Version: 7.2405.x.x LTS

Release notes

nevisIDM Release 7.2405.1.9265059647 - 26.06.2024

Application version: 7.2405.1.9265059647
Minimal required database schema version: 7.23
Maximal supported database schema version: 7.x

General/Core

  • NEW: FIDO2 Patch now works correctly with Oracle SQL Database. (NEVISIDM-9594)

nevisIDM 7.2405.0.9032132306 - 15.05.2024

Application version: 7.2405.0.9032132306
Minimal required database schema version: 7.23
Maximal supported database schema version: 7.x

Breaking changes

General changes and new features

General/Core

  • UPGRADED: We updated Jetty to 12.0.6. (NEVISIDM-9448)
  • UPGRADED: We updated Netty to 4.1.108.Final.
  • UPGRADED: We updated Spring Framework to 6.0.19. (NEVISIDM-9487)
  • UPGRADED: We updated CXF to 4.0.4. (NEVISIDM-9487)
  • UPGRADED: We updated PostgreSQL Driver to 42.6.1.
  • UPGRADED: We upgraded Commons-configuration2 to 2.10.1. (NEVISIDM-9470)
  • NEW: Credential-type specific permissions have been extended with AccessControl.CredentialSearch. From now on, CredentialSearch can be granted for specific credential types only. For further information: Credential-type specific permissions of nevisIDM roles. (NEVISIDM-9309)
  • NEW: The OpenTelemetry spanId and traceId are added to the audit log if OpenTelemetry is configured. (NEVISIDM-9480)
  • FIXED: Potential performance issues related to getting generic credentials have been resolved. (NEVISIDM-9295)
  • FIXED: Corrected issues with pagination of FIDO UAF credentials. (NEVISIDM-9315)
  • FIXED: In Kubernetes, nevisIDM now saves Asynchronous Email Sending into the persistent event queue. Previously, nevisIDM with an OracleSQL or PostgreSQL database did not save it into the persistent event queue, making Asynchronous Email Sending impossible. (NEVISIDM-9476)
  • CHANGED: Refactored dataroom handling to use separate dataroom tests in SQL instead of summarizing them. (NEVISIDM-9408)
  • CHANGED: Refactored the JMS Bridge to use its internal status to check for potential disconnections, thus providing improved stability. (NEVISIDM-9319)
  • CHANGED: Refactored the way IDM retrieves data from the persistent queue. (NEVISIDM-9502)
  • UPGRADED: CredentialType dropdowns in the GUI now list only the CredentialTypes for which the signed-in user has the required credential-type specific right. See Credential-type specific permissions. (NEVISIDM-9500)
  • UPGRADED: Extended the CredentialGetDto classes with the following 9 credential types: Ticket, Otp, TempStringPassword, Vasco, PUK, DevicePassword, MobileSignature, SamlFederation, SecurityQuestions. They can be queried with the new endpoint {userExtId}/credentials of the User REST service. (NEVISIDM-9479)
  • FIXED: The JMS bridge feature was refactored to avoid high resource consumption when the bridge target is not sufficiently stable. (NEVISIDM-9319)
    • Bridge status added to the health endpoint.
      • The health endpoint counts unsuccessful restart attempts and reports the bridge as down once the count reaches 10, otherwise as up.
      • A successful reconnection to the bridge target resets the counter.
    • New configuration properties introduced:
      • messaging.bridge.failure.retry.interval: passed to org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl as the failureRetryInterval property; default 10000
      • messaging.bridge.max.retries.on.failure: passed to the same JMSBridgeImpl class as the maxRetries property; default 6
    • Before this refactoring, maxRetries was hard-coded to -1 and failureRetryInterval to 1000.
      • This meant the bridge retried the connection every second indefinitely, while a reinitializer algorithm tried to stop the bridge and re-instantiate it.
      • Unfortunately, the previous bridge instances did not shut down properly, so a lot of memory and other resources were never freed.
    • The current implementation instantiates the bridge only once.
      • If the bridge loses its running state (as determined by the newly introduced configuration), nevisIDM tries to start it again.
      • The health endpoint counts these restart attempts.
  • NEW: You can configure an external JMS server for provisioning instead of using the embedded Artemis server and JMS bridging. (NEVISIDM-9474)
    • If you configure an external JMS server, the embedded Artemis instance is not started.
    • New configuration properties introduced:
      • application.modules.provisioning.connection.factory.classname: connection factory class name; e.g. org.apache.activemq.artemis.jms.client.ActiveMQXAConnectionFactory
      • application.modules.provisioning.connection.factory.xa.properties: initialization properties for previous factory class; e.g. {"brokerURL": "https://artemis-server:61616", "user": "producer", "password": "secret"}
      • application.modules.provisioning.destination.classname: JMS destination class name; e.g. org.apache.activemq.artemis.jms.client.ActiveMQQueue
      • application.modules.provisioning.destination.name: JMS queue name; constructor parameter for previous class; e.g. Provisioning
      • application.modules.provisioning.destination.properties: possible initialization properties for the destination class
      • There is no default value for these properties. The default behavior is to start and use the embedded Artemis JMS server.
      • ATTENTION: The configured connection factory must implement jakarta.jms.XAConnectionFactory and destination must implement jakarta.jms.Destination!
  • NEW: The OpenTelemetry span and related OpTrace logging can contain the SOAP and REST request and response bodies. (NEVISIDM-9488)
    • New configuration property introduced:
      • add.request.and.response.body.to.opentelemetry: whether to add the bodies; false by default
      • ATTENTION:
        • Processing the complete request and response bodies can reduce performance!
        • The complete request and response bodies may contain sensitive information!
        • It works only if you use the OpenTelemetry extension agent and the OpTrace logger is configured to TRACE, or you can view the body contents in Jaeger or a similar tool!
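The JMS bridge item above describes the health counter only in words. The following is an added illustration, not nevisIDM source code: a small model of that counter that lets an operator work out when /health will start reporting the bridge as down with a given failure.retry.interval and max.retries.on.failure. The release note does not say how much wall time one failed restart attempt consumes; the model assumes that each restart lets JMSBridgeImpl retry maxRetries times at failureRetryInterval before the bridge counts as not running, and that assumption is marked in the code.

```python
"""Model of the JMS bridge health counter described in the nevisIDM 7.2405
release notes.  Added illustration, not nevisIDM code.  The mapping of one
failed restart to max_retries * failure_retry_interval of wall time is an
assumption (see restart_attempt())."""
from dataclasses import dataclass

# From the release note: the health endpoint reports the bridge as down once
# the count of unsuccessful restart attempts reaches 10.
DOWN_THRESHOLD = 10


@dataclass
class BridgeHealth:
    # Defaults of the two new properties from the release note.
    failure_retry_interval_ms: int = 10_000   # messaging.bridge.failure.retry.interval
    max_retries_on_failure: int = 6           # messaging.bridge.max.retries.on.failure
    failed_restarts: int = 0                  # counter exposed by the health endpoint
    outage_ms: int = 0                        # simulated wall time spent retrying

    def status(self) -> str:
        """Health endpoint verdict: DOWN at DOWN_THRESHOLD failed restarts, else UP."""
        return "DOWN" if self.failed_restarts >= DOWN_THRESHOLD else "UP"

    def restart_attempt(self, target_reachable: bool) -> str:
        """One attempt by nevisIDM to start the bridge again after it lost its
        running state.  Assumption: JMSBridgeImpl first retries the target
        max_retries_on_failure times, failure_retry_interval_ms apart, before
        the bridge counts as not running and the attempt is recorded as failed."""
        if target_reachable:
            self.failed_restarts = 0          # successful reconnection resets the counter
        else:
            self.outage_ms += self.max_retries_on_failure * self.failure_retry_interval_ms
            self.failed_restarts += 1
        return self.status()


def simulate(outcomes, **settings):
    """Feed a constructed sequence of reconnect results (True = target reachable)
    through the counter and return the health verdict after each attempt."""
    health = BridgeHealth(**settings)
    return [health.restart_attempt(ok) for ok in outcomes]


def seconds_until_down(interval_ms=10_000, max_retries=6):
    """Worst-case length of a continuous outage before the health endpoint flips
    to DOWN, under the assumption in restart_attempt().  The pre-7.2405 settings
    (maxRetries -1, interval 1000) never give up, so the counter is never reached."""
    if max_retries < 0:
        return float("inf")
    return DOWN_THRESHOLD * max_retries * interval_ms / 1000


if __name__ == "__main__":
    # Ten consecutive failures: UP for nine attempts, DOWN on the tenth.
    print(simulate([False] * 10))
    # A successful reconnection in between resets the count.
    print(simulate([False] * 9 + [True] + [False] * 3))
    print(seconds_until_down())            # 600.0 with the defaults
    print(seconds_until_down(1000, -1))    # inf: the old hard-coded behaviour
```

With the defaults this gives roughly ten minutes of continuous outage before the health endpoint reports the bridge as down, so an alert rule that fires only on DOWN will be late by that much; lowering messaging.bridge.max.retries.on.failure shortens the window at the cost of more frequent bridge restarts.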

Auth States

General/Core

Web GUI

  • FIXED: Improved performance of the Users per Application report. (NEVISIDM-9451)
  • FIXED: Improved performance of the Assign Roles to Profile page. (NEVISIDM-9377)
  • FIXED: The search function on the Vasco Administration tab now works correctly. (NEVISIDM-9513)

REST API

  • NEW: The endpoint {userExtId}/credentials is added to the User REST Services to search for the credentials of the user with given extId. (NEVISIDM-9458)
  • NEW: Added a new endpoint to find and delete generic credentials to ClientsRestService. (NEVISIDM-9485)

SCIM API

  • NEW: SCIM is now able to filter or order users by meta.created and meta.lastModified fields. (NEVISIDM-9473)

Web Services

Auth States

  • REMOVED: The constant TokenSignature.DFLT_ALGORITHM using SHA1 was removed from jcan-sectoken; use the value SHA256withRSA instead. (NEVISIDM-9456)

Configuration

  • NEW: nevisIDM supports multi-line JAVA_OPTS parameters in conf/env.conf. (NEVISIDM-9490)
  • NEW: If add.request.and.response.body.to.opentelemetry is set to true, nevisIDM logs the request and response body to OpenTelemetry. (NEVISIDM-9491)
  • NEW: Introduced the configuration properties database.connection.healthcheck.retrydelay and database.connection.healthcheck.retrycount to control the behaviour when the health check is called during connection pool maintenance. (NEVISIDM-9494)
  • NEW: Added the configuration properties application.modules.provisioning.connection.factory.classname, application.modules.provisioning.connection.factory.xa.properties, application.modules.provisioning.destination.classname, application.modules.provisioning.destination.name and application.modules.provisioning.destination.properties to make the JMS connection more configurable. (NEVISIDM-9474)
  • NEW: Introduced the rest.display.timezone configuration property to set the timezone for date and time attributes in the REST API responses. For further information: rest.display.timezone. (NEVISIDM-9450)
  • NEW: Introduced the configuration property application.config.credentialTypesToBeLockedInDatabase to provide fine-grained control over which credential types are locked during the uniqueness check. (NEVISIDM-9330)

Upgrading from nevisIDM 7.2402.x

Step 1: Installation

Install the packages of nevisIDM 7.2405.0.9032132306 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This removes the currently installed version of nevisidmdb:

rpm -U nevisidmdb-7.2405.0.9032132306-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.