Version: 7.2405.x.x LTS

Migration guide from LTS-2021 to LTS-2024

This page lists all the breaking changes that were introduced between the LTS-2021 version (2.83.X) and the LTS-2024 version (7.2405.X) of nevisIDM.

danger

Read all the items, and execute all manual migration steps that are relevant for your setup and environment.

⚠️ The recommended migration path involves two steps:

  1. Migrate to the first LTS-24 (7.2405.x) version.
  2. Migrate to the most recent LTS-24 version.

Do not forget to update your other related Nevis components at the time of migration.

In the nevisidm-prod.properties file, the security key is now mandatory:

security.properties.key=rTDnrwBebrM=

A fallback mechanism is available for the case where the default key is changed on a live system. Enable it with the following application property:

security.properties.fallback.enabled=true

Breaking changes

nevisIDM 2.83.0.1443644301 - 17.11.2021

  • FIXED: Audit logging of consent creation now returns the consent ID as consentId, not the related terms' extId. (NEVISIDM-7650)
  • CHANGED: If you use nevisAdmin 4, you have to upgrade the Standard Patterns. (NEVISADMV4-7752)

nevisIDM 2.86.0.2833457136 - 17.08.2022

  • FIXED: A bug in the unit dataroom check is fixed: in some cases, an archived profile of the user still affected the result. (NEVISIDM-8015)
  • FIXED: For mTAN, mobile numbers with a 00 prefix are no longer accepted. (NEVISIDM-8147)

nevisIDM 2.87.0.3469446643 - 16.11.2022

  • CHANGED: We introduced Atomikos XA transaction management to avoid provisioning inconsistency. (NEVISIDM-7963)
  • CHANGED: Policy type LoginPolicy is planned to be removed in May 2023. To stay up-to-date with our software versions, make the necessary changes in your configuration, see LoginPolicy.
  • REMOVED: Some Admin CLI commands are removed with the November Rolling Release. For more information, see Administrative command-line interface.
  • CHANGED: As a consequence of the admin CLI changes, the directory structure of the RPM installation also changed: it no longer contains the version number. Consider this when accessing the installed directories, for example when configuring the classpath for nevisAuth.

nevisIDM 2.88.0.4105994907 - 15.02.2023

  • CHANGED: We upgraded the MariaDB driver to 2.7.6. (NEVISIDM-8480)
    • The connection URL in the nevisidm and nevisidmdb properties files must contain the useMysqlMetadata=true query parameter.
  • CHANGED: We renamed the following fields of the SCIM interface to be standard compliant. For the usage of these objects, check the apib. (NEVISIDM-8694)
    • The resources field to Resources in ListResponse
    • The operations field to Operations in BulkRequest
    • The operations field to Operations in BulkResponse

nevisIDM 2.89.0.4955612706 - 17.05.2023

  • UPDATED: The default value of security.properties.cipher changed to AES/GCM/NoPadding. In systems where this value was set explicitly, no configuration change is necessary; the update does not affect the decryption process. In systems where this value was not set, enabling the decryption fallback mechanism with security.properties.fallback.enabled is recommended. This allows the decryption of old values that were encrypted with the old default. Alternatively, the cipher can be set to the old value to keep the same decryption process. (NEVISIDM-8771)

nevisIDM 2.90.0.5832994866 - 16.08.2023

  • CHANGED: Credential validity date calculation: if validityFrom is set but validityTo is not, nevisIDM now calculates the validityTo date from the validityFrom date instead of from the current date. The previous calculation can be reactivated by setting validityDateCalculationVersion to v1 in the relevant credential policy. (NEVISIDM-8974)
  • NEW: Fido UAF policy introduced. If you use IDM on an existing instance, create a default FIDO UAF policy for every client where FIDO UAF credentials are allowed. (NEVISIDM-8926)
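The following is an added example, not nevisIDM's own code, that models the two validityTo calculations described in the item above so that their difference can be seen on concrete dates. Only the rule about which date the validity period is counted from comes from the release note; the length of the period (validity_days), the parameter and function names, and the fallback to the current date when validityFrom is also absent are assumptions of this example.

```python
"""Added example, not nevisIDM code: models the v1 and v2 validityTo calculation.

Only the rule taken from the release note is modelled: under v2, validityTo is
counted from validityFrom; under v1 it is counted from the current date. The
length of the validity period (validity_days) and the fallback to the current
date when validityFrom is absent are assumptions of this example.
"""
from datetime import date, timedelta
from typing import Optional


def calculate_validity_to(
    validity_from: Optional[date],
    validity_to: Optional[date],
    validity_days: int,
    today: date,
    version: str = "v2",
) -> date:
    """Return the effective validityTo of a credential.

    version="v2": the current default; validityTo = validityFrom + validity_days
                  when validityFrom is set and validityTo is not.
    version="v1": the previous calculation (validityDateCalculationVersion=v1);
                  validityTo = today + validity_days regardless of validityFrom.
    An explicitly supplied validityTo is always kept as-is.
    """
    if version not in ("v1", "v2"):
        raise ValueError(f"unknown validityDateCalculationVersion: {version!r}")
    if validity_to is not None:
        return validity_to
    # Assumption of this example: without a validityFrom both versions count from today.
    if version == "v1" or validity_from is None:
        return today + timedelta(days=validity_days)
    return validity_from + timedelta(days=validity_days)


def is_valid_on(day: date, validity_from: Optional[date], validity_to: date) -> bool:
    """A credential is usable on `day` if it lies inside [validityFrom, validityTo]."""
    if validity_from is not None and day < validity_from:
        return False
    return day <= validity_to


def migration_effect(validity_from: date, validity_days: int, today: date) -> dict:
    """Compare both versions for a credential created today with a back-dated
    validityFrom. Under v2 a validityFrom far in the past can yield a validityTo
    that is already over, so the new credential starts out expired; under v1
    the same input yields a credential valid for validity_days from today."""
    result = {}
    for version in ("v1", "v2"):
        to = calculate_validity_to(validity_from, None, validity_days, today, version)
        result[version] = {"validityTo": to, "validToday": is_valid_on(today, validity_from, to)}
    return result


if __name__ == "__main__":
    # Constructed sample: a 90-day period, validityFrom back-dated to 1 Jan 2023.
    for version, info in migration_effect(date(2023, 1, 1), 90, date(2023, 8, 16)).items():
        print(version, info)
```

The case worth checking after the upgrade is a credential created with a back-dated validityFrom: with v2 the period is counted from that earlier date, so a creation request that used to yield a credential valid for the full period from today can now yield one that is already expired.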

nevisIDM 2.90.4.6798025192 - 15.11.2023

Lucene/Elasticsearch related changes

The index structure of the entities was modified during refactoring, which may cause the Hibernate Query component to fail to upgrade without error. Therefore, delete all Lucene/Elasticsearch indexes associated with the nevisIDM instance before starting it. Once started, nevisIDM re-indexes all entities as part of the startup process.

nevisIDM 7.2311.0.6813600371 - 15.11.2023

  • CHANGED: The nevisAuth session API only accepts String attribute values. Previously it was possible to add any value; if it was not a String, a warning was logged and the value was not saved to the database. This change can be tricky with ScriptStates, because Groovy does not type-check the session Map used in the scripts: a non-String value can be added and retrieved inside the script, but a java.lang.ClassCastException happens later. In those cases, check your scripts and change them to store a String value, either by changing your logic or by serialising your object to a String. (NEVISIDM-9089)
  • REMOVED: We removed the jcan-log and jcan-optrace third-party dependencies. OpTrace logging is replaced by OpenTelemetry. (NEVISIDM-9070)
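As an added illustration of the string-only session contract in the item above (example code, not nevisAuth or nevisIDM code): the real session is a Groovy Map inside a ScriptState; here a plain Python dict stands in for it so that a pre-flight check for non-String values and the serialisation fix can be run offline. The function names are this example's own.

```python
"""Added example, not nevisAuth or nevisIDM code: a Python model of the
string-only session contract. A plain dict stands in for the Groovy session Map
of a ScriptState, so the pre-flight check and the serialisation fix can be run
offline. Names (find_non_string_attributes, put_object, get_object) are this
example's own.
"""
import json
from typing import Any, Dict


def find_non_string_attributes(session: Dict[str, Any]) -> Dict[str, str]:
    """Map each attribute whose value is not a str to the name of its type.

    These are the values a script can store and read back without complaint,
    but which fail with java.lang.ClassCastException once the session is
    persisted. Running this check at the end of a script surfaces them where
    they are written, not later in the flow.
    """
    return {
        key: type(value).__name__
        for key, value in session.items()
        if not isinstance(value, str)
    }


def assert_string_only(session: Dict[str, Any]) -> None:
    """Fail fast with the offending keys instead of letting persistence fail later."""
    bad = find_non_string_attributes(session)
    if bad:
        detail = ", ".join(f"{k} ({t})" for k, t in sorted(bad.items()))
        raise TypeError(f"session attributes must be String values: {detail}")


def put_object(session: Dict[str, Any], key: str, value: Any) -> str:
    """Store a structured value under `key` as a canonical JSON string.

    sort_keys and compact separators give a stable representation, so the same
    object always serialises to the same String (useful when the value is
    compared or audited later).
    """
    encoded = json.dumps(value, sort_keys=True, separators=(",", ":"))
    session[key] = encoded
    return encoded


def get_object(session: Dict[str, Any], key: str, default: Any = None) -> Any:
    """Read back a value written with put_object. Missing keys return `default`."""
    raw = session.get(key)
    if raw is None:
        return default
    return json.loads(raw)


if __name__ == "__main__":
    # Constructed sample session with two values a script might set unguarded.
    session: Dict[str, Any] = {"loginId": "alice", "attempts": 3, "roles": ["user", "approver"]}
    print("non-String values:", find_non_string_attributes(session))
    put_object(session, "attempts", session["attempts"])
    put_object(session, "roles", session["roles"])
    assert_string_only(session)  # passes now
    print("roles restored:", get_object(session, "roles"))
```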

Other important changes

nevisIDM 2.83.0.1443644301 - 17.11.2021

  • NEW: Uniqueness scope settings of custom properties imported at startup are verified during startup. (NEVISIDM-7638)
  • CHANGED: User entity deletion now deletes dependent objects and performs the related audit processing in batch mode to enhance performance. (NEVISIDM-7583)
  • CHANGED: Audit logging of consent creation now contains the extId of the terms and the extId of the user. (NEVISIDM-7625)
  • CHANGED: The logging level is now ERROR when the BatchContextRefreshService cannot be started because the configuration file is inaccessible or missing. (NEVISIDM-7523)
  • CHANGED: The Terms and Conditions UI was upgraded to Angular 12 and its dependencies. Also, the UI now uses the new Nevis logo instead of the old one. (NEVISIDM-7509)
  • NEW: nevisIDM now provides a REST service to fetch all consents of a user. For more details, see the REST API documentation. (NEVISIDM-7627)
  • NEW: Elasticsearch support has been introduced in Query REST service as a possible backend alongside the default Lucene. In a multi IDM instance environment this feature is recommended. For new configuration properties, see the reference guide. (NEVISIDM-7547)
  • NEW: Querying users now returns the custom properties of the queried users if the caller has authorization to see them. (NEVISIDM-7577)
  • CHANGED: Second-based indexing has been introduced. Timestamp values can now be filtered with one-second precision. (NEVISIDM-7575)
  • CHANGED: Added the new User.loginInfo field to the Query REST service, populated from the TIDMA_USER_LOGIN_INFO table, with the following properties (NEVISIDM-7575):
  • CHANGED: Added new full-text search indexes to improve the Query REST service. (NEVISIDM-7575)
  • CHANGED: Day-based indexing has been improved to second-based indexing for the following properties: (NEVISIDM-7575)
  • CHANGED: The Query REST service now supports sorting of the user results by name, status, e-mail, last login and last failed login. (NEVISIDM-7576)
  • NEW: New tables are defined for Quartz to support the JDBC job store and the scheduler cluster mechanism. (NEVISIDM-7570)
  • NEW: Added support for database-level configuration of a job store for the scheduler cluster, to enable the same batch context configuration on multiple nevisIDM environments. (NEVISIDM-7570)
  • NEW: The character restriction version of the login identifier can now be configured. By default, the restrictions are used; it is possible to enable accepting all ASCII characters from ! to ~ (ASCII 0x21 to 0x7E). (NEVISIDM-7659)
  • NEW: Added two configuration settings to handle forms with more than 20,000 bytes of content or with more than 333 fields (server.max-form-content-size and server.max-form-keys). (NEVISIDM-7666)

nevisIDM 2.84.0.1816761841 - 16.02.2022

  • NEW: Added the maxCredSuccessCount policy parameter to the Password, Context Password and Device Password policies. It defines the maximum number of successful uses of a credential before the credential becomes disabled. (NEVISIDM-7786)
  • CHANGED: The extId filter in query credential is now case-sensitive to fix related database performance issues. The former full table scan becomes an IIDMA_CREDENTIAL_EXTID index scan. (NEVISIDM-7862)
  • NEW: The URLTicket GET endpoint supports URL prefixes. (NEVISIDM-7679)
  • NEW: Query REST service supports the sorting of users by their first name. (NEVISIDM-7771)
  • NEW: Created new configuration properties application.modules.provisioning.jmsqueue.max-size-bytes and application.modules.provisioning.jmsqueue.page-size-bytes to control the messaging queue paging. (NEVISIDM-7769)
  • NEW: Created five new configuration properties to provide control over encryption and integrity checking when nevisIDM is connecting to an Oracle database. (NEVISIDM-7785)

nevisIDM 2.85.0.2301361554 - 18.05.2022

  • NEW: We added a new endpoint to create a new user and profile with one call. (NEVISIDM-7654)
  • CHANGED: We removed automatic trimming of loginId and emailAddress fields due to security concerns. (NEVISIDM-7514)
  • CHANGED: UpdateCredentialStateJob now supports all credential types with policy types defined for disabling credentials, including generic credentials. (NEVISIDM-7899)
  • CHANGED: Ninja debug logs can be controlled by the trace group ch.nevis.ninja. There is no need to set property server.auth.ninja.log-debug to enable ninja debug mode anymore. (NEVISIDM-8086)
  • CHANGED: Pre-loading custom properties to the database now also supports enum type custom properties. (NEVISIDM-7900)
  • CHANGED: In the Query API, a sorting field referenced without apostrophes now returns 400 Bad Request instead of 500 Internal Server Error. (NEVISIDM-8027)
  • CHANGED: Logging in authstates now uses slf4j 1.7.36 instead of jbc. (NEVISIDM-8012)
  • CHANGED: Writing login information is improved to handle multiple parallel logins. (NEVISIDM-8011)
  • CHANGED: Compression is disabled and MIME types are corrected for all font files (woff, woff2, ttf and eot). (NEVISIDM-8008)
  • NEW: We extended generic credential creation on REST to contain validity information. (NEVISIDM-7898)
  • NEW: We added an endpoint to delete URL-Ticket credentials. (NEVISIDM-7808)
  • NEW: The notification sending method can now be HTML email in addition to email. (NEVISIDM-7973)
  • CHANGED: Query API error handling is now unified with the other API's error handling. (NEVISIDM-7770)
  • CHANGED: LoginId policy violations on the REST interface now return an improved description of the specific policy that is breached. (NEVISIDM-7912)
  • NEW: We created a REST endpoint for clients that returns all the custom properties of the client, with filtering. (NEVISIDM-7995)
  • NEW: We introduced SCIM 2.0 server implementation for exporting and importing identities. For now, only password, generic and ticket credentials are supported. (NEVISIDM-7851)
  • NEW: We introduced the configuration property application.queryservice.instance.index.prefix to configure Elastic/Lucene with instance specific prefix for indices. This enables the use of a single Elastic/Lucene backend by multiple nevisIDM instances. (NEVISIDM-7921)
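Two items in this guide touch the same input-handling question: the configurable character restriction for login identifiers (accepting ASCII ! to ~, 0x21 to 0x7E, in the 2.83.0 notes above) and the removal of automatic trimming of loginId and emailAddress values for security reasons (NEVISIDM-7514, above). The block below is an added example, not nevisIDM code, that models both checks together; the function names are this example's own, and the real policy parameter that selects the restriction version is not shown on the page and is not modelled.

```python
"""Added example, not nevisIDM code: a login identifier check that combines two
items from this guide, the optional character restriction that accepts ASCII
'!' to '~' (0x21 to 0x7E) and the removal of automatic loginId trimming.

The function names are this example's own; the real policy parameter that
selects the restriction version is not shown on the page and is not modelled.
"""
import unicodedata
from typing import Iterable, List, Optional

PRINTABLE_ASCII_MIN = 0x21  # '!'
PRINTABLE_ASCII_MAX = 0x7E  # '~'


def is_printable_ascii_login_id(login_id: str) -> bool:
    """True when every character lies in the '!'..'~' range.

    Nothing is trimmed first: a space (0x20) or any other whitespace makes the
    value invalid instead of being silently removed, so ' alice' can never be
    accepted as a request for alice's account.
    """
    if not login_id:
        return False
    return all(PRINTABLE_ASCII_MIN <= ord(ch) <= PRINTABLE_ASCII_MAX for ch in login_id)


def offending_characters(login_id: str) -> List[str]:
    """List the characters that violate the range, in 'U+XXXX (NAME)' form.

    This is the detail a policy-violation response can carry; it also makes
    invisible characters (zero-width space, non-breaking space) visible to the
    operator, which a plain echo of the rejected value would not.
    """
    bad = []
    for ch in login_id:
        if not PRINTABLE_ASCII_MIN <= ord(ch) <= PRINTABLE_ASCII_MAX:
            bad.append(f"U+{ord(ch):04X} ({unicodedata.name(ch, 'UNNAMED')})")
    return bad


def collides_after_trimming(existing_ids: Iterable[str], candidate: str) -> Optional[str]:
    """Return the existing loginId that `candidate` would map onto if it were
    trimmed, or None. This is the collision that automatic trimming allowed:
    a value that is distinct as sent ('alice ') resolving to another user's
    identifier ('alice') after the whitespace was stripped.
    """
    trimmed = candidate.strip()
    if trimmed == candidate:
        return None
    return trimmed if trimmed in set(existing_ids) else None


if __name__ == "__main__":
    # Constructed sample values.
    for value in ("alice_01!", " alice", "alice\u200b", "\u00c5lice"):
        print(repr(value), is_printable_ascii_login_id(value), offending_characters(value))
    print(collides_after_trimming(["alice", "bob"], "alice "))
```

Because the space character (0x20) lies just below the accepted range, the two changes reinforce each other: a whitespace-padded identifier is rejected with a precise description rather than silently normalised onto another account's identifier.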

nevisIDM 2.86.0.2833457136 - 17.08.2022

  • NEW: Pre-loading clients to the database is supported similar to pre-loading custom properties. (NEVISIDM-8057)
  • NEW: The new configuration property application.dataroom.relaxed.permissions is added; it defines the permissions for which the dataroom check is relaxed. (NEVISIDM-8015)
  • NEW: Bridging of the local ExpiryQueue and DLQ is possible by setting the two properties messaging.remote.expiryQueueUri and messaging.remote.dlqUri, in a similar manner as for the Provisioning queue. (NEVISIDM-8076)
  • NEW: SELinux policy templates are now available at /opt/nevisidm/selinux. (NEVISAPPLIANCE-569)
  • NEW: We added a new type of batch job to fix issues when the default encryption key is used after a new encryption key is set, and some of the credential and property values were not decipherable. (NEVISIDM-8201)
  • CHANGED: The preferred way of pre-loading custom properties to the database now uses a separate file for each property. The old way of putting multiple properties into one file still works, but is deprecated. (NEVISIDM-8057)
  • CHANGED: From now on, you can see the external ID of the incorrect credential in the fault message of the SCIM user creation. (NEVISIDM-8109)
  • CHANGED: Log category of CSRFGuard is changed from Owasp.CsrfGuard to org.owasp. (NEVISIDM-8122)
  • NEW: From now on, the query REST interface can find mTan credentials by attributes such as phone number or credential type. (NEVISIDM-8067)
  • NEW: Admin and SelfAdmin forms are created to manage FIDO2 credentials. (NEVISIDM-7747, NEVISIDM-7748)
  • NEW: The bulkImportFormat parameter was added to the user list endpoint. It returns a ScimBulkRequest with create operations instead of a ScimListResponse, to help with imports. (NEVISIDM-7975)
  • NEW: The UserInfo endpoint supports the HTTP POST method. (NEVISIDM-8142)
  • NEW: FIDO2 credentials are live from now on. (NEVISIDM-8151)
  • NEW: We added a new REST endpoint to update the time of the last user login. The REST endpoint also counts the login attempts with an mTan credential. A successful login resets the failed login counter to 0. (NEVISIDM-7886)
  • NEW: mTan credential is now supported by the SCIM interface. From now on, you can see and send the mTan credential details. (NEVISIDM-7832)
  • NEW: Recovery Code credential is now supported by the SCIM interface. From now on, you can see and send the Recovery Code credential details. (NEVISIDM-7843)
  • NEW: Temporary Strong Password credential is now supported by the SCIM interface. From now on, you can see and send the Temporary Strong Password credential details. (NEVISIDM-7830)
  • NEW: SecurID credential is now supported by the SCIM interface. From now on, you can see and send the SecurID credential details. (NEVISIDM-7827)
  • NEW: Safeword user mapping credential is now supported by the SCIM interface. From now on, you can see and send the Safeword user mapping credential details. (NEVISIDM-7829)
  • NEW: PUK code credential is now supported by the SCIM interface. From now on, you can see and send the PUK code credential details. (NEVISIDM-7834)
  • NEW: We expanded SCIM filtering with properties. From now on, you can send filters for custom global properties. (NEVISIDM-8208)
  • CHANGED: The queryCredentials operation no longer uses the VIDMA_CREDENTIAL_SEARCH_VIEW view for searches for FIDO_UAF credential types; it has its own generated query. (NEVISIDM-8110)
  • NEW: You can now define the following attributes and properties in the IdmCreateUserState user profile: name, extId, remarks, deputedExtId, modificationComment. (NEVISIDM-8103)
  • NEW: We introduced the AuthState service locator V2 failover strategy, see Properties shared among all nevisIDM authentication plug-ins.

nevisIDM 2.87.0.3469446643 - 16.11.2022

  • CHANGED: We introduced Atomikos XA transaction management to avoid provisioning inconsistency. (NEVISIDM-7963)
  • CHANGED: Policy type LoginPolicy is planned to be removed in May 2023. To stay up-to-date with our software versions, make the necessary changes in your configuration, see LoginPolicy.
  • REMOVED: Some Admin CLI commands are removed with the November Rolling Release. For more information, see Administrative command-line interface.
  • CHANGED: As a consequence of the admin CLI changes, the directory structure of the RPM installation also changed: it no longer contains the version number. Consider this when accessing the installed directories, for example when configuring the classpath for nevisAuth.
  • CHANGED: Custom property caching now covers all scopes with the newly introduced distributed event handling. This means that if you have more than one nevisIDM instance, each property definition modification triggers a notification to refresh the cache on all instances. In SCIM, you can filter for the onProfileForApp and onRoleForApp properties as well. (NEVISIDM-8231)
  • REMOVED: We removed the com.microsoft.azure:azure-servicebus library. (NEVISIDM-8121)
  • NEW: We added the com.azure:azure-messaging-servicebus library with version 7.10.1. (NEVISIDM-8121)
  • NEW: The FIDO2 credential is now allowed in the default unit policy. (NEVISIDM-8260)
  • CHANGED: From now on, you can create custom properties with spaces in their name. (NEVISIDM-8071)
  • NEW: Certificate credential is now supported by the SCIM interface. From now on, you can see and send the Certificate credential details. (NEVISIDM-7826)
  • NEW: Fido UAF credential is now supported by the SCIM interface. From now on, you can see and send the Fido UAF credential details. (NEVISIDM-7830)
  • NEW: Context Password credential is now supported by the SCIM interface. From now on, you can see and send the Context Password credential details. (NEVISIDM-7840)
  • NEW: Policy is now supported by the SCIM credential interface. From now on, you can see and send policy external IDs along with credential details.
  • NEW: SCIM search can now search for properties with a space in their name if the property name is enclosed in ' marks. (NEVISIDM-8274)
  • NEW: The SCIM user import now handles profiles that are not given an extId at creation. (NEVISIDM-8290)

nevisIDM 2.88.0.4105994907 - 15.02.2023

  • CHANGED: The nevisIDM REST client factory (class ch.nevis.idm.client.IdmRestClientFactory) is now a Singleton which means you have to adapt your Groovy scripts to access nevisIdm. The new client supports connection pooling and uses the new HttpClient provided by nevisAuth which gives additional configuration options. (NEVISIDM-8612)
  • CHANGED: The default size of the JMS Connection Pool changed from 1 to 10 and is configurable in nevisidm-prod.properties. This was necessary because with the original value the JMS template built a new connection for each message, which took a lot of heap and processing time. (NEVISIDM-8507)
  • CHANGED: We replaced the HTTP session with a cache for the SOAP and REST services to hold authentication data. This greatly reduces memory consumption. (NEVISIDM-8524)
  • CHANGED: We improved the performance of certificate login. (NEVISIDM-8487)
  • NEW: We enabled prepared statement caching to improve performance. (NEVISIDM-8480)
  • NEW: We reworked UpdateUserStateJob. The configuration did not change. (NEVISIDM-4399)
  • CHANGED: Policy search performance is improved by using the table directly instead of the view. (NEVISIDM-8572)
  • NEW: The IDMCreateCredential AuthState now has a new parameter addPolicyViolationsToNotes. If set to true, the AuthState adds the failed policy verifications to the notes section of its output. (PAT-185)
  • NEW: nevisIDM officially supports MariaDB 10.6. (NEVISIDM-8545)
  • NEW: From now on, the PDF file is sent to /tmp/printing when an OTP card with the PDFstore sending method is created.
  • NEW: Kerberos credential is now supported by the SCIM interface. From now on, you can see and send the Kerberos credential details. (NEVISIDM-7831)
  • NEW: Vasco credential is now supported by the SCIM interface. From now on, you can see and send the Vasco credential details. (NEVISIDM-7833)
  • NEW: URL Ticket credential is now supported by the SCIM interface. From now on, you can see and send the URL Ticket credential details. (NEVISIDM-7835)
  • NEW: Device Password credential is now supported by the SCIM interface. From now on, you can see and send the Device Password credential details. (NEVISIDM-7836)
  • NEW: Mobile Signature credential is now supported by the SCIM interface. From now on, you can see and send the Mobile Signature credential details. (NEVISIDM-7837)
  • NEW: Oath credential is now supported by the SCIM interface. From now on, you can see and send the Oath credential details. (NEVISIDM-7841)
  • NEW: One Time Password (OTP) credential is now supported by the SCIM interface. From now on, you can see and send the OTP credential details. (NEVISIDM-8630)
  • NEW: SAML federation credential is now supported by the SCIM interface. From now on, you can see and send the SAML federation credential details. (NEVISIDM-7838)
  • NEW: Security question credential is now supported by the SCIM interface. From now on, you can see and send the Security Question credential details. (NEVISIDM-7839)
  • NEW: The endpoint login-info is added to the User REST Services for updating login information. UserGetDTO is extended with the lastSuccessfulLoginDate, and lastFailedLoginDate attributes. (NEVISIDM-8616)
  • NEW: Verify password auth REST service is introduced. (NEVISIDM-8617)
  • NEW: Verify device password auth REST service is introduced. (NEVISIDM-8618)
  • NEW: Verify context password auth REST service is introduced. (NEVISIDM-8619)
  • NEW: From now on, you can filter SCIM users by credential-specific attributes. (NEVISIDM-8629)
  • NEW: To align the IDM AuthStates TLS key material configuration with the new HttpClient configuration options in nevisAuth, new properties are available. Note that the IDM AuthStates still use the SOAP client, so the available options are limited to TLS. For more information, see the migration guide. (NEVISIDM-8612)
  • NEW: We introduced the database.connection.xa.enabled configuration to allow switching off XA when provisioning is disabled. (NEVISIDM-8562)

nevisIDM 2.88.1.4678820627 - 19.04.2023

  • CHANGED: Read-only transactions use a non-XA datasource. (NEVISIDM-8773)
    • Two DB pools are initiated if XA is enabled:
      • You can configure the non-XA pool independently; the read-only database can be a replica, completely independent of the read-write database;
      • If there is no configuration for the non-XA pool, the main configuration attributes (XA pool configuration) are used;
      • See the new configuration attributes in DB connection and DB connection pooling;
    • Only one DB pool is initiated if XA is disabled.

nevisIDM 2.89.0.4955612706 - 17.05.2023

  • NEW: Reference data now contains nevisMeta application with admin and user roles. Bootstrap user has the role nevisMeta.admin. (NEVISIDM-8788)
  • NEW: Configuration property application.scim.idm.uri added to customize SCIM Meta Location URIs. (NEVISIDM-8863)
  • NEW: Reference data now contains two new generic notification e-mail templates for nevisAdapt with the communication event types USER_NOTIFICATION_17, and USER_NOTIFICATION_20. (NEVISIDM-8806)

nevisIDM 2.90.0.5832994866 - 16.08.2023

  • NEW: Fido UAF policy introduced. If you use IDM on an existing instance, create a default FIDO UAF policy for every client where FIDO UAF credentials are allowed. (NEVISIDM-8926)
  • CHANGED: We refactored the application history searches. The database view VIDMH_APPL_HISTORY_SEARCH_VIEW is deprecated. (NEVISIDM-8819)
  • CHANGED: We refactored the personal question and personal answer searches. The database views VIDMA_PERSQUESTION_SEARCH_VIEW and VIDMA_PERSANSWER_SEARCH_VIEW are deprecated. Searches are using TIDMA_PERSONAL_QUESTION, TIDMA_PERSONAL_ANSWER and their related tables directly. (NEVISIDM-8827)
  • CHANGED: We refactored and simplified the Login ID generator. nevisIDM no longer uses the GENERATE_LOGIN_ID stored procedure. The generator uses TIDMA_LOGIN_ID_GENERATION directly and no longer queries the TIDMA_USER table for possible key collisions, which caused very high resource consumption and possible deadlocks. (NEVISIDM-8924)
  • CHANGED: We refactored the policy configuration and policy parameter searches. The database views VIDMA_POLICY_CFG_SEARCH_VIEW and VIDMA_POLICY_PARAM_SEARCH_VIEW are deprecated. Searches are using TIDMA_POLICY_CONFIGURATION, TIDMA_POLICY_PARAMETER and their related tables directly. (NEVISIDM-8828)
  • CHANGED: We refactored the role related search. The database views VIDMA_ROLE_MAY_ASSIGN_VIEW, VIDMA_ROLE_MAY_ASSIGN_VIEW_MINUS and VIDMA_ROLE_SEARCH_VIEW are deprecated. (NEVISIDM-8831)
  • CHANGED: We refactored the SAML Federation searches. The database view VIDMA_SAML_SEARCH_VIEW is deprecated. (NEVISIDM-8832)
  • FIXED: fidouaf_user_agent property is inserted on new instances. (NEVISIDM-8975)
  • CHANGED: The database trigger for MariaDB was reworked so that it does not lock the TIDMA_USER table. (NEVISIDM-8943)
  • CHANGED: We refactored the client searches and client application assignment searches. The database views VIDMA_CLIENT_APP_SEARCH_VIEW and VIDMA_CLIENT_SEARCH_VIEW are deprecated. Searches are using TIDMA_CLIENT, TIDMA_CLIENT_APPLICATION and their related tables directly. (NEVISIDM-8822)
  • CHANGED: We refactored the application history searches. The database view VIDMH_APPLICATION is deprecated. Searches are using TIDMA_APPLICATION_V and its related tables directly. (NEVISIDM-8836)
  • CHANGED: We refactored the user count by enterprise role and user search by roles. The database views VIDMA_USER_COUNT_BY_EROLE and VIDMA_USER_ROLE_SEARCH_VIEW are deprecated. Searches are using TIDMA_AUTHORIZATION, TIDMA_ENTERPISE_AUTH and their related tables directly. (NEVISIDM-8835)
  • CHANGED: We refactored the user searches. The database view VIDMA_USER_SEARCH_VIEW is deprecated. Searches are using TIDMA_USER and its related tables directly. (NEVISIDM-8708)
  • CHANGED: We refactored the profile searches. The database views VIDMA_PROFILE_DICT_SEARCH, VIDMA_PROFILE_SEARCH_VIEW, VIDMA_PROFILE_BY_ALL_ROLE_SRCH, VIDMA_PROFILE_BY_APPLDR_SEARCH, VIDMA_PROFILE_BY_DR_SEARCH, VIDMA_PROFILE_BY_EROLE_SEARCH, VIDMA_PROFILE_BY_EROLEDR_SRCH, VIDMA_PROFILE_BY_ROLE_SEARCH, VIDMA_PROFILE_BY_UNIT_SEARCH, VIDMA_PROFILE_BY_UNITDR_SEARCH, VIDMA_PROFILE_BY_UNITDRS_SRCH are deprecated. Searches are using TIDMA_PROFILE and its related tables directly. (NEVISIDM-8765, NEVISIDM-8829)
  • CHANGED: When a credential's policy is changed its validity is recalculated with the new policy. (NEVISIDM-8926)
  • CHANGED: The format of Recovery Codes UsageDate is changed to ISO 8601 date and time format. (NEVISIDM-8792)
  • NEW: On Vasco Credential management screen there is an additional column to unassign the Vasco Token from its user. (NEVISIDM-8925)
  • NEW: We have expanded the endpoint for retrieving units by their client to include filtering options. You can now filter units by their name, hname, extid, state, location and description fields. (NEVISIDM-8935)
  • CHANGED: MariaDB-related SQL scripts were moved to a specific folder. (NEVISIDM-8930)
  • CHANGED: Report generators were refactored. (NEVISIDM-8753)
    • The Units report no longer uses VIDMA_UNIT_SEARCH_VIEW. It uses TIDMA_UNIT and related tables directly.
    • The Applications report no longer uses VIDMA_APPLICATION_SEARCH_VIEW. It uses TIDMA_APPLICATION and related tables directly.
    • The Users report no longer uses VIDMA_REPORT_USER_VIEW. It uses TIDMA_USER and related tables directly.
    • The Users per application report no longer uses VIDMA_USERPERAPPL_VIEW. It uses the new view VIDMA_USER_AUTHORIZATIONS.
      • The report is extended with enterprise role information. (NEVISIDM-8866 / EJPDIDMSUP-11)
    • The Applications per user report no longer uses VIDMA_APPLPERUSER_VIEW. It uses the new view VIDMA_USER_AUTHORIZATIONS.
      • The report is extended with enterprise role information. (NEVISIDM-8866 / EJPDIDMSUP-11)
    • The Users per credential report no longer uses VIDMA_USERPERCRED_VIEW. It uses TIDMA_CREDENTIAL and related tables directly.
    • The Data room report no longer uses VIDMA_DR_REPORT_VIEW. It uses TIDMA_AUTHORIZATION and related tables directly.
      • Ordering corrected for better clarity:
        • The fifth ordering element is the user's profile name;
        • Data room elements are displayed consecutively: first the client, then the unit level, and so on.
  • NEW: The IDMRestInterface for authStates in nevisidmcl is extended with new methods to handle requests and responses with complex objects. (NEVISIDM-8991)
  • NEW: New property requirePasswordConfirmation added to IdmPasswordResetState, with default value true. If set to false the AuthState does not require confirmation of the new password. (NEVISIDM-9004)

nevisIDM 2.90.3.6566055173 - 24.10.2023

  • CHANGED: Database migration now creates a Default FIDO Policy for the Default Client if it previously did not have one created from refdata. (NEVISIDM-8926) Info: If you already defined a default FIDO UAF Policy, delete the newly added policy.

nevisIDM 2.90.4.6798025192 - 15.11.2023

  • CHANGED: Enterprise Role History shows all assignments of a Role, not just the latest one. (NEVISIDM-9184)
  • CHANGED: User deletion performance is improved when many onProfileForAppGlobal and onProfileForApp properties are assigned. (NEVISIDM-9164)
  • CHANGED: Provisioning, DLQ and ExpiryQueue connections verify the certificate's host name if SSL is used. (NEVISIDM-9133)
  • CHANGED: We refactored the client history displays. The database view VIDMH_CLIENT is deprecated. The display now uses TIDMA_CLIENT_V and its related tables directly. (NEVISIDM-8838)
  • CHANGED: We refactored the personal answer displays. The database view VIDMH_PERSONAL_QUESTION is deprecated. The display now uses TIDMA_PERSONAL_QUESTION_V and its related tables directly. (NEVISIDM-8841)
  • CHANGED: We refactored the Property History related displays. The database views VIDMH_PROPERTY_ALLOWED_UNIQUE, VIDMH_PROPERTY, VIDMH_PROPERTY_UNIQUE, VIDMH_PROPERTY_VALUE_UNIQUE are deprecated. Search now uses TIDMA_PROPERTY_ALLOWED_VAL_V, TIDMA_PROPERTY_V, TIDMA_PROPERTY_VALUE_V and their related tables directly. (NEVISIDM-8844)
  • CHANGED: We refactored the template and template collection searches. The database views VIDMA_TEMP_COLL_MANAGER, VIDMA_TMPLCOLL_SEARCH_VIEW, VIDMA_TEMPLATE_DEFAULT, VIDMA_TMPL_SEARCH_VIEW and the stored query VIDMA_TEMPL_DEFAULT_SUB are deprecated. Searches use TIDMA_TEMPLATE, TIDMA_TEMPLATE_COLLECTION and their related tables directly. (NEVISIDM-8833)
  • CHANGED: We refactored the credential history related searches. The database views VIDMH_CREDENTIAL, VIDMH_CREDENTIAL_UNIQUE, VIDMH_CRED_LOGIN_INFO, VIDMH_CRED_LOGIN_INFO_UNIQUE, and their stored queries are deprecated. Searches use TIDMA_CREDENTIAL_V and TIDMA_CRED_LOGIN_INFO_V and their related tables directly. (NEVISIDM-8839)
  • CHANGED: We refactored the profile history related searches. The database views VIDMH_PROFILE, VIDMH_PROFILE_UNIQUE and their stored queries are deprecated. Searches use the TIDMA_PROFILE_V and its related tables directly (NEVISIDM-8843).
  • CHANGED: We refactored the persistent queue related searches. The database view VIDMA_PERSIST_QUEUE_SEARCH is deprecated. (NEVISIDM-8826)
  • CHANGED: We refactored the credential related search. Search uses the database view VIDMA_CREDENTIAL_SEARCH_VIEW and its related tables directly. (NEVISIDM-8823, NEVISIDM-9111)
  • CHANGED: We refactored the unit credential policy related search. The database view VIDMA_UNIT_CRED_POLICY_SEARCH is deprecated. Search uses the TIDMA_UNIT_CRED_POLICY and its related tables directly. (NEVISIDM-8834)
  • CHANGED: We refactored the data authorization related search. The database view VIDMA_DATA_AUTH_SEARCH_VIEW is deprecated. Search uses the TIDMA_PROFILE and its related tables directly. (NEVISIDM-8824)
  • CHANGED: We refactored the policy configuration history and policy parameter history related searches. The database views VIDMH_POLICY_CONFIGURATION, VIDMH_POLICY_PARAMETER are deprecated. Searches use TIDMA_POLICY_CONFIGURATION_V, TIDMA_POLICY_PARAMETER_V and their related tables directly. (NEVISIDM-8842)
  • CHANGED: We refactored the unit history related search. The database view VIDMH_UNIT and its stored queries are deprecated. Search uses the TIDMA_UNIT_V and its related tables directly. (NEVISIDM-8846)
  • CHANGED: We refactored the Enterprise Authorization History and Enterprise Role History handling. The database views VIDMH_ENTERPRISE_AUTH, VIDMH_ENTERPRISE_AUTH_UNIQUE, VIDMH_ENTERPRISE_ROLE, VIDMH_EROLE_MEMBER_UNIQUE are deprecated. Display now uses TIDMA_ENTERPRISE_AUTH_V, TIDMA_ENTERPRISE_ROLE_V, TIDMA_EROLE_MEMBER_V and their related tables directly. (NEVISIDM-8840)
  • CHANGED: We refactored the Authorization related searches. The database views VIDMA_AUTH_APPL_SEARCH, VIDMA_AUTH_CLIENT_SEARCH, VIDMA_AUTH_EROLE_SEARCH, VIDMA_AUTH_UNIT_SEARCH are deprecated. Search now uses TIDMA_AUTHORIZATION_APPL, TIDMA_AUTHORIZATION_CLIENT, TIDMA_AUTHORIZATION_EROLE, TIDMA_AUTHORIZATION_UNIT and their related tables directly. (NEVISIDM-8821)
  • CHANGED: We refactored the authorization related search. The database views VIDMA_AUTHORIZATION_SEARCH and VIDMA_AUTH_DICT_SEARCH are deprecated. Searches use the new view VIDMA_AUTHORIZATION and its related tables directly. (NEVISIDM-8820)
  • CHANGED: We refactored the Enterprise Authorization and Enterprise Role handling. The database views VIDMA_EAUTH_SEARCH_VIEW, VIDMA_EROLE_MB_MAY_ASSIGN_VIEW, VIDMA_EROLE_MEMBER_SEARCH_VIEW, VIDMA_EROLE_MEMBER_SEARCH_VIEW are deprecated. Search and display now use TIDMA_ENTERPRISE_AUTH, TIDMA_ENTERPRISE_ROLE, TIDMA_EROLE_MEMBER and their related tables directly. (NEVISIDM-8825)
  • CHANGED: We refactored the Role handling. The database views VIDMH_ROLE, VIDMH_ROLE_UNIQUE are deprecated. Display now uses TIDMA_ROLE and its related tables directly. (NEVISIDM-8845)
  • CHANGED: We refactored the User History and User Login Info History handling. The database views VIDMH_USER, VIDMH_USER_LOGIN_INFO, VIDMH_USER_LOGIN_INFO_UNIQUE are deprecated. Display now uses TIDMA_USER_V, TIDMA_USER_LOGIN_INFO_V and their related tables directly. (NEVISIDM-8847)
  • CHANGED: We refactored the Property related searches. The database views VIDMA_PROP_ALD_VAL_SEARCH_VIEW, VIDMA_PROP_LANG_SEARCH, VIDMA_PROPERTY_SEARCH_VIEW, VIDMA_PROPERTY_VALUE_SEARCH are deprecated. Searches use TIDMA_PROPERTY_ALLOWED_VAL, TIDMA_PROPERTY, TIDMA_PROPERTY_VALUE and their related tables directly. (NEVISIDM-8830)
  • NEW: Added ch.nevis.idm.restException and ch.nevis.idm.soapException logs to log all exceptions on REST and SOAP interfaces. (NEVISIDM-9014)
  • NEW: Added the new configuration property database.connection.healthcheck.refresh, which enables refreshing the connection pools before the health endpoint is served. (NEVISIDM-9016)

nevisIDM 7.2402.0.7902594534 - 21.02.2024

  • NEW: The encryption settings can now be set per Client. (NEVISIDM-9218)
  • NEW: We enhanced nevisIDM roles with credential-type specific permissions, allowing precise control over elementary rights tailored to specific credential types. Mobile Signature policy parameters create.restrictedRoles and modify.restrictedRoles are deprecated and will be removed in future versions. For further information: Credential-type specific permissions of nevisIDM roles. (NEVISIDM-9280)
  • NEW: We added dispatchTargetExtId field to Fido UAF credential. (NEVISIDM-9287)
  • NEW: We added the new fields neverLoggedInDaysNoActivity and neverLoggedInGracePeriod to UpdateUserStateJob. (NEVISIDM-9052)
  • NEW: We added the new notification NevisAdapt Notification with default Templates. (NEVISIDM-9082)
  • NEW: The application nevisAdapt is added to the IDM database. (NEVISIDM-9103)
  • NEW: We added the new configuration-property web.gui.textcrop.size to control multiline cropping. (NEVISIDM-9195)
  • NEW: We added client level filtering for Fido UAF credential. (NEVISIDM-9219)
  • CHANGED: The sizes of the name columns of the user table and its history tables are increased. (NEVISIDM-9304)
    • TITLE field is increased from 20 to 64 characters;
    • NAME field is increased from 100 to 120 characters;
    • FIRST_NAME field is increased from 50 to 100 characters.
caution

We recommend applying this migration during a maintenance window, because index recreation can cause high load. On Oracle databases, the IIDMA_USER_FIRST_NAME_UP index must be dropped before the FIRST_NAME column is altered (the nevisidmdb tool does this). If you have other function-based indexes on the FIRST_NAME column (or on the TITLE or NAME columns), the migration fails until you drop them manually.
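
The following Oracle query is an added pre-migration check, not part of the nevisIDM documentation or the nevisidmdb tool. It lists every index that covers the TITLE, NAME or FIRST_NAME column, including function-based indexes whose expression (for example UPPER(FIRST_NAME)) hides the column behind a SYS_NC virtual column, so that you can see what has to be dropped before the column widening runs. It assumes you are connected as the nevisIDM schema owner (hence the USER_* dictionary views) and that the user table is TIDMA_USER with history table TIDMA_USER_V; neither table name is stated in this guide, so adjust them to your schema.

```sql
-- Added pre-migration check (not from the nevisIDM docs or the nevisidmdb tool).
-- Run as the nevisIDM schema owner; USER_* views show only that schema's objects.
-- Table names are assumptions: adjust TIDMA_USER / TIDMA_USER_V to your schema.
SELECT i.index_name,
       i.index_type,                 -- 'FUNCTION-BASED NORMAL' marks the ones that block the migration
       i.table_name,
       ic.column_position,
       ic.column_name,               -- SYS_NC...$ for function-based index columns
       ie.column_expression          -- the expression, e.g. UPPER("FIRST_NAME")
  FROM user_indexes i
  JOIN user_ind_columns ic
    ON ic.index_name = i.index_name
  LEFT JOIN user_ind_expressions ie
    ON ie.index_name      = ic.index_name
   AND ie.column_position = ic.column_position
 WHERE i.table_name IN ('TIDMA_USER', 'TIDMA_USER_V')
   AND (ic.column_name IN ('TITLE', 'NAME', 'FIRST_NAME')
        OR i.index_type LIKE 'FUNCTION-BASED%')
 ORDER BY i.table_name, i.index_name, ic.column_position;

-- For each function-based index the query returns on these columns (other than
-- IIDMA_USER_FIRST_NAME_UP, which nevisidmdb drops itself), record the expression,
-- drop the index before running the migration, and recreate it afterwards:
--   DROP INDEX <index_name_from_query_above>;
```

Function-based indexes show their column as a generated SYS_NC name in USER_IND_COLUMNS, which is why the query does not filter on column_name alone but also keeps every function-based index on the table and exposes the expression for review; COLUMN_EXPRESSION is a LONG column in Oracle, so it cannot be filtered with LIKE in the WHERE clause and has to be inspected in the result.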

nevisIDM 7.2405.0.9032132306 - 15.05.2024

  • NEW: Credential-type specific permissions have been extended with AccessControl.CredentialSearch. From now on, it is possible to grant CredentialSearch for specific credential types only. For further information: Credential-type specific permissions of nevisIDM roles. (NEVISIDM-9309)
  • NEW: The OpenTelemetry spanId and traceId are added to the audit log if OpenTelemetry is configured. (NEVISIDM-9480)
  • CHANGED: Refactored dataroom handling to evaluate each dataroom check separately in SQL instead of combining them. (NEVISIDM-9408)
  • CHANGED: Refactored the JMS Bridge to use its internal status to check for potential disconnections, thus providing improved stability. (NEVISIDM-9319)
  • CHANGED: Refactored the way IDM retrieves data from the persistent queue. (NEVISIDM-9502)
  • NEW: You can configure an external JMS server for provisioning instead of using the embedded Artemis server and JMS bridging. (NEVISIDM-9474)
    • If you configure an external JMS server, the embedded Artemis instance is not started.
    • New configuration properties introduced:
      • application.modules.provisioning.connection.factory.classname: connection factory class name; e.g. org.apache.activemq.artemis.jms.client.ActiveMQXAConnectionFactory
      • application.modules.provisioning.connection.factory.xa.properties: initialization properties for previous factory class; e.g. {"brokerURL": "https://artemis-server:61616", "user": "producer", "password": "secret"}
      • application.modules.provisioning.destination.classname: JMS destination class name; e.g. org.apache.activemq.artemis.jms.client.ActiveMQQueue
      • application.modules.provisioning.destination.name: JMS queue name; constructor parameter for previous class; e.g. Provisioning
      • application.modules.provisioning.destination.properties: possible initialization properties for the destination class
      • There is no default value for these properties. The default behavior is to start and use the embedded Artemis JMS server.
      • ATTENTION: The configured connection factory must implement jakarta.jms.XAConnectionFactory and the destination must implement jakarta.jms.Destination!
  • NEW: The OpenTelemetry span and related OpTrace logging can contain the SOAP and REST request and response bodies. (NEVISIDM-9488)
    • New configuration property introduced:
      • add.request.and.response.body.to.opentelemetry: whether to add the bodies or not; false by default
      • ATTENTION:
        • Processing the complete request and response bodies can reduce performance!
        • The complete request and response bodies can contain sensitive information!
        • It only works if you use the OpenTelemetry extension agent and the OpTrace logger is configured to TRACE, or if you view the body contents in Jaeger or a similar tool!
  • NEW: The endpoint {userExtId}/credentials is added to the User REST Services to search for the credentials of the user with given extId. (NEVISIDM-9458)
  • NEW: Added a new endpoint to ClientsRestService to find and delete generic credentials. (NEVISIDM-9485)
  • NEW: SCIM is now able to filter or order users by meta.created and meta.lastModified fields. (NEVISIDM-9473)
  • REMOVED: The constant TokenSignature.DFLT_ALGORITHM using SHA1 was removed from jcan-sectoken, use the value SHA256withRSA instead. (NEVISIDM-9456)
  • NEW: nevisIDM supports multi-line JAVA_OPTS parameters in conf/env.conf. (NEVISIDM-9490)
  • NEW: If add.request.and.response.body.to.opentelemetry is set to true, nevisIDM logs the request and response body to OpenTelemetry. (NEVISIDM-9491)
  • NEW: Introduced the new configuration properties database.connection.healthcheck.retrydelay and database.connection.healthcheck.retrycount to better control the behaviour when the healthcheck is called during connection pool maintenance. (NEVISIDM-9494)
  • NEW: Added the new configuration properties application.modules.provisioning.connection.factory.classname, application.modules.provisioning.connection.factory.xa.properties, application.modules.provisioning.destination.classname, application.modules.provisioning.destination.name and application.modules.provisioning.destination.properties to make the JMS connection more configurable. (NEVISIDM-9474)
  • NEW: Introduced the rest.display.timezone configuration property to set the timezone for date and time attributes in the REST API responses. For further information: rest.display.timezone. (NEVISIDM-9450)
  • NEW: Introduced the new configuration property application.config.credentialTypesToBeLockedInDatabase to provide fine-grained control over which credential types are locked during the uniqueness check. (NEVISIDM-9330)