Version: 7.2405.x.x LTS

Release notes

nevisIDM 7.2411.0.11839505839 - 20.11.2024

Application version: 7.2411.0.11839505839
Minimal required database schema version: 7.28
Maximal supported database schema version: 7.x

Breaking changes

General changes and new features

General/Core

  • NEW: We added a new configuration property application.is.keep.raw.phone.number to configure whether phone numbers are reformatted to E.164 or kept as entered. (NEVISIDM-9689)
  • UPGRADED: We updated Jetty to 12.0.9. (NEVISIDM-9448)
  • UPGRADED: We updated ws to 8.17.1. (NEVISIDM-9629)
  • FIXED: Added missing DTDs to DigesterFactory. (NEVISIDM-9552)
  • FIXED: Fixed privilege escalation checks that were mistakenly applied or left out for credential-related operations. (NEVISIDM-9334)
  • CHANGED: The IDM health check now checks the database version only once every database.version.healthcheck.cache.timeout seconds; otherwise it uses the cached value. (NEVISIDM-9563)
  • CHANGED: Added more detailed logging to authentication to better understand the causes of errors. (NEVISIDM-9783)
  • CHANGED: Moved the Lucene index working directory from /tmp to the working directory of the IDM instance. (NEVISIDM-9719)

Web GUI

  • UPGRADED: We updated commons-io to 2.14.0. (NEVISIDM-9793)
  • UPGRADED: We updated socket.io to 4.7.5. (NEVISIDM-9629)
  • UPGRADED: We updated npm-ip to 2.0.1. (NEVISIDM-9609)
  • CHANGED: On logout (Logout.do at the end of the URL) the runtime user is evicted from the runtime cache. (NEVISIDM-9779)

REST API

SCIM API

Web Services

  • FIXED: queryRoles, queryProfiles and queryUsers now display the nevisIDM roles correctly. (NEVISIDM-9787)
  • FIXED: ModifyCredential now accepts state changes for FIDO UAF credentials with empty credentialFidoUaf tags in the request. (NEVISIDM-9762)
  • FIXED: The credential SOAP services no longer log an error when displaying credentials if a RECOVERY_CODE or FIDO2 credential of the user is not found. (NEVISIDM-9599)
  • FIXED: The queryCredentials SOAP request no longer throws a NullPointerException if credentialDetailLevel is EXCLUDE. (NEVISIDM-9582)
  • FIXED: History is now created for custom properties when they are modified via the REST API. (NEVISIDM-9690)

Auth States

Configuration

  • FIXED: database.connection.pool.min and database.read.only.connection.pool.min now have the correct default value of 3. (NEVISIDM-9601)
  • FIXED: The property import mechanism now displays encrypted enum property values correctly after the first start. (NEVISIDM-9587)
  • NEW: The property import mechanism now handles properties with the same name but different scope correctly. (NEVISIDM-9463)
  • NEW: Introduced a new configuration property, show.user.credentials.special.attributes.enabled, to control whether UserRestService returns credential-specific fields. (NEVISIDM-9567)

Database

  • FIXED: Added CERTIFICATE_VALUE to TIDMA_CERT_INFO_V table on PostgreSQL Database schema. (NEVISIDM-9562)
  • CHANGED: The CONTEXT column of the TIDMA_CREDENTIAL table has been extended to hold up to 4000 characters. (NEVISIDM-9807)
  • CHANGED: Dropped TIDMA_ERROR table from the database schema and modified error raising. (NEVISIDM-9477)

Upgrading from nevisIDM 7.2405.x

Step 1: Installation

Install the packages of nevisIDM 7.2411.0.11839505839 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This removes the currently installed version of nevisidmdb:

rpm -U nevisidmdb-7.2411.0.11839505839-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 7.2405.5.11573997813 - 31.10.2024

Application version: 7.2405.5.11573997813
Minimal required database schema version: 7.23
Maximal supported database schema version: 7.x

General/Core

  • FIXED: RecreateCertificateInfosJob now displays certificate credentials correctly. (NEVISIDM-9821)

nevisIDM 7.2405.4.11028242603 - 27.09.2024

Application version: 7.2405.4.11028242603
Minimal required database schema version: 7.23
Maximal supported database schema version: 7.x

General/Core

  • UPGRADED: We updated path-to-regexp to 0.1.10. (NEVISIDM-9761)
  • NEW: Audit messages with type AUTHORIZATION_CREATE, AUTHORIZATION_MODIFY and AUTHORIZATION_CREATE now contain a field applicationName. (NEVISIDM-9777)
  • CHANGED: The mobile number field of MTan credentials is now updatable. (NEVISIDM-9656)
  • FIXED: Authorization-related search queries now work correctly when the number of roles is larger than database.performance.bindvar.max. (NEVISIDM-9778)
  • FIXED: UnitDataroomAuthCheckerForUser no longer logs a DataInconsistency warning if the user was imported via SCIM. (NEVISIDM-9759)
  • FIXED: The MTan duplication check no longer reports MobileSignatures as duplicates. (NEVISIDM-9756)
  • UPGRADED: We updated the braces library from 3.0.2 to 3.0.3. (NEVISIDM-9617)
  • UPGRADED: We updated Node.js from 16.13.2 to 22.9.0. (NEVISIDM-9831)
  • FIXED: Credential login info counters now work correctly on systems where audit logging is disabled. (NEVISIDM-9886)

nevisIDM 7.2405.3.10629987104 - 31.08.2024

Application version: 7.2405.3.10629987104
Minimal required database schema version: 7.23
Maximal supported database schema version: 7.x

General/Core

  • UPGRADED: We updated Spring Framework to 6.0.23. (NEVISIDM-9697)
  • UPGRADED: We updated CXF to 4.0.5. (NEVISIDM-9648)
  • NEW: Introduced customer-facing settings for OWASP CSRF Guard, configurable with application.owasp.csrfguard.overlay.properties.file. (NEVISIDM-9655)

nevisIDM 7.2405.2.10082472190 - 25.07.2024

Application version: 7.2405.2.10082472190
Minimal required database schema version: 7.23
Maximal supported database schema version: 7.x

General/Core

  • FIXED: Added the fixed database schema migration 7.10.1 to solve the issue where 7.10 failed on MariaDB if TIDMA_UNIT.NAME or TIDMA_USER.NAME was longer than 50 characters. (NEVISIDM-9618)
  • NEW: Modified the nevisidmdb tool to conditionally use 7.10.1 or 7.10 on MariaDB, depending on whether 7.10 is already applied. (NEVISIDM-9618)
  • FIXED: Fixed the display of IDM roles in the QueryUser role listing if the querying user has a restricted application dataroom. (NEVISIDM-9631)
  • FIXED: Added a default servlet to handle GET and POST on /nevisidm/admin/ in the same way as before the Jetty 11 update. (NEVISIDM-9611)
  • NEW: Made deviceId modifiable on FIDO UAF credentials. (NEVISFIDO-2140)

nevisIDM 7.2405.1.9265059647 - 26.06.2024

Application version: 7.2405.1.9265059647
Minimal required database schema version: 7.23
Maximal supported database schema version: 7.x

General/Core

  • NEW: FIDO2 Patch now works correctly with Oracle SQL Database. (NEVISIDM-9594)

nevisIDM 7.2405.0.9032132306 - 15.05.2024

Application version: 7.2405.0.9032132306
Minimal required database schema version: 7.23
Maximal supported database schema version: 7.x

Breaking changes

General changes and new features

General/Core

  • UPGRADED: We updated Jetty to 12.0.6. (NEVISIDM-9448)
  • UPGRADED: We updated Netty to 4.1.108.Final.
  • UPGRADED: We updated Spring Framework to 6.0.19. (NEVISIDM-9487)
  • UPGRADED: We updated CXF to 4.0.4. (NEVISIDM-9487)
  • UPGRADED: We updated PostgreSQL Driver to 42.6.1.
  • UPGRADED: We upgraded Commons-configuration2 to 2.10.1. (NEVISIDM-9470)
  • NEW: Credential-type specific permissions have been extended with AccessControl.CredentialSearch; from now on, CredentialSearch can be granted for specific credential types only. For further information, see Credential-type specific permissions of nevisIDM roles. (NEVISIDM-9309)
  • NEW: The OpenTelemetry spanId and traceId are added to the audit log if OpenTelemetry is configured. (NEVISIDM-9480)
  • FIXED: Potential performance issues related to getting generic credentials have been resolved. (NEVISIDM-9295)
  • FIXED: Corrected issues with pagination of FIDO UAF credentials. (NEVISIDM-9315)
  • FIXED: In Kubernetes, IDM now saves Asynchronous Email Sending into the persistent event queue. Previously, IDM with an OracleSQL or PostgreSQL database did not save it into the persistent event queue, making Asynchronous Email Sending impossible. (NEVISIDM-9476)
  • CHANGED: Refactored dataroom handling to use separate dataroom tests in SQL instead of summarizing them. (NEVISIDM-9408)
  • CHANGED: Refactored the JMS Bridge to use its internal status to check for potential disconnections, thus providing improved stability. (NEVISIDM-9319)
  • CHANGED: Refactored the way IDM retrieves data from the persistent queue. (NEVISIDM-9502)
  • UPGRADED: In the GUI, CredentialType dropdowns now list only the credential types for which the signed-in user has the required credential-type specific right. See Credential-type specific permissions. (NEVISIDM-9500)
  • UPGRADED: Extended the CredentialGetDto classes with the following 9 credential types: Ticket, Otp, TempStringPassword, Vasco, PUK, DevicePassword, MobileSignature, SamlFederation, SecurityQuestions. They can be queried with the new endpoint {userExtId}/credentials of the User REST service. (NEVISIDM-9479)
  • FIXED: The JMS bridge feature was refactored to avoid high resource consumption when the bridge target is not stable enough. (NEVISIDM-9319)
    • Bridge status added to health endpoint.
      • The health endpoint counts the unsuccessful restart attempts and indicates as down if it reaches 10, otherwise as up
      • The successful reconnection to bridge target resets the health endpoint counter
    • New configuration properties introduced:
      • messaging.bridge.failure.retry.interval: passed to org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl as the failureRetryInterval property; by default 10000
      • messaging.bridge.max.retries.on.failure: passed to the same JMSBridgeImpl class as the maxRetries property; by default 6
    • Before this refactor the maxRetries property was hardcoded to -1 and failureRetryInterval to 1000.
      • This means it tried to reconnect every second indefinitely, and a reinitializer algorithm tried to stop the bridge and re-instantiate it.
      • Unfortunately, the previous bridge instances did not shut down properly, so a lot of memory and other resources were not freed.
    • The current implementation instantiates the bridge only once.
      • If the bridge loses its running state (as determined by the newly introduced configuration properties), IDM tries to start it again.
      • The health endpoint mentioned above counts these restart attempts.
  • NEW: You can configure external JMS server for provisioning instead of using embedded Artemis server and JMS bridging. (NEVISIDM-9474)
    • If you configure external JMS server, the embedded Artemis instance will not be started.
    • New configuration properties introduced:
      • application.modules.provisioning.connection.factory.classname: connection factory class name; e.g. org.apache.activemq.artemis.jms.client.ActiveMQXAConnectionFactory
      • application.modules.provisioning.connection.factory.xa.properties: initialization properties for previous factory class; e.g. {"brokerURL": "https://artemis-server:61616", "user": "producer", "password": "secret"}
      • application.modules.provisioning.destination.classname: JMS destination class name; e.g. org.apache.activemq.artemis.jms.client.ActiveMQQueue
      • application.modules.provisioning.destination.name: JMS queue name; constructor parameter for previous class; e.g. Provisioning
      • application.modules.provisioning.destination.properties: possible initialization properties for the destination class
      • There is no default value for these properties. The default behavior is to start and use the embedded Artemis JMS server.
      • ATTENTION: The configured connection factory must implement jakarta.jms.XAConnectionFactory and the destination must implement jakarta.jms.Destination!
  • NEW: The OpenTelemetry span and related OpTrace logging can contain the SOAP and REST request and response bodies. (NEVISIDM-9488)
    • New configuration property introduced:
      • add.request.and.response.body.to.opentelemetry: whether to add the bodies or not; by default false
      • ATTENTION:
        • Processing the complete request and response bodies can reduce performance!
        • The complete request and response bodies could contain sensitive information!
        • It works only if you use the OpenTelemetry extension agent and the OpTrace logger is configured to TRACE, or if you can see the body contents in Jaeger or a similar tool!

Auth States

General/Core

Web GUI

  • FIXED: Improved performance of the Users per Application report. (NEVISIDM-9451)
  • FIXED: Improved performance of the Assign Roles to Profile page. (NEVISIDM-9377)
  • FIXED: The search function on the Vasco Administration tab now works correctly. (NEVISIDM-9513)

REST API

  • NEW: The endpoint {userExtId}/credentials is added to the User REST Services to search for the credentials of the user with the given extId. (NEVISIDM-9458)
  • NEW: Added a new endpoint to ClientsRestService to find and delete generic credentials. (NEVISIDM-9485)

SCIM API

  • NEW: SCIM is now able to filter or order users by meta.created and meta.lastModified fields. (NEVISIDM-9473)

Web Services

Auth States

  • REMOVED: The constant TokenSignature.DFLT_ALGORITHM using SHA1 was removed from jcan-sectoken, use the value SHA256withRSA instead. (NEVISIDM-9456)

Configuration

  • NEW: nevisIDM supports multi-line JAVA_OPTS parameters in conf/env.conf. (NEVISIDM-9490)
  • NEW: If add.request.and.response.body.to.opentelemetry is set to true, nevisIDM logs the request and response body to OpenTelemetry. (NEVISIDM-9491)
  • NEW: Introduced the new configuration properties database.connection.healthcheck.retrydelay and database.connection.healthcheck.retrycount to better control the behaviour when the health check is called during connection pool maintenance. (NEVISIDM-9494)
  • NEW: Added the new configuration properties application.modules.provisioning.connection.factory.classname, application.modules.provisioning.connection.factory.xa.properties, application.modules.provisioning.destination.classname, application.modules.provisioning.destination.name and application.modules.provisioning.destination.properties to make the JMS connection more configurable. (NEVISIDM-9474)
  • NEW: Introduced the rest.display.timezone configuration property to set the timezone for date and time attributes in REST API responses. For further information, see rest.display.timezone. (NEVISIDM-9450)
  • NEW: Introduced the new configuration property application.config.credentialTypesToBeLockedInDatabase to provide fine-grained control over which credential types should be locked during the uniqueness check. (NEVISIDM-9330)

Upgrading from nevisIDM 7.2402.x

Step 1: Installation

Install the packages of nevisIDM 7.2405.0.9032132306 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This removes the currently installed version of nevisidmdb:

rpm -U nevisidmdb-7.2405.0.9032132306-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.
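A pre-flight check for the database step of both upgrade procedures on this page (7.2402.x to 7.2405.0 and 7.2405.x to 7.2411.0), added here as an example; it is not part of nevisIDM or the nevisidmdb tool. Given the schema version currently in the database and the "Minimal required" and "Maximal supported" values from the target release's compatibility table, it reports whether the new release can be started against the schema as-is, whether nevisidmdb migrate is required first, or whether the schema is already newer than the release supports. How the current schema version is read from the database is an assumption left to the operator; here it is passed on the command line.

```shell
#!/bin/sh
# Added example, not part of nevisIDM or nevisidmdb.
# Decides whether a database schema version lies inside the range a release supports.
# Assumption: the operator reads the current schema version from the database and passes
# it as the first argument; MIN and MAX are copied from the "Minimal required / Maximal
# supported database schema version" table of the release being installed.

# Reduce a version string to its numeric major and minor parts.
# "7.10.1" -> major 7, minor 10 (a patch migration such as 7.10.1 does not change the range check).
ver_major() { printf '%s\n' "${1%%.*}"; }
ver_minor() {
  case "$1" in
    *.*) m="${1#*.}"; printf '%s\n' "${m%%.*}" ;;
    *)   printf '0\n' ;;
  esac
}

# schema_in_range CURRENT MIN MAX
# Returns 0 when MIN <= CURRENT <= MAX. MAX may use an "x" minor wildcard such as "7.x",
# meaning any schema with that major version is accepted.
schema_in_range() {
  cur_major=$(ver_major "$1"); cur_minor=$(ver_minor "$1")
  min_major=$(ver_major "$2"); min_minor=$(ver_minor "$2")
  max_major=$(ver_major "$3"); max_minor=$(ver_minor "$3")

  # Below the minimal required version: a migration is needed first.
  [ "$cur_major" -lt "$min_major" ] && return 1
  [ "$cur_major" -eq "$min_major" ] && [ "$cur_minor" -lt "$min_minor" ] && return 1

  # Above the maximal supported version: this release must not be started against it.
  [ "$cur_major" -gt "$max_major" ] && return 1
  if [ "$max_minor" != "x" ]; then
    [ "$cur_major" -eq "$max_major" ] && [ "$cur_minor" -gt "$max_minor" ] && return 1
  fi
  return 0
}

# preflight CURRENT MIN MAX
# Prints the action to take; returns 0 when the release can be started, 1 otherwise.
preflight() {
  if schema_in_range "$1" "$2" "$3"; then
    echo "schema $1 is within [$2, $3]: the new release can be started against it"
    return 0
  fi
  if [ "$(ver_major "$1")" -lt "$(ver_major "$2")" ] || \
     { [ "$(ver_major "$1")" -eq "$(ver_major "$2")" ] && [ "$(ver_minor "$1")" -lt "$(ver_minor "$2")" ]; }; then
    echo "schema $1 is older than the minimal required $2: run 'nevisidmdb migrate' before starting the new release"
  else
    echo "schema $1 is newer than the maximal supported $3: do not start this release against it"
  fi
  return 1
}

# Usage when run directly: sh preflight.sh <current-schema> <min> <max>
# e.g. sh preflight.sh 7.23 7.28 7.x   (a 7.2405.x schema checked against the 7.2411.0 table)
if [ "$#" -eq 3 ]; then
  preflight "$1" "$2" "$3"
fi
```

Run it between Step 1 and Step 3: a 7.2405.x database carries schema 7.23, so checked against the 7.2411.0 table (minimum 7.28, maximum 7.x) it reports that nevisidmdb migrate is required, while after the migration the same check passes. The "newer than maximal supported" branch is the case to watch for when an instance is accidentally pointed at a database that a later release has already migrated.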