Version: 9.2605.x.x RR

Pattern Migration from LTS24 to LTS26

This guide covers breaking changes in the standard patterns (nevisAdmin 4 plugins) that require attention when migrating from LTS24 to LTS26.

Migration Process

To reduce the number of warnings and errors shown in the project and to avoid follow-up errors, a step-by-step upgrade approach can be beneficial. For instance, consider upgrading one major release at a time:

LTS24 (7.2402.x) → 8.2405.x → 8.2411.x → 8.2505.x → 8.2511.x → LTS26

Upgrading through every patch release (the third digit, e.g. 8.2405.3) is not required. Only apply a patch release if it contains a breaking change relevant to your setup — those are listed in the sections below.

For each major version step, follow this process:

  1. Upgrade the pattern library to the target version.
  2. Review all warnings and errors in your project and adapt the pattern configuration accordingly. Pay special attention to Generic patterns such as Generic nevisProxy Instance Settings, Generic Virtual Host Settings, and Generic Application Settings, as these expose low-level configuration that may be affected by underlying component changes.
  3. Deploy and test all use cases thoroughly.
  4. Proceed to the next major version.

Danger: Before switching nevisAdmin to LTS26, ensure you are on at least pattern version 8.2511.5. This patch release makes the patterns compatible with Groovy 5, which is required by LTS26.

Breaking Changes

8.2405.0

This is the first Rolling Release version after LTS24 was created.

General

  • PAT-631: Kubernetes deployments now use startup probes to handle longer startup times. The Liveness Delay, Readiness Delay, and Probe Periodicity settings in instance patterns have been removed. Upgrade the nevisOperator and its CRDs before deploying.

Application Protection

  • PAT-659: 2-way TLS with PostgreSQL for nevisProxy — the enabled option was removed from the TLS encryption drop-down. Use verify-ca or verify-full in combination with a Trust Store instead.
  • PAT-660: 2-way TLS with PostgreSQL for Java-based components — the enabled option was removed. Use verify-ca or verify-full in combination with a Trust Store instead.

SAML / OAuth / OpenID Connect

  • PAT-635: The Scope(s) settings in Social Login patterns (Apple, Google, Facebook, Microsoft) have been adapted. Review the configured scopes in your patterns and update as described in the pattern help.

Mobile Authentication

  • PAT-668: Two entries were removed from the default facets in nevisFIDO UAF Instance:
    • android:apk-key-hash:z7Xkw62dAn/BsckOQ9a3OMhmlwhzdr2VkcswIIyJgJE
    • ios:bundle-id:ch.nevis.accessapp.presales.k8s

8.2405.3

Identity Management

  • PAT-749: The nevisIDM Password Login pattern now validates the URL from which the password reset flow is started. New settings Redirection Path Validation Mode, Application Path Fallback, and Custom Redirection Path Validation Regexes are available. If URLs in your protected paths can contain newline or carriage return characters, review and fine-tune these settings.

8.2411.0

Application Protection

  • PAT-750 / PAT-754: The nevisProxy Observability Settings pattern has been refactored. The Trace Resource Service Name parameter was renamed and moved to the Basic Settings tab, where it now controls the service.name resource attribute for both Metrics Mode and Trace Mode. Review and update the pattern configuration.
  • PAT-751: CRS version 4.7.0 was added to the OWASP ModSecurity CRS Version drop-down. The oldest unsupported version, 3.0.2, was removed. If your project used version 3.0.2, select a newer version.
  • PAT-650: The SOAP Service pattern has a new SOAP Schema Validation Mode setting. The new default mode is content-type, which only analyzes requests with Content-Type: application/soap+xml. The previous behavior (analyzing all requests) is now called strict. Review if this change affects your setup and select strict to restore the previous behavior if required.
  • PAT-755: The Maintenance Page pattern now includes its sanitized name in the generated MaintenanceFilter and DefaultServlet names to prevent naming collisions. If you use Generic Application Settings or Generic Virtual Host Settings to customize these elements, update the configured names accordingly.

Authentication

  • PAT-710: Custom Attributes in realm patterns are now also applied to RemoteOutOfContextDataStore. If you have attributes that should only be applied to the RemoteSessionStore, prefix the attribute name with session:.

User Behavior Analytics

  • NEVISDETECT-1874: nevisAdapt patterns have been moved to a new nevisAdmin 4 plugin: nevisadmin-plugin-nevisadapt. The package name of all related patterns changed. Run the automatic migration script provided in the release notes to avoid errors. Ensure the new plugin is enabled in all projects using nevisAdapt.
  • NEVISDETECT-1954: The observation timeframe setting in nevisAdapt Instance has been moved to a dedicated pattern. The automatic migration script handles this change if a specific value was previously configured.

8.2505.0

Info: 8.2505.0 is an internal release. Its changes are included in 8.2505.3.

Authentication

  • PAT-805: Realm patterns now use a new modern login template by default. Test your use cases with the new template. If you encounter rendering issues, opt out by setting Default Template to classic in the realm pattern.
  • PAT-803: The testing mode code for Email TAN and Mobile TAN patterns has changed from AAAAA to 111111. The new code follows the configured TAN Format. Update any test scripts or procedures that relied on the previous code.
  • PAT-806: The order of buttons in several authentication step patterns has changed (the primary button is now shown first). The following patterns received a Button Order setting in Advanced Settings — set it to reverse to restore the previous order:
    • nevisIDM User Lookup
    • Email TAN
    • Mobile TAN
    • User Input (multiple fields)

8.2505.1

Info: 8.2505.1 is an internal release. Its changes are included in 8.2505.3.

FIDO2 Passwordless

  • PAT-736: nevisFIDO FIDO2 Instance now supports protecting FIDO2 onboarding operations with a SecToken. Review the settings in the FIDO2 Onboarding tab to ensure the behavior matches your requirements.
  • PAT-820: Signature Algorithms in nevisFIDO FIDO2 Instance have been extended and the default has changed. Review and update the configuration if required.

8.2505.3

Authentication

  • PAT-867: The Remember Input setting in authentication step patterns is deprecated. A warning is shown when it is enabled. The feature will be removed in 8.2511.0. Disable Remember Input in all affected patterns before upgrading to 8.2511.x.
  • PAT-872: The following button label keys have been renamed. If you have overridden any of these translations, rename them accordingly:
    • login.social.generic.button.label → login.social.button.label
    • mobile_auth.cancel.button.label → cancel.button.label
    • fido2.cancel.button.label → cancel.button.label
  • PAT-832: FIDO2 metadata support in nevisFIDO FIDO2 Instance has been improved. Check the settings in the FIDO2 Metadata tab and configure the metadata service (e.g., a remote FIDO Alliance MDS3 endpoint) as desired.

Kubernetes

  • IP-669: Default Startup Probe Delay values have changed for the following components. Verify that your components start within the new defaults, or configure custom values in the instance patterns:
    • nevisAuth: 50s (increased)
    • nevisIDM: 60s (increased)
    • nevisAdapt: 60s (increased)
    • nevisProxy, nevisLogrend, nevisMeta, nevisDetect, nevisFIDO, nevisDataPorter: 30s

8.2505.5

User Behavior Analytics

  • PAT-909: The nevisAdapt Database and nevisDetect Database patterns have a breaking change: a connection-type drop-down was removed. If you had selected any option in that drop-down, clear it and configure the equivalent settings in the Connection Pool tab instead.

Identity Management

  • PAT-929: The nevisIDM Second Factor Selection pattern now requires nevisIDM version 8.2505.5 or later. In Kubernetes deployments, ensure the nevisIDM service version is set accordingly in the inventory.

8.2505.7

Application Protection

  • PAT-968: Fixed generation of the sslmode parameter for PostgreSQL connections in Java-based components. The parameter must be sslmode (lowercase) for PostgreSQL and sslMode for MariaDB. This fix may be breaking if your configuration relied on the previous incorrect behavior — verify that your database connections still work after upgrading.
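
One way to check generated configuration against the PAT-968 spelling rule after upgrading, as an added example that is not part of the patterns. The property names, hosts and database names in the sample are constructed; only the sslmode / sslMode spellings come from this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter spelling each driver expects, as stated in PAT-968.
EXPECTED = {"postgresql": "sslmode", "mariadb": "sslMode"}
JDBC_URL = re.compile(r"jdbc:(?:postgresql|mariadb)://[^\s\"'<>]+")


def audit_jdbc_tls(config_text):
    """Return (url, finding) pairs for PostgreSQL/MariaDB JDBC URLs in the text."""
    findings = []
    for url in JDBC_URL.findall(config_text):
        parts = urlsplit(url[len("jdbc:"):])
        expected = EXPECTED[parts.scheme]
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        # Same parameter, wrong casing for this driver.
        miscased = [n for n in names if n.lower() == "sslmode" and n != expected]
        if miscased:
            findings.append((url, f"'{miscased[0]}' should be spelled '{expected}'"))
        elif names.count(expected) == 0:
            findings.append((url, f"no '{expected}' parameter in the URL"))
        elif names.count(expected) > 1:
            findings.append((url, f"'{expected}' is set more than once"))
    return findings


# Constructed sample, not real generated output.
SAMPLE = """\
db.a.url=jdbc:postgresql://pg.example.internal:5432/nevisidm?sslMode=verify-full
db.b.url=jdbc:postgresql://pg.example.internal:5432/nevisauth?sslmode=verify-full
db.c.url=jdbc:mariadb://maria.example.internal:3306/nevismeta?sslmode=verify-ca
db.d.url=jdbc:mariadb://maria.example.internal:3306/nss?sslMode=verify-full
db.e.url=jdbc:postgresql://pg.example.internal:5432/plain
"""

if __name__ == "__main__":
    for url, finding in audit_jdbc_tls(SAMPLE):
        print(f"{finding}: {url}")
```

A URL without the parameter is reported because the TLS mode may then be set elsewhere or left to the driver; confirm which applies before treating the connection as verified.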

8.2511.0

Authentication

  • PAT-999: The Remember Input feature has been removed as announced in 8.2505.3. If any pattern still has this setting enabled, an error will be shown. Manually clear the Remember Input configuration from all affected patterns before deploying.

Federation

  • NEVISADMV4-10642: The SAML IDP Connector and SAML SP Connector patterns have been refactored. The option AuthnRequest was removed from the following drop-downs as it never applied to these connector roles:
    • SAML IDP Connector / Signature Validation
    • SAML SP Connector / Signed Element
    Review your SAML patterns and remove any use of the AuthnRequest option.

8.2511.1

General

  • PAT-1006: The default value of TLS Encryption in all database patterns changed from plain to trust. Verify the database TLS configuration in your patterns and adjust if required.

8.2511.2

Application Protection

  • PAT-1030: ModSecurity Core Rule Set versions prior to 4.22.0 (CRSv4) and 3.3.8 (CRSv3) have been removed due to known vulnerabilities. If your project uses an older version, select 4.22.0 or 3.3.8 and test your applications against the new rules before deploying. If you need to temporarily use a previous version, download the rule set from the old pattern version, upgrade the patterns, and re-upload it — see the 8.2511.2 release notes for details.
  • PAT-1013: A new SSL VHost SNI Policy setting was added to the nevisProxy Instance pattern to configure the Apache SSLVHostSNIPolicy. This is a security-relevant setting — review it carefully. This change requires nevisProxy version 8.2511.1.2 or newer.

8.2511.4

Application Protection

  • IP-1704: The Transaction Confirmation pattern has been renamed to Transaction Confirmation Service and reworked. When upgrading, an error is shown. Decide whether to expose the new endpoint: if yes, assign an authentication realm; if not, set the corresponding drop-down to disabled.

8.2511.5

General

  • NEVISADMV4-10671: The patterns are now compatible with both Groovy 4 and Groovy 5. You must upgrade to at least 8.2511.5 before upgrading nevisAdmin 4 to the LTS26 version. This is a prerequisite — skipping this step will cause errors after the LTS26 upgrade.

LTS26

General

  • NEVISADMV4-10671: Groovy 5 is now required. Ensure that all Groovy scripts referenced in your patterns — in particular those in Groovy Script Step and Generic Authentication Step — are compatible with Groovy 5. Review method resolution, GString handling, and any removed deprecated methods. See the nevisAuth breaking changes for further guidance.

Application Protection

  • PRODROAD-817: TLS Settings for inbound connections have been renovated:
    • The HTTPs setting in nevisLogrend Instance has been removed. Reconfigure TLS using the new Inbound TLS tab.
    • The TLS Settings pattern has been renamed to Generic nevisProxy TLS Settings.
    • TLS profile options in the Virtual Host pattern were updated: new modern and intermediate options were added (inspired by Mozilla guidelines). The existing recommended and compatible options were renamed to legacy recommended and legacy compatible to make opting out of this change straightforward.
  • PAT-1026: Legacy (non-RFC7512) PKCS11 URLs are no longer supported in the Securosys KeyStore Provider. Migrate to RFC7512-compliant PKCS11 URLs.
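
A pre-migration check for the PAT-1026 item above, as an added example (not Nevis or Securosys code): it validates a configured URL against the RFC 7512 grammar and reports anything else as needing migration. The sample values are constructed; the legacy Securosys syntax is not shown on this page, so a string without the pkcs11: scheme is simply reported as non-compliant.

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Attribute names, value formats and character sets from the RFC 7512 ABNF.
# The 'id' attribute carries raw bytes, so it is decoded to bytes, not text.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "object", "type", "id",
              "library-manufacturer", "library-description", "library-version",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
FORMATS = {"type": r"public|private|cert|secret-key|data",
           "slot-id": r"[0-9]+", "library-version": r"[0-9]+(\.[0-9]+)?"}
_COMMON = r"A-Za-z0-9._~:\[\]@!$'()*+,=\-"
PATH_VALUE = re.compile(rf"(?:[{_COMMON}&]|%[0-9A-Fa-f]{{2}})*")
QUERY_VALUE = re.compile(rf"(?:[{_COMMON}/?|]|%[0-9A-Fa-f]{{2}})*")


def check_pkcs11_uri(uri):
    """Return (attrs, errors, warnings) for one configured PKCS#11 URL."""
    attrs, errors, warnings = {}, [], []
    if uri[:7].lower() != "pkcs11:":
        return attrs, ["missing 'pkcs11:' scheme, not an RFC 7512 URI"], warnings
    path, _, query = uri[7:].partition("?")
    for part, sep, known, charset in ((path, ";", PATH_ATTRS, PATH_VALUE),
                                      (query, "&", QUERY_ATTRS, QUERY_VALUE)):
        for item in part.split(sep) if part else []:
            name, eq, value = item.partition("=")
            if not eq or not re.fullmatch(r"[A-Za-z0-9_-]+", name):
                errors.append(f"malformed attribute {item!r}")
            elif not charset.fullmatch(value):
                errors.append(f"{name}: value has characters that need percent-encoding")
            elif name in attrs and (sep == ";" or name in known):
                errors.append(f"{name}: duplicate attribute")
            else:
                if name not in known:  # the ABNF allows vendor attributes
                    warnings.append(f"{name}: vendor-specific or misplaced attribute")
                attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    for name, pattern in FORMATS.items():
        if name in attrs and not re.fullmatch(pattern, attrs[name]):
            errors.append(f"{name}: invalid value {attrs[name]!r}")
    if "pin-value" in attrs:
        warnings.append("pin-value: PIN is stored in clear text in the URI")
    return attrs, errors, warnings

# Constructed sample values; the first is deliberately not RFC 7512 syntax.
SAMPLES = ["tls-key@slot0",
           "pkcs11:token=demo-hsm;object=tls-key;type=private?pin-source=file:/run/secrets/pin",
           "pkcs11:object=a/b;type=key?pin-value=1234"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, *check_pkcs11_uri(sample)[1:], sep="\n  ")
```

This checks syntax only; whether the token and object named in the URI exist on the HSM still has to be confirmed by deploying and testing.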

Identity Management

  • PAT-1087: The requested option was removed from the Client Authentication drop-down in nevisIDM Instance, as nevisIDM does not support this option. Update any affected configurations.