Pattern Migration from LTS24 to LTS26
This guide covers breaking changes in the standard patterns (nevisAdmin 4 plugins) that require attention when migrating from LTS24 to LTS26.
Migration Process
To reduce the number of warnings and errors shown in the project and to avoid follow-up errors, a step-by-step upgrade approach can be beneficial. For instance, consider upgrading one major release at a time:
LTS24 (7.2402.x) → 8.2405.x → 8.2411.x → 8.2505.x → 8.2511.x → LTS26
Upgrading through every patch release (the third digit, e.g. 8.2405.3) is not required. Only apply a patch release if it contains a breaking change relevant to your setup — those are listed in the sections below.
For each major version step, follow this process:
- Upgrade the pattern library to the target version.
- Review all warnings and errors in your project and adapt the pattern configuration accordingly. Pay special attention to Generic patterns such as Generic nevisProxy Instance Settings, Generic Virtual Host Settings, and Generic Application Settings, as these expose low-level configuration that may be affected by underlying component changes.
- Deploy and test all use cases thoroughly.
- Proceed to the next major version.
Before switching nevisAdmin to LTS26, ensure you are on at least pattern version 8.2511.5. This patch release makes the patterns compatible with Groovy 5, which is required by LTS26.
Breaking Changes
8.2405.0
This is the first Rolling Release version after LTS24 was created.
General
- PAT-631: Kubernetes deployments now use startup probes to handle longer startup times. The Liveness Delay, Readiness Delay, and Probe Periodicity settings in instance patterns have been removed. Upgrade the nevisOperator and its CRDs before deploying.
Application Protection
- PAT-659: 2-way TLS with PostgreSQL for nevisProxy — the enabled option was removed from the TLS encryption drop-down. Use verify-ca or verify-full in combination with a Trust Store instead.
- PAT-660: 2-way TLS with PostgreSQL for Java-based components — the enabled option was removed. Use verify-ca or verify-full in combination with a Trust Store instead.
SAML / OAuth / OpenID Connect
- PAT-635: The Scope(s) settings in Social Login patterns (Apple, Google, Facebook, Microsoft) have been adapted. Review the configured scopes in your patterns and update as described in the pattern help.
Mobile Authentication
- PAT-668: Two entries were removed from the default facets in nevisFIDO UAF Instance:
  - android:apk-key-hash:z7Xkw62dAn/BsckOQ9a3OMhmlwhzdr2VkcswIIyJgJE
  - ios:bundle-id:ch.nevis.accessapp.presales.k8s
8.2405.3
Identity Management
- PAT-749: The nevisIDM Password Login pattern now validates the URL from which the password reset flow is started. New settings Redirection Path Validation Mode, Application Path Fallback, and Custom Redirection Path Validation Regexes are available. If URLs in your protected paths can contain newline or carriage return characters, review and fine-tune these settings.
8.2411.0
Application Protection
- PAT-750 / PAT-754: The nevisProxy Observability Settings pattern has been refactored. The Trace Resource Service Name parameter was renamed and moved to the Basic Settings tab, where it now controls the service.name resource attribute for both Metrics Mode and Trace Mode. Review and update the pattern configuration.
- PAT-751: CRS version 4.7.0 was added to the OWASP ModSecurity CRS Version drop-down. The oldest unsupported version, 3.0.2, was removed. If your project used version 3.0.2, select a newer version.
- PAT-650: The SOAP Service pattern has a new SOAP Schema Validation Mode setting. The new default mode is content-type, which only analyzes requests with Content-Type: application/soap+xml. The previous behavior (analyzing all requests) is now called strict. Review if this change affects your setup and select strict to restore the previous behavior if required.
- PAT-755: The Maintenance Page pattern now includes its sanitized name in the generated MaintenanceFilter and DefaultServlet names to prevent naming collisions. If you use Generic Application Settings or Generic Virtual Host Settings to customize these elements, update the configured names accordingly.
Authentication
- PAT-710: Custom Attributes in realm patterns are now also applied to RemoteOutOfContextDataStore. If you have attributes that should only be applied to the RemoteSessionStore, prefix the attribute name with session:.
User Behavior Analytics
- NEVISDETECT-1874: nevisAdapt patterns have been moved to a new nevisAdmin 4 plugin: nevisadmin-plugin-nevisadapt. The package name of all related patterns changed. Run the automatic migration script provided in the release notes to avoid errors. Ensure the new plugin is enabled in all projects using nevisAdapt.
- NEVISDETECT-1954: The observation timeframe setting in nevisAdapt Instance has been moved to a dedicated pattern. The automatic migration script handles this change if a specific value was previously configured.
8.2505.0
8.2505.0 is an internal release. Its changes are included in 8.2505.3.
Authentication
- PAT-805: Realm patterns now use a new modern login template by default. Test your use cases with the new template. If you encounter rendering issues, opt out by setting Default Template to classic in the realm pattern.
- PAT-803: The testing mode code for Email TAN and Mobile TAN patterns has changed from AAAAA to 111111. The new code follows the configured TAN Format. Update any test scripts or procedures that relied on the previous code.
- PAT-806: The order of buttons in several authentication step patterns has changed (the primary button is now shown first). The following patterns received a Button Order setting in Advanced Settings — set it to reverse to restore the previous order:
  - nevisIDM User Lookup
  - Email TAN
  - Mobile TAN
  - User Input (multiple fields)
8.2505.1
8.2505.1 is an internal release. Its changes are included in 8.2505.3.
FIDO2 Passwordless
- PAT-736: nevisFIDO FIDO2 Instance now supports protecting FIDO2 onboarding operations with a SecToken. Review the settings in the FIDO2 Onboarding tab to ensure the behavior matches your requirements.
- PAT-820: Signature Algorithms in nevisFIDO FIDO2 Instance have been extended and the default has changed. Review and update the configuration if required.
8.2505.3
Authentication
- PAT-867: The Remember Input setting in authentication step patterns is deprecated. A warning is shown when it is enabled. The feature will be removed in 8.2511.0. Disable Remember Input in all affected patterns before upgrading to 8.2511.x.
- PAT-872: The following button label keys have been renamed. If you have overridden any of these translations, rename them accordingly:
  - login.social.generic.button.label → login.social.button.label
  - mobile_auth.cancel.button.label → cancel.button.label
  - fido2.cancel.button.label → cancel.button.label
- PAT-832: FIDO2 metadata support in nevisFIDO FIDO2 Instance has been improved. Check the settings in the FIDO2 Metadata tab and configure the metadata service (e.g., a remote FIDO Alliance MDS3 endpoint) as desired.
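The PAT-872 renames merge two formerly separate cancel labels into one key, so overrides that differed per flow collide after the rename. The following is an added example, not code from Nevis, that applies the renames and reports such collisions; it assumes the overridden translations are available as `key=value` lines, and the sample labels are constructed.

```python
# Added example (not Nevis code): apply the PAT-872 key renames to overridden
# translations, assumed here to be "key=value" lines.
RENAMES = {
    "login.social.generic.button.label": "login.social.button.label",
    "mobile_auth.cancel.button.label": "cancel.button.label",
    "fido2.cancel.button.label": "cancel.button.label",
}

def migrate_translations(text):
    """Return (migrated_text, conflicts).

    Two old keys now share cancel.button.label. If their overrides (or an
    existing cancel.button.label override) differ, the lines are left untouched
    and the competing values are reported for a manual decision.
    """
    entries = []  # (target key or None, value, raw line)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            entries.append((None, None, raw))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries.append((RENAMES.get(key, key), value, raw))

    values = {}
    for target, value, _ in entries:
        if target is not None:
            values.setdefault(target, set()).add(value)
    conflicts = {t: sorted(v) for t, v in values.items() if len(v) > 1}

    out, emitted = [], set()
    for target, value, raw in entries:
        if target is None or target in conflicts:
            out.append(raw)            # comments, blanks, unresolved conflicts
        elif target not in emitted:    # drop duplicates that merged into one key
            emitted.add(target)
            out.append(f"{target}={value}")
    return "\n".join(out), conflicts

# Constructed sample overrides.
SAMPLE = """\
# custom labels
login.social.generic.button.label=Continue with provider
mobile_auth.cancel.button.label=Abort
fido2.cancel.button.label=Cancel
title.login=Sign in
"""
```

For the sample, the social login key is renamed, while both cancel overrides stay in place and are reported as a conflict on cancel.button.label.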
Kubernetes
- IP-669: Default Startup Probe Delay values have changed for the following components. Verify that your components start within the new defaults, or configure custom values in the instance patterns:
  - nevisAuth: 50s (increased)
  - nevisIDM: 60s (increased)
  - nevisAdapt: 60s (increased)
  - nevisProxy, nevisLogrend, nevisMeta, nevisDetect, nevisFIDO, nevisDataPorter: 30s
8.2505.5
User Behavior Analytics
- PAT-909: The nevisAdapt Database and nevisDetect Database patterns have a breaking change: a connection-type drop-down was removed. If you had selected any option in that drop-down, clear it and configure the equivalent settings in the Connection Pool tab instead.
Identity Management
- PAT-929: The nevisIDM Second Factor Selection pattern now requires nevisIDM version 8.2505.5 or later. In Kubernetes deployments, ensure the nevisIDM service version is set accordingly in the inventory.
8.2505.7
Application Protection
- PAT-968: Fixed generation of the sslmode parameter for PostgreSQL connections in Java-based components. The parameter must be sslmode (lowercase) for PostgreSQL and sslMode for MariaDB. This fix may be breaking if your configuration relied on the previous incorrect behavior — verify that your database connections still work after upgrading.
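To verify the spelling described in PAT-968, the JDBC URLs in use can be checked per driver. The following is an added example, not code from Nevis; the hosts and database names in the sample URLs are constructed placeholders.

```python
# Added example (not Nevis code). Spelling per PAT-968:
# PostgreSQL expects "sslmode", MariaDB expects "sslMode".
from urllib.parse import parse_qsl

EXPECTED = {"postgresql": "sslmode", "mariadb": "sslMode"}

def check_ssl_param(jdbc_url):
    """Classify one JDBC URL: ok, wrong-case, duplicate, missing or unknown-driver."""
    parts = jdbc_url.split(":", 2)
    if len(parts) < 3 or parts[0] != "jdbc" or parts[1] not in EXPECTED:
        return ("unknown-driver", None)
    expected = EXPECTED[parts[1]]
    query = jdbc_url.partition("?")[2]
    # Collect every spelling of the parameter, regardless of case.
    found = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
             if k.lower() == "sslmode"]
    if not found:
        return ("missing", None)
    if len(found) > 1:
        # Both spellings present: which one wins depends on the driver.
        return ("duplicate", [k for k, _ in found])
    name, value = found[0]
    if name != expected:
        return ("wrong-case", f"{name} -> {expected}")
    return ("ok", value)

# Constructed sample URLs (hosts and database names are placeholders).
SAMPLES = [
    "jdbc:postgresql://db.example.internal:5432/nevis?sslmode=verify-full",
    "jdbc:postgresql://db.example.internal:5432/nevis?sslMode=verify-full",
    "jdbc:mariadb://db.example.internal:3306/nevis?sslmode=verify-ca",
    "jdbc:mariadb://db.example.internal:3306/nevis?sslMode=verify-ca&sslmode=trust",
    "jdbc:mariadb://db.example.internal:3306/nevis",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_ssl_param(url), url)
```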
8.2511.0
Authentication
- PAT-999: The Remember Input feature has been removed as announced in 8.2505.3. If any pattern still has this setting enabled, an error will be shown. Manually clear the Remember Input configuration from all affected patterns before deploying.
Federation
- NEVISADMV4-10642: The SAML IDP Connector and SAML SP Connector patterns have been refactored. The option AuthnRequest was removed from the following drop-downs as it never applied to these connector roles:
  - SAML IDP Connector / Signature Validation
  - SAML SP Connector / Signed Element
- Review your SAML patterns and remove any use of the AuthnRequest option.
8.2511.1
General
- PAT-1006: The default value of TLS Encryption in all database patterns changed from plain to trust. Verify the database TLS configuration in your patterns and adjust if required.
8.2511.2
Application Protection
- PAT-1030: ModSecurity Core Rule Set versions prior to 4.22.0 (CRSv4) and 3.3.8 (CRSv3) have been removed due to known vulnerabilities. If your project uses an older version, select 4.22.0 or 3.3.8 and test your applications against the new rules before deploying. If you need to temporarily use a previous version, download the rule set from the old pattern version, upgrade the patterns, and re-upload it — see the 8.2511.2 release notes for details.
- PAT-1013: A new SSL VHost SNI Policy setting was added to the nevisProxy Instance pattern to configure the Apache SSLVHostSNIPolicy. This is a security-relevant setting — review it carefully. This change requires nevisProxy version 8.2511.1.2 or newer.
8.2511.4
Application Protection
- IP-1704: The Transaction Confirmation pattern has been renamed to Transaction Confirmation Service and reworked. When upgrading, an error is shown. Decide whether to expose the new endpoint: if yes, assign an authentication realm; if not, set the corresponding drop-down to disabled.
8.2511.5
General
- NEVISADMV4-10671: The patterns are now compatible with both Groovy 4 and Groovy 5. You must upgrade to at least 8.2511.5 before upgrading nevisAdmin 4 to the LTS26 version. This is a prerequisite — skipping this step will cause errors after the LTS26 upgrade.
LTS26
General
- NEVISADMV4-10671: Groovy 5 is now required. Ensure that all Groovy scripts referenced in your patterns — in particular those in Groovy Script Step and Generic Authentication Step — are compatible with Groovy 5. Review method resolution, GString handling, and any removed deprecated methods. See the nevisAuth breaking changes for further guidance.
Application Protection
- PRODROAD-817: TLS Settings for inbound connections have been renovated:
  - The HTTPs setting in nevisLogrend Instance has been removed. Reconfigure TLS using the new Inbound TLS tab.
  - The TLS Settings pattern has been renamed to Generic nevisProxy TLS Settings.
  - TLS profile options in the Virtual Host pattern were updated: new modern and intermediate options were added (inspired by Mozilla guidelines). The existing recommended and compatible options were renamed to legacy recommended and legacy compatible to make opting out of this change straightforward.
- PAT-1026: Legacy (non-RFC7512) PKCS11 URLs are no longer supported in the Securosys KeyStore Provider. Migrate to RFC7512-compliant PKCS11 URLs.
Identity Management
- PAT-1087: The requested option was removed from the Client Authentication drop-down in nevisIDM Instance, as nevisIDM does not support this option. Update any affected configurations.