Skip to main content
Version: 2.82.x.x LTS

Migration guide from LTS-2019 to LTS-2021

This page lists all the breaking changes that were introduced between the LTS-2019 version (2.75.X) and the LTS-2021 version (2.82.X) of nevisIDM.

Read all the items, and execute all manual migration steps that are relevant for your setup and environment.

Breaking changes

  • REMOVED: nevisIDM no longer supports adnwildfly. For further instructions refer to the documentation, chapter “Migration to Standalone”. (NEVISIDM-6188)

  • REMOVED: The auditing provider fileAuditProvider has been removed. Use the auditing provider jsonAuditProvider instead. (NEVISIDM-6026)

  • NEW: This release introduces the new nevisidmdb tool. For more information, see chapter "nevisidmdb Usage and Configuration Properties" in the reference guide.

  • REMOVED: The existing nevisidmdb database has been removed and replaced. The following operations are not supported anymore:

  • DEPRECATED: The auditing provider jcanLogAuditProvider is deprecated. Use the auditing provider jsonAuditProvider instead. (NEVISIDM-6026)

  • CHANGED: As of this release, jsonAuditProvider is the default auditing provider. (NEVISIDM-6026)

  • CHANGED: nevisIDM now uses Log4j2, instead of Log4j, for logging. Migrate all your logging configurations to Log4j 2 files. (NEVISIDM-6317)

    • Copy the new default logging configuration template from /opt/nevisidm/config/standalone/logging.yml to the instance configuration folder /var/opt/nevisidm/<instance-name>/conf/logging.yml.
    • Manually migrate custom logging configurations contained in the old log4j.xml file to the instance's logging.yml file. You will find further information about the new Log4j2 configuration format in the template and on this website: http://logging.apache.org/log4j/2.x/manual/migration.html.
    • Remove the old log4j.xml file.
  • CHANGED: From now on, the status code of a REST request with a missing body is 400 (Bad Request). Previously, it was 422 (Unprocessable Entity). (NEVISIDM-6161)

  • CHANGED: As of this release, REST requests with unknown fields in the request body will fail. (NEVISIDM-6161)

  • REMOVED: The Oracle JDBC jar is no longer bundled into the application. For details, see the following steps or the chapter "Database Preparing" in the nevisIDM Reference Guide. (NEVISIDM-6131)

    • In case nevisAppliance is used, the nevisidmdb package is already updated during build time of the nevisAppliance image. In this case, migrate the configuration files manually. Proceed as follows:
        1. Create a backup (archive) of the existing configurations (/var/opt/nevisidmdb/<instance-name>/conf/).
    1. Create a new properties file called nevisidmdb.properties in /var/opt/nevisidmdb/conf/.
    2. Migrate your existing configurations from the env.conf file to nevisidmdb.properties file as follows (the variables surrounded by underscores are the current variable values from your env.conf file):
    3. In case of an Oracle database:
    4. database.connection.url=jdbc:oracle:thin:@//DBHOST: DBPORT/ORACLE_SID
    5. database.owner.name=DBOWNER_NAME
    6. database.owner.password=DBOWNER_PASSWORD
    7. database.role.appl=ROLE_APPL
    8. database.ts.index=DBTS_INDEX
    9. database.ts.data=DBTS_DATA
    10. In case of a MariaDB database:
    11. database.connection.url=jdbc:mysql://_DBHOST_MYSQL_: DBPORT_MYSQL/nevisidm
    12. database.owner.name=DBOWNER_NAME_MYSQL
    13. database.owner.password=DBOWNER_PASSWORD_MYSQL
    14. Copy /opt/nevisidmdb/template/env.conf to /var/opt/nevisidmdb/conf/, which can be used to configure environment variables.
  • CHANGED: The server truststore is no longer used for outbound TLS connections (for example, SMTP or messaging). Instead, you can configure independent truststores for each outbound TLS use case. If there is no independent truststore configured, the system truststore will be used for outbound TLS. (NEVISIDM-6702)

  • CHANGED: During user creation on the REST interface, the login ID generator can now generate a loginId if no ID value is provided and the generator is enabled. If the caller wants to override the generated loginId, by providing a value for it in the request, the caller needs the AccessControl.LoginIdOverride right. (NEVISIDM-7374)

  • CHANGED: The unique check of the extId of the credential and the client's id now takes place on database level, in a new table called TIDMA_CREDENTIAL_CLIENT. Previously, this check happened in the Java business logic. As a consequence of this change, the credential extId must be unique for each credential within the same client. Because this uniqueness constraint may already be violated in some cases, execute the following manual steps before starting the database migration.

SELECT CREDENTIAL.EXTID AS credentialExtid,
COUNT(CREDENTIAL.EXTID) AS credentialCount,
TU.CLIENT_ID AS clientId
FROM TIDMA_CREDENTIAL CREDENTIAL
LEFT OUTER JOIN TIDMA_USER TU ON CREDENTIAL.USER_ID = TU.USER_ID
GROUP BY TU.CLIENT_ID, CREDENTIAL.EXTID
HAVING COUNT(CREDENTIAL.EXTID) > 1
;
  • The users delete the credentials on their own and create new ones through the GUI or one of our APIs (REST, SOAP).
  • The administrators delete the credentials and create new ones through the GUI or one of our APIs (REST, SOAP). With this option, the secrets of the new credentials must be communicated to the affected users.
  • The administrators manually change the extId of the credentials directly in the database. However, by doing so, the changes are neither written to the audit log nor to the provisioning queue. Use the following statement in case synchronize these manual changes to another system (replace NEW_VALUE with the new extId value)
for each row in the query above, get the credentialExtId and the clientId and do:
SELECT CREDENTIAL_ID as credentialId WHERE EXTID='credentialExtId' and CLIENT_ID=clientId;
for all but one credentialId do:
UPDATE TIDMA_CREDENTIAL SET EXTID='__NEW_VALUE__' WHERE CREDENTIAL_ID=credentialId;
  • CHANGED: When removing old, archived users, the UpdateUserStateJob now also removes users who were created with the Archived state and never had their state changed. That is, these user's STATE_CHANGED_DATE is "null". (NEVISIDM-7349)

  • CHANGED: The GUI has been updated with the new Nevis design. If you use custom facing on the GUI, this change might break existing CSS styling. (NEVISIDM-7436)

  • CHANGED: Index creation and the search functionality behind the Query REST services were upgraded. Delete old indexes in the application.queryservice.index.dir folder. (NEVISIDM-7526)

  • Index creation and the search functionality behind the Query REST services were upgraded. Delete old indexes in the application.queryservice.index.dir folder. The index folders are also changed to avoid conflicts during upgrade:

  • CHANGED: login.service.connection and admin.service.connection must be configured for all nevisIDM AuthStates. You can use propertyRef to include existing configuration. (NEVISIDM-7498)

  • FIXED: A bug caused a memory leak in adnooprint 1.1.0.0. The installation of adnooprint 1.2.0.x supporting LibreOffice 5.3.6.1 fixes the bug. For more details, see the new instructions of "Installation of adnooprint version 1.2.0.x and LibreOffice" in the reference guide chapter “Preparing nevisIDM for Use with OpenOffice Templates (adnooprint)”. (NEVISIDM-7456)

  • The CTL_MOD_DAT field of TIDMA_PROPERTY_VALUE table will not be updated for each modification on related scope (e.g. on TIDMA_USER) and the custom property update evens will not be written into the TIDMA_PROPERTY_VALUE_V table to reduce database space consumption. The direct modifications on custom properties are incorporated into property tables but only those that are absolutely necessary. If you count on these records you need to calculate them based on earlier history events as IDM does, or use the SOAP history services. (NEVISIDM-7545)

Other important changes

  • NEW: You can now configure the jsonAuditProvider auditing provider such that it rolls the log files daily or by file size, or both. (NEVISIDM-6026)
  • NEW: From now on the provided logging template is in YAML format. YAML is also the recommended format. (NEVISIDM-6414)
  • CHANGED: The package of the UserServiceRequestInjectingFilter has been changed. Adjust the logging configurations such that they point to the new package ch.adnovum.nevisidm.web.filters.UserServiceRequestInjectingFilter. (NEVISIDM-5838)
  • REMOVED: Usage of custom batch jobs is discouraged. Nevis does not support calling internal services of nevisIDM. Use an external job scheduler such as Cron, which accesses nevisIDM via the official nevisIDM APIs. Existing jobs may work for a while but they might break if the business service is changed or if third party dependencies are removed or changed.
  • NEW: The Roles endpoint of the Profiles REST service now also returns roles assigned over enterprise roles. (NEVISIDM-6333)
  • CHANGED: Password creation will now also return the "201" (CREATED) status code and a location header for the created password credential even if no password fragment is returned in the response. (NEVISIDM-6186)
  • CHANGED (Edge Case): Paginated REST calls now return elements that are created at the exact same timestamp in the correct order. (NEVISIDM-6168).
  • REMOVED: The DELETE_CREDENTIAL_HISTORY procedure has been removed. (NEVISIDM-6997)
  • CHANGED: From now on, if the loadUser flag is set to true, the IdmCreateUserState loads the client external ID (clientExtId) and the client name (clientName) in the user DTO of the session. (NEVISIDM-6852)
  • DEPRECATED: The status servlet is deprecated. To retrieve runtime and database statistics information, use the management service instead (for more information, see the chapter "Management Service").
  • NEW: You can now configure outbound TLS truststores (for SMTP or messaging) independently of the server truststore. If there is no independent truststore configured, the system truststore will be used. (NEVISIDM-6702)
  • NEW: The new credential type Recovery Code with CREDENTIAL_TYPE=22 is now available. (NEVISIDM-6731)
  • NEW: The UpdateUserStateJob has a new configuration: daysNoActivitySinceReactivation, which provides a grace period before deactivating users who have been recently reactivated. (NEVISIDM-6873)
  • CHANGED: SecTokens will now always use the default encoding of the JVM. The default encoding can be controlled with the JVM system property -Dfile.encoding. In addition, the JVM system property -Dsectoken.data.charset must be configured accordingly to match the default JVM encoding. Be aware that encoding changes might require users to log in again. (NEVISIDM-6651)
  • CHANGED: The "User per application" report now contains the street and house number of the users if the client policy address.ech0010.enabled is set to true. (NEVISIDM-6937)
  • CHANGED: There is no unique_email migration anymore during startup even if the configuration parameters authentication.loginWithEmail.enabled or application.feature.emaillogin.enabled are enabled. (NEVISIDM-7187)
  • CHANGED: From now on, nevisIDM only restores event queues at startup if the configuration parameter application.modules.event.autostartup.enabled is set to true. (NEVISIDM-7267)
  • REMOVED: The nevisIDM command reinit batch has been removed. From now on, nevisIDM automatically refreshes the batch context when modifying the configuration file. (NEVISIDM-7166)
  • CHANGED: The permission checks for property REST service endpoints are now consistent. nevisIDM now checks the permission of the entity determined by the property scope as well as the general permission for properties, for all endpoints. (NEVISIDM-7181)
  • NEW: nevisIDM now automatically detects logging configuration changes every 5 seconds for newly created instances. To configure this for existing instances, add the parameter monitorInterval: 5 to the log configuration. The minimum interval is 5 seconds. (NEVISIDM-7004)
  • CHANGED: The location of the default temporary directory has been changed from /tmp to /var/opt/nevisidm/{instance_name}/tmp. (NEVISIDM-7168)
  • NEW: The Content-Security-Policy header is now added to */nevisidm/**. (NEVISIDM-7357)
  • CHANGED: The default profile name now contains only the first 80 characters of the loginId, in case the loginId is longer than 80 characters. (NEVISIDM-7306)
  • CHANGED: The LOGIN_ID column of the TIDMA_USER table is extended to 300 characters. Due to this change, indexes that hold the LOGIN_ID column must be rebuilt during migration. Furthermore, the indexes iidma_user_client_login_id_up and iidma_user_login_id_num of Oracle databases are dropped and recreated. As a consequence, the migration may take longer. Therefore, plan your migration accordingly. (NEVISIDM-7306)
  • CHANGED: From now on, multiple instances can handle events without concurrency issues. (NEVISIDM-7451)