern, it is mandatory to either manually disable it, or remove the conflicting pattern.
- NEVISIDM-8029: We added new setting to the nevisIDM Password Login pattern called Login Type with a default value of LoginId.
- NEVISADMV4-8101: We fixed the failed validation of nevisIDM Instance / Encryption Key when a secret was used in Kubernetes deployment.
- NEVISIDM-8063: We added a setting SMTP SSL/TLS Mode to the nevisIDM Instance pattern. There are 2 options to choose from: disabled and STARTTLS.
- NEVISADMV4-8196: Do not create a WARNING issue when a variable is used for the JDBC driver in nevisIDM Database Connector pattern during background generation. Variables used to upload files do not have a sample value in the project and thus validation has to be skipped.
- NEVISADMV4-8142: We added settings Regular Expression and Maximum Length to nevisIDM Custom Property.
- NEVISADMV4-8138: We added a new setting Backend Key Store to nevisIDM Administration GUI, nevisIDM SOAP Service and nevisIDM REST Service patterns. Assign a key store pattern if you want to use 2-way TLS between nevisProxy and nevisIDM.
- ⚠️ NEVISADMV4-8126: The IdmPasswordResetState, which is generated by the nevisIDM Password Login pattern when Password Reset is enabled, now shows password policy information.
Federation
- NEVISADMV4-7063: The OAuth 2.0 Authorization Server / OpenID Connect Provider pattern can now generate a Metadata Endpoint.
- NEVISADMV4-7063: The OAuth 2.0 Authorization Server / OpenID Connect Provider pattern is improved:
- The new default values are: /oauth2/auth and /oauth2/token.
- IDC-1558: The OAuth 2.0 Authorization Server / OpenID Connect Provider pattern now generates configuration for standard OAuth / OpenID scopes by default.
- NEVISMETA-1735: We added the Generic nevisMeta Instance Settings pattern. Use this pattern to set JAVA_OPTS.
- NEVISADMV4-7653: We added the Generic Social Login Step pattern for common OIDC/OAuth 2 social login use cases. Use this pattern only if the more specific social login step patterns are not applicable.
- NEVISAUTH-3586: The SAML SP Connector pattern now uses the SP Issuer as default for Audience Restriction.
- NEVISAUTH-3575: We added two new settings to the OAuth 2.0 Authorization Server / OpenID Provider pattern to protect the token introspection and token revocation endpoints with Basic Authentication.
- NEVISAUTH-3567: We improved the SAML Binding configuration in the SAML SP Connector pattern.
nevisAdmin 4.14.0 Release Notes - 2022-02-16
Release information
- nevisAppliance: 2.202202.963
- RPM: nevisadmin4-4.14.0.5-1.noarch.rpm
- GUI Version: FE 4.14.0-614 - BE 4.14.0.5
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Notable changes and bug fixes
- NEW: Version controlled projects can now be reverted to a previous commit. Unlike with the deployment history rollback feature, reverted projects are not imported as read-only. (NEVISADMV4-7779)
- NEW: On the REST API, project and inventory revision updates can now also be performed directly to head. Normally, this feature iterates through each commit until the head, but this may not be possible if there are problems with the git history. Skipping straight to the head can alleviate such issues. (NEVISADMV4-7785)
- NEW: Patterns can now be deleted in batch. (NEVISADMV4-7780)
- NEW: You can now edit the descriptions of files and secret files in the Secret & Files screen. (NEVISADMV4-7786)
- NEW: Kubernetes auto-generated certificates can now be accessed under Global Settings. (NEVISADMV4-7781)
- NEW: Date and time format changed from friendly to full format in Deployment History and Kubernetes Status screens. (NEVISADMV4-7881)
- NEW: A new REST API endpoint was added for temporarily disabling project validation. (NEVISADMV4-7980)
- IMPROVED: Improved the visualization performance of the authentication flow. (NEVISADMV4-7856)
- IMPROVED: Improved the content of the error message about the Kubernetes invalid token. (NEVISADMV4-7678)
- IMPROVED: In case an instance pattern was removed, or if the same instance pattern has already been deployed from a different project, the user is warned during the validation of the deployment. (NEVISADMV4-7784)
- IMPROVED: The validation phase of deployments now warns the user if they are using the mixed versions of plugin libraries. (NEVISADMV4-7791)
- IMPROVED: A warning is now displayed during the validation phase of Kubernetes deployments if there are disabled instance patterns in the project. (NEVISADMV4-7879)
- IMPROVED: A warning is now displayed during the validation phase of Kubernetes deployments if the namespace was changed in the inventory since the last successful deployment. (NEVISADMV4-7802)
- IMPROVED: It is no longer possible to create projects, inventories or tenants with lowercase letters in their keys. (NEVISADMV4-7871)
- IMPROVED: Tenant key is no longer added in project name in Deployment History, Host Status and Kubernetes Status screens. (NEVISADMV4-7298)
- FIXED: Fixed compatibility issue with newer nginx versions when using side-by-side deployment. (NEVISADMV4-7901)
- FIXED: The details of the deployed services were not shown properly in Kubernetes Status screen after the service version reached ten (v10). This issue is now fixed. (NEVISADMV4-7871)
- FIXED: Corrected the info text in the Usage section of Variables screen, that is displayed when a variable is not referenced by a pattern. (NEVISADMV4-7841)
- FIXED: The issue on inventory color highlights in Deployment Wizard is fixed. (NEVISADMV4-7852)
- FIXED: The Service object used in the Ingress could be temporarily deleted when promoting the canary deployment. (NEVISADMV4-7957)
Deprecations
- DEPRECATED: Using the Kubernetes cluster to sign the certificates when using automatic key management is now deprecated and does not work with Kubernetes 1.22. This feature is to be removed in a future release. It is recommended to use cert-manager for this purpose, for more information, see Migrating to cert-manager.
Standard Patterns 4.14.0 Release Notes - 2022-02-16
Release information
Build version: 4.14.0.17
How to install and use the plugins
You can download the plugin JAR files from the Nevis Portal.
Go to the Downloads section, and select ROLLING RELEASES / 2022 Feb.
Enter the version in the Search field: 4.14.0
On how to use this library, see Editing Project Pattern Libraries.
Changes
Changes marked with ⚠️ may be breaking. Check the impact and adapt your project configuration as required.
General
- NEVISADMV4-7906: Changed error message when disabled patterns are assigned for a required reference.
- ⚠️ NEVISADMV4-7765: Generic Log Settings patterns now produce a warning message.
- The patterns are to be removed in May 2022 in favor of higher-level Log Settings patterns.
- Contact support if you have a use case that requires these patterns.
- ⚠️ NEVISADMV4-7765: Syslog forwarding is deprecated for all components.
- Contact support if you have a use case that requires Syslog forwarding.
- ⚠️ NEVISADMV4-7765: The available options for Log Targets in Log Settings patterns are changed.
- The option file is now called default because in Kubernetes deployments the log is always written to the pod log.
- The option file + syslog is now called default + syslog for the same reason.
- If you selected one of the options above you get an error. Select default instead.
- NEVISADMV4-7866: Show an error message when using Generic Deployment in Kubernetes.
- Generic Deployment is not supported in Kubernetes deployment.
- Contact support if you have a use case that requires Generic Deployment.
- NEVISADMV4-7840: Generic Instance Settings for Java-based components now support setting all formats of Java properties.
- Minor differences in sort order are expected.
- ⚠️ If you use a variable for Java Opts check that the configuration is generated as expected.
- ⚠️ NEVISADMV4-7706: Adapted various Log Settings patterns so that assigning them does not lead to an immediate change in the generated log configuration.
Application protection
- NEVISADMV4-7896: The default ModSecurity configuration based on Core Rule Set 3.3.2 now allows the same HTTP methods as the previous release.
- The HTTP methods are checked by nevisProxy and thus there is no reason to check them in ModSecurity again.
- The allowed HTTP methods are CHECKOUT, COPY, DELETE, GET, HEAD, LOCK, MERGE, MKACTIVITY, MKCOL, MOVE, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PUT, TRACE, UNLOCK.
- NEVISADMV4-7640: Make NGINX Ingress Settings assignable to Virtual Host.
- NEVISADMV4-7891: Fixed a typo in the VERSION-CONTROL HTTP method.
- NEVISADMV4-7874: Support configuration of Additional HTTP Status Codes for Virtual Host.
- NEVISADMV4-7864: Changed the default for Password Getter in nevisProxy Instance.
- When recommended is selected a script deployed by nevisAdmin is used which supports all Key Store and Trust Store patterns.
- NEVISADMV4-7827: Allow only *.lua files to be uploaded for Lua Script and Lua Libraries in Lua HTTP Processing.
- NEVISADMV4-7798: The WebSocket Support for Application pattern does not set the parameter KeepAlive.ByClient anymore.
- NEVISADMV4-7858: Added settings for Client Cert Authentication to NGINX Ingress Settings pattern.
- NEVISPROXY-6029: Added new parameter to the RemoteSessionStore pattern called Custom Parameters.
- NEVISADMV4-7936: Fixed NPE in Application Mapping Report.
- NEVISPROXY-6016: The attribute serverAlias of the Connector elements in the navajo.xml file can now be customized using a Generic nevisProxy Instance Settings pattern.
- NEVISADMV4-7812: Added new parameter Mode to the Error Handler pattern, which allows disabling the error handling for the current mapping or some sub-paths.
- ⚠️ NEVISADMV4-7812: When an Error Handler pattern with a sub-paths parameter is added to a Virtual Host, the default error handler of the Virtual Host is now applied to the sub-paths not covered by the attached Error Handler pattern. Previously, the default error handler was disabled as soon as an Error Handler pattern was attached to the Virtual Host. If you want to keep the previous behavior, attach an additional Error Handler pattern with Mode set to disabled to the Virtual Host.
Authentication
- ⚠️ NEVISADMV4-7831: Do not generate Frontend Trust Store when Client Authentication is disabled in nevisAuth Instance patterns.
- When set to disabled, nevisAuth has to be upgraded to 4.34 or later before deployment.
- ⚠️ NEVISADMV4-7920: Change default of Client Authentication to enabled for nevisAuth Instance.
- The Frontend Trust Store has to contain the CA certificate which issued the cert of the Client Key Store of associated realm patterns.
- NEVISADMV4-7915: New setting Session Upgrade Flow in Standalone Authentication Flow.
- NEVISADMV4-7826: Refactored startup check for nevisAuth to check if the port is bound only.
- The previous status check failed when the esauth4sv.log was rotated during startup.
- NEVISADMV4-7910: Support upload of separate text and LitDict files for nevisLogrend and nevisAuth.
- Set Translation Mode to separate to enable this feature.
- ⚠️ When Translation Mode is set to “combined” (default) the uploaded files have to be called `labels_<code>.properties`. Please rename the uploaded files if required.
- NEVISADMV4-7838: Add Log Category for Groovy Script Step.
- NEVISADMV4-7837: Generic Authentication Step now supports adding multiple GuiElem of type submit with the same name as long as the value is different.
- There are custom AuthState implementations which require such a configuration.
- ⚠️ NEVISADMV4-7836: Detect and prevent changing the LitDict encoding to anything other than UTF-8.
- A warning message is created when invalid characters are detected.
- NEVISADMV4-7929: New setting Language Cookie Domain in Advanced Settings of Authentication Realm.
- NEVISADMV4-7981: Generic Authentication Step now supports the expression ${var.name} to refer to an existing variable by name.
- This feature is an alternative to the existing Template Parameters.
- The feature is experimental as there are some usability constraints:
- It is not yet possible to create variables in the project directly (without making a pattern property a variable).
- It is not shown that a variable is used inside the generic configuration.
Mobile authentication
- NEVISADMV4-7627: Added new Android biometric authenticator AAID for Android to nevisFIDO Instance pattern default Policy and Metadata.
User behavior analytics
- NEVISDETECT-1477: Set the session end date by default to the maximum session lifetime to make sure it is never empty.
- NEVISDETECT-1483: New configuration to support the MaxMind IP geolocation database.
- NEVISDETECT-1486: It is now possible to configure a new authentication step that handles the case where a timeout occurs.
- NEVISDETECT-1473: Fix the generated configuration to correctly mark the observations as trusted at the end of an authentication flow in case of a successful authentication.
- NEVISDETECT-1498: When using risk profile configurations, setting at least one threshold is now mandatory.
- NEVISDETECT-1493: Fixed the failure case in the TAN patterns, so that the flow can react when a user fails to provide the correct code and reaches the maximum number of attempts.
- NEVISDETECT-1495: Improved the help texts for the risk event configurations.
- NEVISDETECT-1502: Fixed the file name for log rotation to match the UNIX standards.
Identity management
- ⚠️ NEVISIDM-7694: Encryption settings are now exposed in nevisIDM Instance.
- From now on the Encryption Key has to be set.
- The database should be checked for encrypted content to determine if Encryption Fallback has to be enabled.
- encrypted properties:
- select * from tidma_property where encrypted = 1;
- unused URL tickets:
- select * from tidma_credential where CREDENTIAL_TYPE_ID = 14 and STATE_ID = 2;
- NEVISADMV4-7824: New nevisIDM URL Ticket Consume pattern.
- Use for custom flows which require a link sent to the email address of the user.
- This pattern establishes an endpoint on a Virtual Host where URL Tickets can be validated. On success the next authentication step is executed.
- IDC-1264: Added additional settings to nevisIDM Property pattern.
- This pattern is experimental and not feature-complete.
- If you have a property that cannot be generated, contact support.
- NEVISADMV4-7843: Do not restart nevisIDM Instance when log levels are changed.
- nevisIDM is configured to check for log level changes every 60 seconds.
- One restart is still required to activate the polling.
- This does not apply to Generic nevisIDM Log Settings. When this pattern is used, nevisIDM is still restarted.
- NEVISADMV4-7834: Ensure tmp folder inside nevisIDM instance is not deleted on deployment.
- Removal of the tmp folder during runtime can lead to outages.
- NEVISDP-328: Allow the upload of multiple Custom JAR Files for nevisDataPorter Instance.
- NEVISDP-329: The nevisDataPorter Instance now has a tab nevisIDM Connection where you can set a Trust Store and Key Store to establish a 2-way TLS connection.
- Check the documentation on how to use these stores in your Configuration.
- NEVISADMV4-7928: Support custom redirects during or after Password Reset in nevisIDM Password Login pattern.
- NEVISADMV4-7927: New setting URL Ticket Policy Name for password reset process in nevisIDM Password Login pattern.
- ⚠️ NEVISADMV4-5588: The setting Enabled SOAP WebService Versions in nevisIDM Instance is removed.
- This setting was not working in recent releases.
- Use Generic nevisIDM Instance Settings to set the property webservice.versions instead.
Federation
- IDC-1273: The SAML SP Connector now has a new setting Multi Value.
- When enabled, multiple AttributeValue elements are generated for attributes containing comma- or space-separated Strings.
- For backward compatibility, the default is disabled.
- NEVISADMV4-7743: New OAuth 2.0 Authorization Server / OpenID Provider pattern.
- This pattern is still in development and will change significantly in subsequent releases.
- Consider this to be a preview. Use at your own risk!
- NEVISADMV4-7878: nevisAuth fixed a bug related to the setting SP URL - Single Logout Service in the SAML SP Connector pattern. Upgrade to the latest nevisAuth release.
- NEVISADMV4-7979: Social Login Patterns now use the next step correctly when creating a new user failed.
nevisAdmin 4.13.1 Release Notes - 2021-12-03
Release information
- nevisAppliance: 2.202111.950
- RPM: nevisadmin4-4.13.1.0-1.noarch.rpm
- GUI Version: FE 4.13.0-559 - BE 4.13.1.0
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Notable changes and bug fixes
- FIXED: The nevisadmin4 rpm package integrity was wrong by default. The issue is now fixed.
Patterns 4.13.1 Release Notes - 2021-12-03
Release information
Build Version: 4.13.1.1
How to Install and Use the Plug-Ins
This version is not supported anymore and cannot be downloaded. Upgrade to a newer version.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
General
- FIXED: The setting Default Log Level in "Log Settings" patterns now also changes the `priority` of the `root` logger.
Application Protection
- NEW: Added experimental Default Service pattern. Use this pattern to map filters to paths when there is no backend, no hosted resources, or authentication flow.
- FIXED: The HTTP Header Customization pattern now allows using constant values for Basic Auth User and Basic Auth Password. Previously you had to add the CONST: prefix as a workaround.
Authentication
- CHANGED: The setting Translations in realm pattern now allows uploading UTF-8 encoded files. Previously only ASCII files with HTML-encoded special characters were supported.
- FIXED: Ensure Email TAN and Mobile TAN patterns take the On Failure exit when all attempts are exhausted.
nevisAdmin 4.13.0 Release Notes - 2021-11-17
Release information
- nevisAppliance: 2.202111.948
- RPM: nevisadmin4-4.13.0.6-1.noarch.rpm
- GUI Version: FE 4.13.0-559 - BE 4.13.0.6
Upgrade instructions and breaking changes
Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.
Notable changes and bug fixes
- NEW: Patterns are now marked as unused, if they do not contribute anything to the project's configuration. Having unused patterns usually indicates that the project is incomplete, or it contains unnecessary patterns which can be deleted.
- NEW: While making a classic deployment, you can now specify which pattern instances you want to deploy on the Deployment Wizard screen. In addition, we also display the deployed instance pattern ids in the Deployment History.
- NEW: The authentication flow of the projects can now be viewed in a full graph. The animated graph can be opened in a full screen and provides a better overview of the whole authentication flow. For more information, see the "Authentication Graph" section of the Navigating Patterns chapter in the nevisAdmin 4 technical documentation.
- NEW: The authentication graph can be accessed from the Realms in Project Overview screen.
- NEW: Patterns can now be copied as unlinked to the source pattern. With this, the same pattern can be copied multiple times without affecting the content of the already existing pattern. For more information, see the Copying Patterns chapter in the nevisAdmin 4 technical documentation.
- NEW: When copying patterns, you can now copy them with variables.
- NEW: On the REST API, secrets and inventory file attachments can now be created with custom IDs.
- NEW: When you are making a Kubernetes Secondary deployment, you can now split the traffic based on the percentage. For more information, see the Side-by-side Deployment chapter in the nevisAdmin 4 technical documentation.
- NEW: When there is a newer version of the pattern libraries for the project, an indicator icon is displayed next to the project name from where the update can be initiated.
- NEW: Data porter patterns are now available with the standard pattern libraries.
- IMPROVED: Added a new property `nevisadmin.generation.engine.smart-error-recovery` to make the Generation Engine continue the generation on errors. With this property turned on, the error output of the Generation Engine and the Deployment Wizard will be the same for the same project.
- IMPROVED: The authentication flow tree now loads faster.
- IMPROVED: The authentication flow tree is now generated with a breadth-first algorithm instead of depth-first. Once a limit is reached, a warning indicator is displayed next to the patterns which have incomplete steps.
- IMPROVED: On Kubernetes, component containers now start with the `runAsNonRoot` option, instead of specifying a random UID. This is to improve compatibility with OpenShift.
- IMPROVED: While loading an authentication flow tree, an information message is displayed about the loading tree.
- IMPROVED: The inventory colour and background highlights are improved. The change affects the Inventory Editor, the Deployment Wizard and the inventory icon colours.
- IMPROVED: Importing a project from zip is improved with a warning message when the user tries to import an existing project. In such a case, the project will be overwritten and this has to be confirmed by the user.
- FIXED: There was a flickering issue while scrolling the patterns in Pattern Master List. This issue is now fixed.
- FIXED: The details in Kubernetes Status screen were not displayed properly in a smaller screen size. This issue is now fixed.
- FIXED: The display of error messages is improved in the Deployment Wizard and the Pattern property editor.
- REMOVED: Patterns to set up monitoring are no longer available in the standard pattern libraries.
Deprecations
- DEPRECATED: Using the Kubernetes cluster to sign the certificates when using automatic key management is now deprecated, and the feature will be removed in a future release. It is recommended to use cert-manager for this purpose. For more information, see Migrating to cert-manager.
Patterns 4.13.0 Release Notes - 2021-11-17
Release information
Build Version: 4.13.0.13
How to Install and Use the Plug-Ins
This version is not supported anymore and cannot be downloaded. Upgrade to a newer version.
Changes
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these release notes carefully, and adapt your pattern configuration if required.
General
- We do not generate the info issue "Some host addresses do not include port, calculating port based on scheme." anymore.
- A thread-safety issue which can make the generation fail when automatic key management is used has been fixed.
- A `chmod` has been added to the automatic key management scripts to fix a permission issue that occurs in combination with certain versions of `openssl`.
Application Protection
- NEW: Support for the assignment of multiple Virtual Host patterns in application patterns was added.
- NEW: We added the property "Database Schema Check" to the "nevisProxy MariaDB Remote Session Store" pattern. When enabled, nevisProxy verifies that the database schema and integrity constraints match the requirements of the Remote Session Store at startup. This check is disabled for "Managed nevisProxy Remote Session Store" patterns.
- UPDATED: The "compatible" configuration for the "Frontend TLS Settings" of Virtual Hosts was updated. Refer to the pattern help for the new values.
- UPDATED: Blank fields in "TLS Settings" patterns assigned to a Virtual Host will now be replaced by the corresponding "recommended" value. Previously, the "compatible" value was applied.
- UPDATED: We upgraded the default ModSecurity CRS version to 3.3.2 and introduced the new property "OWASP ModSecurity CRS version" in the "Virtual Host" pattern to choose the CRS version. The new default matches the OWASP recommended configuration: it uses anomaly scoring mode and the response body check is enabled. If a custom CRS was configured previously, the "custom" option has to be selected.
- UPDATED: The nevisProxy status script for classic VM deployment was improved.
- UPDATED: Generic Application Settings now support the expression `${host.key}`, which may be used for `EntryPointID` when declaring a custom `IdentityCreationFilter`, or to point to configuration files within the `docBase` of the host.
- FIXED: An exception in the Application Mapping Report which made report generation fail was fixed.
- FIXED: We fixed an issue where a Virtual Host could have Frontend TLS Settings set to `recommended` or `compatible` and have a TLS Settings pattern assigned at the same time. Assigning a TLS Settings pattern now requires setting Frontend TLS Settings to `custom`.
Authentication
- NEW: We added support for additional algorithms to the JWT Token pattern.
- NEW: We now create a WARN issue when multiple files per language are uploaded for Labels in the authentication realm patterns.
- FIXED: A bug in the generation of `SectokenVerifierCert` when using multiple realm patterns with different configurations for the Internal SecToken Trust Store was fixed.
Federation
- NEW: An optional configuration, On User Creation Failed, was added to the social login patterns.
- NEW: We added configuration options to SAML SP Realm and SAML IDP patterns to support logout using SOAP-binding.
- UPDATED: We improved the error handling when a social login provider returns an error.
Identity Management
- UPDATED: CSRF protection for nevisIDM was updated.
- NEW: New experimental patterns for the configuration of nevisIDM batch jobs were added.
- NEW: New experimental patterns for the configuration of nevisDataPorter were added.
- CHANGED: Oracle JDBC drivers uploaded in nevisIDM Instance pattern now also get deployed for nevisidmdb.
Monitoring
- As announced in Components Removed from the Rolling Releases as of November 2021, patterns to set up an ELK stack on the nevisAppliance are removed.
Known issues and limitations
See also:
nevisAdmin 4
Since 8.2411
- If you initiate a library upgrade using the update icon in the project selector bar, the upgrade notes dialog might not open. As a workaround, downgrade the library back to the old version, and initiate the upgrade from the Project Settings page.
Since 8.2405
- On startup, nevisAdmin 4 produces warning messages such as the following. These can be ignored.
Bean 'shiroConfig' of type [ch.nevis.admin.v4.infra.spring.rest.ShiroConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). The currently created BeanPostProcessor [lifecycleBeanPostProcessor] is declared through a non-static factory method on that class; consider declaring it as static instead.
Since 4.19:
- After deleting a deployment from the Kubernetes Status screen, the overall status of the deployment is not updated automatically, only the pods' status.
- On the Configuration tab, if a library upgrade is available for the selected Project, the upgrade icon should open the upgrade dialog, but if you are on the Project Settings screen, the dialog does not open. As a workaround, you can open the dialog from the Overview or Patterns screens.
Since 4.18:
- When managing users and groups, in some cases the nevisAdmin 4 GUI incorrectly allows assigning permissions that the currently logged-in user does not have permission to assign. In these cases, an error dialog is shown and the permission assignment is not executed.
- The 4.18.0.0 flyway script could fail if the database contains a duplicated user that has groups assigned. To fix this problem, execute these scripts manually:
Remove the failed migration history: `delete from flyway_schema_history where version='4.18.0.0';`
Delete the group assignments of the duplicated users: `delete from `group_member` where user_id not in (select min(u.id) from `user` u group by u.user_id);`
Restart nevisAdmin 4; the 4.18.0.0 migration script will be executed again.
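As an added example (not part of the nevisAdmin release notes), the following MariaDB/MySQL session previews which users and group assignments the two deletes above will touch before anything is removed, and wraps the workaround in a transaction so it can be rolled back if the preview looks wrong. It assumes only the schema implied by the queries above: `user`(id, user_id) and `group_member`(user_id) referencing `user`.id.

```sql
-- Added example, not from the nevisAdmin documentation.
-- Assumed schema (from the workaround queries): `user`(id, user_id),
-- `group_member`(user_id) where group_member.user_id references user.id.
START TRANSACTION;

-- 1. Which logical users exist more than once, and which row will be kept?
SELECT u.user_id, COUNT(*) AS copies, MIN(u.id) AS kept_id
FROM `user` u
GROUP BY u.user_id
HAVING COUNT(*) > 1;

-- 2. Which group assignments would the workaround delete?
--    (those attached to the duplicate rows, i.e. every id that is not the
--    minimal id of its user_id group)
SELECT gm.*
FROM `group_member` gm
WHERE gm.user_id NOT IN (SELECT MIN(u.id) FROM `user` u GROUP BY u.user_id);

-- 3. The documented workaround, run only after reviewing the output above.
DELETE FROM flyway_schema_history WHERE version = '4.18.0.0';
DELETE FROM `group_member`
WHERE user_id NOT IN (SELECT MIN(u.id) FROM `user` u GROUP BY u.user_id);

-- 4. Verify that no group assignment points at a duplicate row any more.
SELECT COUNT(*) AS remaining_on_duplicates
FROM `group_member` gm
WHERE gm.user_id NOT IN (SELECT MIN(u.id) FROM `user` u GROUP BY u.user_id);

COMMIT;   -- use ROLLBACK instead if the preview did not match expectations
```

Run this in an interactive session rather than as a script so the SELECT output can be inspected before the COMMIT.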
Since 4.12:
- Updating an inventory attachment with a file that has a new name does not update the reference in the inventory. This results in an outdated file name shown in the reference (`inv-res-secret://<id>#fileName>`).
- If there are multiple RPM nevisAdmin 4 installations on a server, the command `nevisadmin4 status` lists the versions of all installations under the Component field in the nevisAdmin 4 GUI, not only the currently used one.
- You cannot change the case of a letter of an already published variable. This bug does not affect unpublished variables.
- The Project summary report tab can take several seconds to load in case of very large projects.
- Loading the Pattern list can take several seconds in the case of very large projects. In such cases, the Label view or Filters function is a more convenient way to view the patterns.
- The deployment preview phase reports an error if the automatic key management setting is enabled during classic deployments. This issue does not occur if the deployment is initiated by the `root` user.
Fixed Issues
4.18 only:
- Deploying to a Kubernetes cluster that uses cgroups v2, such as AKS 1.25, could result in increased memory consumption for all Java-based Nevis components. This is caused by a bug in the used Java version (JDK-8230305). As a workaround, it is recommended to use `Generic Instance Setting` patterns and set the maximum heap size directly with the `-Xmx` option.
4.16 only:
- Updating the value of a binary global secret or global file, such as a zip in Secret and Files, results in no change. As a workaround, update the value through the Swagger endpoint reachable at `/nevisadmin/swagger-ui/index.html#/tenant-secret-resource-resource/update_2` for global secrets, and `/nevisadmin/swagger-ui/index.html#/tenant-resource-resource/update_3` for global files.
4.15 only:
- The Used in column on Secret & Files does not contain inventories that use a secret through a global constant.
- The label of the link to access pod logs on the Kubernetes Status screen was mistakenly changed to "view operator logs" though it shows only pod logs.
4.14 only:
- If there is an error in the Managed Kubernetes Certificates screen (for example, the connection to the Kubernetes cluster fails), the table is not refreshed even if another inventory is selected from the drop-down. If the selected inventory is not the default one, refreshing the page resolves the issue. Otherwise, the error needs to be fixed first.
- The Project summary report tab can take several seconds to load in case of very large projects.
- The Groovy Script Step pattern script validation does not work with 4.13.x plugins. As a workaround, you can disable the validation under Advanced Settings, or update the plugins version to 4.14+.
4.13 only:
- You can now choose the instance patterns in the Deployment Wizard for Classic deployment. By default, the last selected instance patterns will be deployed in the next deployment. If a new instance pattern is added in the meantime, that pattern is not selected automatically since the last selected option is selected by default. This behaviour will be improved in a future release.
Patterns
Automatic key management - Kubernetes deployment
In Kubernetes deployments, automatic keystores are scoped to a Kubernetes service.
To support side-by-side deployment, a suffix is appended to Kubernetes service names.
As the service name is included in the certificate subject, new keystores have to be generated when a service is renamed.
This can be problematic for keystores used to sign a token, because all truststores used to validate the token signature have to be updated as well.
This means that tokens signed by the previous signer are no longer accepted.
For instance, a previous signer may have been used to sign a SecToken for the user, which is then stored in the session.
To avoid this problem, the following keystores are not scoped to the Kubernetes service, even when side-by-side deployment is not being used:
- The internal SecToken that nevisAuth issues for itself to access nevisIDM and nevisMeta APIs.
- Application access tokens issued to the user to access applications protected by nevisProxy.
This works when no key management patterns are assigned, but it may fail when assigning an Automatic Key Store pattern.
If you use Automatic Key Store patterns to sign tokens, make sure the pattern name ends with `-signer`.
HTTP error codes cause session loss
By default, the Virtual Host maps an `ErrorFilter` that handles HTTP error codes.
For security reasons, the filter is configured to remove response headers.
This behavior can lead to the loss of the nevisProxy session when an HTTP error occurs, for example while the session cookie is being renewed after a successful authentication.
For status codes `404` and `502`, the headers are not reset, which makes session loss less likely.
You can opt out by adding your own HTTP Error Handling pattern.
This pattern allows you to define which status codes are handled, and for which codes the headers are kept.
You can do this using the property Keep Header Status Codes.
Assign the HTTP Error Handling pattern to relevant locations, for example, the entire Virtual Host or in applications.
Fixed Issues
Up to 4.19:
- When the folder `/var/opt/keys/` is completely removed on target hosts in VM deployments, two deployments are required to recreate the key material. This is an exceptional case which occurs only during disaster recovery or nevisAdmin 4 CA renewal.