Version: 8.2405.x.x RR

2024-Q2: RR Upgrade (May 2024)

Major version

Version: 8.2405

Lifecycle dates

| Minor Version | General Availability | End of Full Support | End of Fade-Out Support |
|---|---|---|---|
| 8.2405.1.1165 | July 25, 2024 | Nov 19, 2024 | Jun 19, 2025 |
| 8.2405.1.1148 | July 11, 2024 | Nov 19, 2024 | Jun 19, 2025 |
| 8.2405.0.1143 | June 26, 2024 | Nov 19, 2024 | Jun 19, 2025 |
| 8.2405.0.1130 | May 15, 2024 | Nov 19, 2024 | Jun 19, 2025 |

Breaking changes, improvements and required actions

nevisAdmin 8.2405.0 Release Notes - 2024-05-15

  • RPM: nevisadmin4-8.2405.0.7-1.noarch.rpm
  • GUI Version: FE 8.2405.0-1300 - BE 8.2405.0.7

Changes and new features

Breaking changes
  • CHANGED: Due to the shallow checkout feature, Kubernetes deployments no longer work with uninitialized repositories.
New features
  • NEW: Inventory scoped secrets, secret files, and files can now be converted into global scoped secrets, secret files, and files respectively, on the Secrets & Files screen.

  • NEW: nevisAdmin 4 now collects anonymized analytics data. This helps us understand better how nevisAdmin 4 is used.

    Note: nevisAdmin 4 only collects data; it does not send it to us without explicit user interaction. For more information, see product-analytics.

General changes
  • IMPROVED: Issues with INFO severity are now logged at DEBUG log level instead of INFO log level, for better log readability. This change only affects issues (mostly the ones created during the validation of configurations), not all log messages.
  • IMPROVED: The deployment process now creates a shallow clone of the deployment repository.
  • IMPROVED: In the Inventory Editor, validation errors that can be traced to specific lines are now displayed inline in the editor instead of only in the page header.
  • IMPROVED: The log viewer dialog (for pod logs or nevisAdmin 4 logs) now lets you turn on line wrapping. The preference persists across logs.
  • FIXED: Using REST requests, it used to be possible to deploy projects with inventories that are not in the same tenant as the project. Such requests are now rejected.
  • FIXED: We fixed a GUI issue in the pattern editor where an error was thrown when a variable was assigned to a multi-select type of pattern field.
  • FIXED: The file tree in the Generation Results of the Deployment Wizard no longer throws errors or becomes unresponsive when the tree has many items. Moving the divider between the file tree and the file content previewer also became easier.
  • FIXED: The authentication flow tree (in the right sidebar of the pattern editor) mixed up multiple occurrences of the same pattern when navigating using the links in the tree. Now those links correctly select the expected pattern in the tree.
Dependency upgrades
  • org.eclipse.jgit 6.9.0.202403050737-r
  • jsch 0.2.17
  • jackson 2.17.0
  • jetty-rewrite 12.0.8
  • groovy 4.0.20
  • aspectjweaver 1.9.22
  • jakarta-activation-api 2.1.3
  • jakarta-xml-bind-api 4.0.2
  • jaxb-runtime 4.0.5
  • slf4j-api 2.0.12
  • logback-classic 1.5.3
  • guava 33.1.0-jre
  • commonmark 0.22.0
  • opensaml 4.3.1
  • spring-boot 3.2.5
  • springdoc-openapi-starter-webmvc-ui 2.5.0
  • mariadb-java-client 3.3.3
  • postgresql 42.7.3
  • nimbus-jose-jwt 9.37.3
  • bcprov-jdk18on 1.78
  • bcpkix-jdk18on 1.78
  • bcpg-jdk18on 1.78
  • bcutil-jdk18on 1.78
  • kubernetes-java-client 20.0.1
  • micrometer 1.12.4
Tip: For a more detailed release description, see the nevisAdmin4 release notes.

Patterns 8.2405.0 Release Notes - 2024-05-15

Build Version: 8.2405.0.6

Changes and new features

Info: Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General
  • ⚠️ The image version encoded in the patterns has been raised to 8.2405.0 for all components. If you are deploying to Kubernetes you have to push all required images to your container registry before deployment.
  • PAT-639: Added Deployment Environment drop-down to Java Observability Settings pattern.
  • PAT-657: Ensure errors caused by uploaded XML files are shown in the pattern where the file is uploaded.
  • PAT-675: Fixed duplicate Java agent configuration in env.conf when using Java Observability Settings pattern.
  • PAT-667: Support generation of otel configuration based on inventory variables.
  • ⚠️ PAT-660: Support 2-way TLS with PostgreSQL for Java components.
    • The value enabled does not exist anymore, and you have to select a different value. We recommend using verify-ca or verify-full in combination with a Trust Store instead.
  • ⚠️ PAT-631: Kubernetes deployments will now use startup probes to allow for longer startup times.
    • Additionally, the liveness and readiness probe timings were tightened, and the liveness and readiness delay configuration options were removed.
    • Make sure to upgrade to the latest version of the nevisOperator and its corresponding CRDs before deploying with the new plugin version.
Application Protection
  • PAT-547: The generated dynamic SecurityRoleFilter won’t store the intercepted requests by default anymore.
  • PAT-651: The StateKey parameter is no longer generated for SecurityRoleFilter.
  • PAT-651: Added option to configure custom parameters for the SecurityRoleFilter in realms.
  • ⚠️ PAT-659: Support 2-way TLS with PostgreSQL for nevisProxy.
    • The value enabled does not exist anymore, and you have to select a different value. We recommend using verify-ca or verify-full in combination with a Trust Store instead.
  • PAT-658: Updated navajo.xml generation to match the latest navajo DTD version.
  • PAT-674: Fixed an error during background generation when using a nevisAdmin ${var expression with only a variable as param-value in a servlet or filter in Generic Virtual Host Settings or Generic Application Settings.
Authentication
  • PAT-673: Support configuration of arbitrary KeyObject elements by allowing the nevisAuth KeyObject pattern to be assigned to nevisAuth Instance.
  • PAT-673: Support configuration of property elements for KeyObject in nevisAuth KeyObject pattern.
  • PAT-669: Support configuration of custom Audit channels for nevisAuth.
  • PAT-657: Support child Mapping for Method in Generic nevisAuth Web Service.
  • PAT-652: New setting Shared Groovy Scripts on nevisAuth Instance.
  • PAT-642: Fix requirement clash when reusing JSON Response Step.
  • N/A: Fixed corrupted binary files being deployed when uploading them to Custom Resources in nevisAuth Instance.
Identity Management
  • PAT-680: For permissions related to credentials (such as CredentialChangeState, CredentialCreate, CredentialDelete, CredentialModify, CredentialPdfView, CredentialSearch, CredentialView, and CredentialViewPlainValue), it is now allowed to reduce the elementary permission to a specific credential type. Example: CredentialCreate.PASSWORD
  • PAT-663: Avoid file clash when creating the same nevisIDM property with different scopes.
Mobile Authentication
  • ⚠️ PAT-668: The following 2 values have been removed from the default facets in nevisFIDO UAF Instance:
    • android:apk-key-hash:z7Xkw62dAn/BsckOQ9a3OMhmlwhzdr2VkcswIIyJgJE
    • ios:bundle-id:ch.nevis.accessapp.presales.k8s
  • PAT-641: Fix HTTP connection to nevisFIDO for Out-of-band Mobile Onboarding.
SAML / OAuth / OpenID Connect
  • PAT-644: Allow to configure no scopes for Generic Social Login Step.
  • PAT-643: Fix error when Schema User Password is missing in classic deployment.
  • ⚠️ PAT-635: The Scope(s) that can be configured in Social Login patterns (Apple, Google, Facebook, Microsoft) have been adapted.
    • If you use any of these patterns check the configuration of your pattern. See help for Scope(s) for details.
User behavior analytics
  • NEVISDETECT-1827: Updated the nevisAdapt Demo app in the template.
  • NEVISDETECT-1831: Added option to disable private IP filtering and configure default country code in that case.
  • NEVISDETECT-1834: Added option to enable Apache Hostname Verifier under nevisAdapt Instance / Advanced Settings.
  • NEVISDETECT-1835: Added option to disable nevisAdapt analyzers, either on module or analyzer level.

nevisAppliance 8.2405.0.1130 - 15.05.2024

Announcement

The Rolling Release from May 2024 is now based on 'Rocky Linux 9', which is a breaking change. To stay aligned with supported operating system releases and to support the EL9 platform, we have upgraded the base OS of the nevisAppliance from Rocky Linux 8 to 'Rocky Linux 9'. Please familiarize yourself with 'Rocky Linux 9' if you need to make OS-level changes.

In addition to MariaDB (10.5.x), the database appliance now also contains a PostgreSQL database (15.x), which is supported by the Nevis components.

Breaking change

NetworkManager is now the default for managing network interfaces/connections.

  • The legacy scripts in /etc/sysconfig/network-scripts/ still exist but are now under the control of NetworkManager.
  • NetworkManager stores its config files under /etc/NetworkManager/. During this transition, the 'nevisappliance' network menu still creates the legacy files (as you can also do manually), but NetworkManager handles them. You can also already use the new configuration by defining interfaces in /etc/NetworkManager/system-connections; these are considered as well.
  • To go along with this change, when upgrading existing Rocky Linux 8 based nevisAppliances (current RR and RR23), you must make the following changes to prepare the activation of NetworkManager, either before running the 'upgrade-nevis.sh' script or after it, but in any case before rebooting the nevisAppliance!
  1. Update/append the following (arrow-marked) parts in each existing /etc/sysconfig/network-scripts/ifcfg* file, giving NAME the same value as DEVICE:

    ...
    TYPE=ethernet
    NAME=eth0 # <======= add this line accordingly (adjust value)
    DEVICE=eth0
    BOOTPROTO=static
    ...
    #NM_CONTROLLED=no # <======= comment this line out (#)

  2. Issue the following shell commands:

    # systemctl enable NetworkManager
    # systemctl restart NetworkManager
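The file edits from step 1 above, as a small script (an added example, not part of the nevisAppliance tooling): it assumes each ifcfg file contains a DEVICE= line, takes the file paths as arguments, and is run as root before the reboot.

```shell
#!/bin/sh
# Added example, not part of the Nevis release notes: prepares legacy ifcfg files
# for NetworkManager control as described in upgrade step 1. Assumptions: every
# file has a DEVICE= line and the file paths are passed as arguments, e.g.
#   sh prepare-ifcfg.sh /etc/sysconfig/network-scripts/ifcfg-eth*
# The script is idempotent: an existing NAME= line is kept, and an already
# commented NM_CONTROLLED line is left alone, so it can be re-run safely.

prepare_ifcfg() {
    f="$1"
    # Take the device name from DEVICE=..., stripping optional quotes.
    device=$(sed -n 's/^DEVICE=//p' "$f" | head -n 1 | tr -d '"')
    if [ -z "$device" ]; then
        echo "skipping $f: no DEVICE= line found" >&2
        return 1
    fi
    # Only add NAME= when the file does not have one yet.
    if grep -q '^NAME=' "$f"; then
        have_name=1
    else
        have_name=0
    fi
    tmp="$f.nmprep.$$"
    # Insert NAME=<device> directly before DEVICE= when missing, and comment out
    # NM_CONTROLLED=no so NetworkManager takes over the interface after the upgrade.
    awk -v dev="$device" -v have_name="$have_name" '
        /^DEVICE=/ && !have_name { print "NAME=" dev; have_name = 1 }
        /^NM_CONTROLLED=no/      { print "#" $0; next }
        { print }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy the content back instead of mv so the file keeps its owner and mode.
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Process every file given on the command line; report if any was skipped.
status=0
for f in "$@"; do
    prepare_ifcfg "$f" || status=1
done
[ "$status" -eq 0 ] || echo "one or more files were skipped, check them manually" >&2
```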
Also note:
  • The ClamAV runtime user/group has changed from 'clamav:clamav' to 'clamscan:antivirus' to go along with this package. This change is done automatically during the upgrade.
  • The 'vi' editor is superseded by 'vim'.

For more information, see the component-specific upgrade and release notes.

Upgraded Nevis components
  • nevisadapt 8.2405.0.8
  • nevisadmin4 8.2405.0.7
  • nevisadmin plugins 8.2405.0.6
  • nevisauth 8.2405.0.4
  • nevisdetect 8.2405.0.8
  • nevisdetectcl 8.2405.0.8
  • nevisdp 8.2405.0.8998714849
  • nevisfido 8.2405.0.2
  • nevisfidocl 8.2405.0.2
  • nevisFIDO test client core 8.2405.0.2
  • nevisFIDO test client gatling 8.2405.0.2
  • nevisidm 8.2405.0.9032318589
  • nevisidmcl 8.2405.0.9032318589
  • nevisidmdb 8.2405.0.9032318589
  • nevislogrend 8.2405.0.1
  • nevismeta 8.2405.0.2
  • nevisproxy 8.2405.0.0
  • ninja 8.2405.0.2
Resolved issues
  • UPGRADED: We upgraded the Rocky Linux 8 operating system to Rocky Linux 9.
  • UPDATED: We updated the DB Appliance to also contain PostgreSQL.
Tip: For a more detailed release description, see the nevisAppliance release notes.

nevisAdapt 8.2405.0.8 - 15.05.2024

Changes and new features

  • ADDED: Added the option to disable private IP filtering and configure default country code in that case.
  • ADDED: Added the option to enable Apache Hostname Verifier under nevisAdapt Deployable / Advanced Settings.
  • ADDED: Added the option to disable nevisAdapt analyzers, either on module or analyzer level.
  • ADDED: New Logging groups for nevisAdapt for ease-of-access.
  • FIXED: Finished the integration with Java 17.
  • FIXED: PostgreSQL integration with nevisAdapt.
  • FIXED: GeoLocation error with nevisAdapt.
  • FIXED: nevisAdapt can now consume multiline JAVA_OPTS.
  • CHANGED: Dependencies updated.
Tip: For a more detailed release description, see the nevisAdapt release notes.

nevisAuth 8.2405.0.4 - 15.05.2024

Changes and new features

Breaking changes
  • REMOVED: The constant TokenSignature.DFLT_ALGORITHM (using SHA1) was removed from jcan-sectoken; use the value SHA256withRSA instead.
  • REMOVED: The nevisauth-test-authstateharness-fat no longer embeds the following 3rd party dependencies: log4j, slf4j, groovy-test, groovy-test-junit5, groovy-testng as these can easily cause an unresolvable version clash.
  • REMOVED: RHEL8 Linux is no longer supported, it is superseded by RHEL9. RHEL8 is still supported on 7.2405.x (LTS24).
  • FIXED: The OOCD and Remote session stores incorrectly stored time data in certain cases when using MariaDB. This caused an error during the daylight saving time switch in spring, when 1 hour disappears from the clock. The MariaDB JDBC driver defaults to the server time zone, which caused a double conversion from the local time zone to UTC. Normally this does not cause any issue for nevisAuth, as reads and writes use the same logic, but during the daylight saving time switch the database reports a validation error because we try to insert a time that does not exist. The database connection session now uses the UTC time zone to avoid this. Note that because of this change, OOCD entries and sessions will expire earlier by the time zone offset. If this is not acceptable, you can fix the data in the database like this:
    update nevisauth_out_of_context_data_service set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR);
    update TNSSA_AUTH_SESSION_CACHE set ABSTO = DATE_ADD(ABSTO, INTERVAL 2 HOUR);
    These statements assume Central European Time and that the data was created in summer time (with winter time you have to add only 1 hour). If you get an error like Unknown or incorrect time zone: 'UTC' afterwards, your database does not have the time zone database initialized. You have to run mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p; to verify the result, you can run SELECT * FROM mysql.time_zone_name;. Note that this will only impact you if you are upgrading from the Java 8 ELS versions or any rolling version >= 4.40.0.10. Upgrading from LTS21 is not impacted, as LTS21 does not have this issue yet; it was introduced in NEVISAUTH-4265.
General Changes
  • FIXED: OAuth2 now only returns an error redirect when a valid redirect_uri is provided.
  • FIXED: We made the encryption of the AccessToken work also for OAuth2.
  • FIXED: We fixed a corrupted SecToken generated by the JWT Bearer Grant Authentication flow.
  • FIXED: A BadConfigurationException was thrown when setting nevismeta.httpclient.authorization.basic.* properties.
  • FIXED: The actorCert was not extracted from the HTTP request.
  • FIXED: A public client without a client secret threw an exception during the token request.
  • NEW: We now support EC keys for JWKS.
  • NEW: Configuration option server.tls.verify-sni, which allows disabling SNI validation in Jetty. This can be used to mitigate a Java bug where a Java client does not send SNI information when the hostname does not contain a dot.
  • EXPERIMENTAL: We introduced the property openid.promptParameterSupported for using the prompt parameter in the AuthorizationServer.
  • UPGRADED: We upgraded the Angus activation third-party dependencies to version 2.0.2.
  • UPGRADED: We upgraded the Angus mail third-party dependencies to version 2.0.3.
  • UPGRADED: We upgraded the Apache Http Client third-party dependencies to version 5.3.1.
  • UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.
  • UPGRADED: We upgraded the Commons codec third-party dependency to version 1.16.1.
  • UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.21.
  • UPGRADED: We upgraded the Guava third-party dependencies to version 33.1.0-jre.
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0.
  • UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0.
  • UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2.
  • UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6.
  • UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2405.0.x.
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8.
  • UPGRADED: We upgraded the json-smart third-party dependency to version 2.5.1.
  • UPGRADED: We upgraded the ldap-unboundid third-party dependency to version 7.0.0.
  • UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.34.
  • UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1.
  • UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.3.
  • UPGRADED: We upgraded the nimbus oidc sdk third-party dependency to version 11.10.1.
  • UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0.
  • UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.3.
  • UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.6.
  • UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12.
  • UPGRADED: We upgraded the woodstox third-party dependency to version 6.6.2.
  • UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.3.
  • UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.4.
  • DEPRECATED: The LegacySecurityTokenService has been deprecated since 2011; it is enabled when -Dch.nevis.esauth.wstrust.SecurityTokenService.Enabled=true is configured. The LegacySecurityTokenService will be removed in the 2024 November release. The replacement for the LegacySecurityTokenService is the SecurityTokenService.
Tip: For a more detailed release description, see the nevisAuth release notes.

nevisDataporter 8.2405.0.8998714849 - 15.05.2024

Changes and new features

  • UPGRADED: We updated netty to 4.1.108.Final.
  • UPGRADED: We upgraded greenmail to 2.0.1.
  • UPGRADED: We changed Javax Mail to Jakarta Mail 2.0.1.
  • FIXED: Fixed an EmailSink issue where an incorrect library was used for sending emails.
Tip: For a more detailed release description, see the nevisDataporter release notes.

nevisDetect 8.2405.0.8 - 15.05.2024

Changes and new features

  • FIXED: Finished the integration with Java 17.
  • CHANGED: Dependencies updated.
Tip: For a more detailed release description, see the nevisDetect release notes.

nevisFIDO 8.2405.0.2 - 15.05.2024

Changes and new features

  • NEW: nevisFIDO supports the Password Authenticator in the metadata and policy files. A new default policy file has been added to allow only the password authenticator to be used.
Breaking changes
  • CHANGED: The PublicKeyCredentialOptions stored in the FIDO2 session (webauthn_sessions) changed its format. Because of the serialisation used, it is not backward compatible. Ongoing registration or authentication ceremonies (started before upgrading) will fail.
  • REMOVED: RHEL8 Linux is no longer supported, it is superseded by RHEL9. RHEL8 is still supported on 7.2405.x (LTS24).
  • FIXED: The session store incorrectly stored time data in certain cases when using MariaDB. This caused an error during the daylight saving time switch in spring, when 1 hour disappears from the clock. The MariaDB JDBC driver defaults to the server time zone, which caused a double conversion from the local time zone to UTC. Normally this does not cause any issue for nevisFIDO, as reads and writes use the same logic, but during the daylight saving time switch the database reports a validation error because we try to insert a time that does not exist. The database connection session now uses the UTC time zone to avoid this. Note that because of this change, sessions will expire earlier by the time zone offset. If this is not acceptable, you can fix the data in the database like this:
    update uaf_sessions set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated = DATE_ADD(status_updated, INTERVAL 2 HOUR);
    update token_sessions set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated = DATE_ADD(status_updated, INTERVAL 2 HOUR);
    update webauthn_sessions set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated_at = DATE_ADD(status_updated_at, INTERVAL 2 HOUR);
    update jws_requests set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR);
    These statements assume Central European Time and that the data was created in summer time (with winter time you have to add only 1 hour). If you get an error like Unknown or incorrect time zone: 'UTC' afterwards, your database does not have the time zone database initialized. You have to run mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p; to verify the result, you can run SELECT * FROM mysql.time_zone_name;. Note that this will only impact you if you are upgrading from the Java 8 ELS versions or any rolling version >= 2.4.0.7. Upgrading from LTS21 is not impacted, as LTS21 does not have this issue yet; it was introduced in NEVISFIDO-1817.
General Changes
  • UPGRADED: We upgraded the Apache Http Client third-party dependencies to version 5.3.1.
  • UPGRADED: We upgraded the Apache Http Core third-party dependencies to version 5.2.4.
  • UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.
  • UPGRADED: We upgraded the google-api-client third-party dependency to version 2.4.0.
  • UPGRADED: We upgraded the google-auth-library third-party dependency to version 1.23.0.
  • UPGRADED: We upgraded the guava third-party dependency to version 33.1.0-jre.
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0.
  • UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2405.0.x.
  • UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0.
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.7.
  • UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1.
  • UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.3.
  • UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0.
  • UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.3.
  • UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12.
  • UPGRADED: We upgraded the Spring-boot third-party dependency to version 3.2.4.
  • UPGRADED: We upgraded Spring third-party dependencies to version 6.1.6.
  • UPGRADED: We upgraded the Webauthn4j api third-party dependency to version 0.23.0.RELEASE.
  • UPGRADED: We upgraded the ZXing third-party dependency to version 3.5.3.
  • FIXED: UAF credential login information in nevisIdm was incorrectly updated for all UAF credentials of the user during authentication instead of only the credential used for the current authentication operation.
Tip: For a more detailed release description, see the nevisFIDO release notes.

nevisIDM 8.2405.0.9032318589 - 15.05.2024

  • Application version: 8.2405.0.9032318589
  • Minimal required database schema version: 7.23
  • Maximal supported database schema version: 7.x

Changes and new features

General/Core
  • UPGRADED: We updated Jetty to 12.0.6.
  • UPGRADED: We updated Netty to 4.1.108.Final.
  • UPGRADED: We updated Spring Framework to 6.0.19.
  • UPGRADED: We updated CXF to 4.0.4.
  • UPGRADED: We updated PostgreSQL Driver to 42.6.1.
  • UPGRADED: We upgraded Commons-configuration2 to 2.10.1.
  • NEW: Credential-type specific permissions have been extended with AccessControl.CredentialSearch; from now on, it is possible to grant CredentialSearch for only specific credential types. For further information, see Credential-type specific permissions of nevisIDM roles.
  • NEW: The OpenTelemetry spanId and traceId are added to the audit log if OpenTelemetry is configured.
  • FIXED: Potential performance issues related to getting generic credentials have been resolved.
  • FIXED: Corrected issues with pagination of FIDO UAF credentials.
  • FIXED: In Kubernetes, IDM now saves Asynchronous Email Sending into the persistent event queue. Previously, IDM with an OracleSQL or PostgreSQL database did not save it into the persistent event queue, making Asynchronous Email Sending impossible.
  • CHANGED: Refactored dataroom handling to use separate dataroom tests in SQL instead of summarizing them.
  • CHANGED: Refactored the JMS Bridge to use its internal status to check for potential disconnections, thus providing improved stability.
  • CHANGED: Refactored the way IDM retrieves data from the persistent queue.
  • UPGRADED: In the GUI, CredentialType drop-down lists now show only the CredentialTypes for which the signed-in user has the required credential-type specific permission. See Credential-type specific permissions.
  • UPGRADED: Extended the CredentialGetDto classes with the following 9 credential types: Ticket, Otp, TempStringPassword, Vasco, PUK, DevicePassword, MobileSignature, SamlFederation, SecurityQuestions. They can be queried with the new endpoint {userExtId}/credentials in the User REST service.
  • FIXED: The JMS bridge feature was refactored to avoid high resource consumption when the bridge target is not stable enough.
    • Bridge status added to the health endpoint.
      • The health endpoint counts the unsuccessful restart attempts and reports down if the count reaches 10, otherwise up.
      • A successful reconnection to the bridge target resets the health endpoint counter.
    • New configuration properties introduced:
      • messaging.bridge.failure.retry.interval: passed to org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl as the failureRetryInterval property; 10000 by default.
      • messaging.bridge.max.retries.on.failure: passed to the same JMSBridgeImpl class as the maxRetries property; 6 by default.
    • Before this refactoring, the maxRetries property was hard-coded to -1 and failureRetryInterval to 1000.
      • This means it tried to reconnect every second indefinitely, and a reinitializer algorithm tried to stop the bridge and re-instantiate it.
      • Unfortunately, the previous bridge instances did not shut down properly, so a lot of memory and other resources were not freed.
    • The current implementation instantiates the bridge only once.
      • If the bridge loses its running state (based on the newly introduced configuration), IDM tries to start it again.
      • The health endpoint mentioned above counts these restart attempts.
  • NEW: You can configure an external JMS server for provisioning instead of using the embedded Artemis server and JMS bridging.
    • If you configure an external JMS server, the embedded Artemis instance is not started.
    • New configuration properties introduced:
      • application.modules.provisioning.connection.factory.classname: connection factory class name; e.g. org.apache.activemq.artemis.jms.client.ActiveMQXAConnectionFactory
      • application.modules.provisioning.connection.factory.xa.properties: initialization properties for the factory class above; e.g. {"brokerURL": "https://artemis-server:61616", "user": "producer", "password": "secret"}
      • application.modules.provisioning.destination.classname: JMS destination class name; e.g. org.apache.activemq.artemis.jms.client.ActiveMQQueue
      • application.modules.provisioning.destination.name: JMS queue name, passed as constructor parameter to the class above; e.g. Provisioning
      • application.modules.provisioning.destination.properties: optional initialization properties for the destination class
      • There is no default value for these properties. The default behavior is to start and use the embedded Artemis JMS server.
      • ATTENTION: The configured connection factory must implement jakarta.jms.XAConnectionFactory and the destination must implement jakarta.jms.Destination!
  • NEW: The OpenTelemetry span and the related OpTrace logging can contain the SOAP and REST request and response bodies.
    • New configuration property introduced:
      • add.request.and.response.body.to.opentelemetry: whether to add the bodies; false by default
      • ATTENTION:
        • Processing the complete request and response bodies can reduce performance!
        • The complete request and response bodies could contain sensitive information!
        • It only works if you use the OpenTelemetry extension agent and the OpTrace logger is configured to TRACE, or if you can see the body contents in Jaeger or a similar tool!
  • NEW: We added a documentation page that provides a more detailed explanation of the SOAP detail levels. See more.
Web GUI
  • FIXED: Improved performance of the Users per Application report.
  • FIXED: Improved performance of the Assign Roles to Profile page.
  • FIXED: The search function on the Vasco Administration tab now works correctly.
REST API
  • NEW: The endpoint {userExtId}/credentials is added to the User REST Services to search for the credentials of the user with given extId.
  • NEW: Added a new endpoint to find and delete generic credentials to ClientsRestService.
SCIM API
  • NEW: SCIM is now able to filter or order users by meta.created and meta.lastModified fields.
Auth States
  • REMOVED: The constant TokenSignature.DFLT_ALGORITHM (using SHA1) was removed from jcan-sectoken; use the value SHA256withRSA instead.
Configuration
  • NEW: nevisIDM supports multi-line JAVA_OPTS parameters in conf/env.conf.
  • NEW: If add.request.and.response.body.to.opentelemetry is set to true, nevisIDM logs the request and response body to OpenTelemetry.
  • NEW: Introduced the new configuration properties database.connection.healthcheck.retrydelay and database.connection.healthcheck.retrycount to better control the behaviour when the health check is called during connection pool maintenance.
  • NEW: Added the new configuration properties application.modules.provisioning.connection.factory.classname, application.modules.provisioning.connection.factory.xa.properties, application.modules.provisioning.destination.classname, application.modules.provisioning.destination.name and application.modules.provisioning.destination.properties to make the JMS connection more configurable.
  • NEW: Introduced the rest.display.timezone configuration property to set the timezone for date and time attributes in the REST API responses. For further information: rest.display.timezone.
  • NEW: Introduced the new configuration property application.config.credentialTypesToBeLockedInDatabase to provide fine-grained control over which credential types should be locked during the uniqueness check.
Tip: For a more detailed release description, see the nevisIDM release notes.

nevisLogRend 8.2405.0.1 - 15.05.2024

Changes and new features

Breaking changes
  • REMOVED: RHEL8 Linux is no longer supported, it is superseded by RHEL9. RHEL8 is still supported on 7.2405.x (LTS24).
General changes
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0.
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8.
  • UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0.
  • UPGRADED: We upgraded the Guava third-party dependency to version 33.1.0-jre.
  • UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0.
  • UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1.
  • UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12.
Tip: For a more detailed release description, see the nevisLogRend release notes.

nevisMeta 8.2405.0.2 - 15.05.2024

Changes and new features

  • NEW: We introduced property server.session-timeout to configure session timeout on GUI for nevisMeta.
  • NEW: We introduced property expiredDataCleaningTolerance to configure minimum time needed to delete data after expiration.
  • NEW: We introduced property responseCacheExpiry to configure the cache expiry for the GET Entities endpoint.
  • NEW: We exposed the OpenAPI Descriptor of nevisMeta REST services with endpoint /nevismeta/api.
  • FIXED: We fixed the tos_uri, policy_uri and logo_uri metadata being returned incorrectly without the root language.
  • FIXED: We fixed the expired data cleanup so that it removes data at the regular interval defined by expiredDataCleaningInterval, instead of once per day.
  • FIXED: We fixed the excessive resource consumption of queries that return all entities.
  • UPGRADED: We upgraded the jetty third-party dependency to 12.0.7.
  • UPGRADED: We upgraded the jakarta.enterprise.cdi-api third-party dependency to 4.0.1.
  • UPGRADED: We upgraded the jakarta.servlet-api third-party dependency to 6.0.0.
  • UPGRADED: We upgraded the jakarta.servlet.jsp.jstl-api third-party dependency to 3.0.0.
  • UPGRADED: We upgraded the jersey third-party dependency to 3.1.5.
  • UPGRADED: We upgraded the weld third-party dependency to 5.1.2.Final.
  • UPGRADED: We upgraded the spring third-party dependency to 6.1.6.
  • UPGRADED: We upgraded the postgresql third-party dependency to 42.7.3.
tip

For a more detailed release description, see the nevisMeta release notes.

nevisProxy 8.2405.0 - 15.05.2024

Changes and new features

  • NEW: We added the parameter CaptureResponseHeaders to the OpenTelemetry trace configuration.
  • NEW: We added the parameter CaptureRequestHeaders to the OpenTelemetry trace configuration.
  • NEW: We added the parameter DefaultFile to the FileReaderServlet.
  • NEW: We added experimental support for client certificates with HTTP/2 frontend connections.
  • NEW: We added the parameter ResourceServiceName to the OpenTelemetry configuration.
  • NEW: We added the parameter EnableMetrics to the Http[s]ConnectorServlet, Esauth4ConnectorServlet and WebSocketServlet.
  • NEW: We added the parameter EnableMetrics to the local, MySQL, and Postgres session store servlets.
  • NEW: We added the bc.property ch.nevis.navajo.tracing.DisableMemoryUsage.
  • NEW: We added an example of Content-Security-Policy violation reporting.
  • FIXED: We fixed telemetry information being written to stdout in Kubernetes setups.
  • FIXED: We fixed the issue that redirect URLs containing a ? were not correctly URL-encoded.
  • FIXED: We fixed the issue that a session invalidated via a LuaFilter was not properly invalidated when using the MySQLSessionStoreServlet.
  • FIXED: We fixed the issue that the request body was unnecessarily read when OriginalUrl was enabled in the IdentityCreationFilter.
  • FIXED: We now trace the correct SHA256-hashed and base64-encoded cookie value in NProxyOp.
  • CHANGED: We made AES key related error handling more strict.
  • CHANGED: We improved the error logging of the MultiLevelSessionStoreServlet and MySQLSessionStoreServlet.
  • CHANGED: We improved the error message if NevisAuth sends an error.
  • CHANGED: The SoapFilter now uses the namespace as fallback when there is no schemaLocation in import directives.
  • CHANGED: We now check at startup that the MariaDB attribute table contains the unique attribute constraint.
  • CHANGED: We changed some default values.
  • CHANGED: We deprecated the attribute name Loglevel in navajo.xml and replaced it with LogLevel to match the Apache directive.
  • CHANGED: We changed the default value to true for the SecureConnection parameter of the IdentityCreationFilter.
  • CHANGED: We changed the default of ResourceManager.DisablePing to true in the HttpConnectorServlet.
  • CHANGED: Integration of PKCS#11 has been adapted for frontend connections.
  • UPGRADED: We upgraded zlib to 1.2.13.
  • UPGRADED: We upgraded nghttp2 to 1.61.0.
  • UPGRADED: We upgraded the SLES15 package to run on SLES15-SP3 and newer.
  • UPGRADED: We upgraded to Apache httpd/2.4.59.
  • DEPRECATED: We deprecated the Protocol parameter of the HttpConnectorServlet. It is ignored and HTTP/1.1 is used automatically.
  • DEPRECATED: We deprecated the parameters AwaitingResponse and LegacyRegexpMatching of the HttpConnectorServlet.
  • REMOVED: We removed the deprecated ReadLineSize of the InputValidationFilter.
  • REMOVED: We removed the undocumented Lua method session:renegotiateCookie().
  • REMOVED: We removed the deprecated values of the RenewIdentification parameter of IdentityCreationFilter.
  • REMOVED: We removed the deprecated RemoteServlet parameter of the MultiLevelSessionStoreServlet.
  • REMOVED: We removed the deprecated Lua method session:renegotiateSSL().
  • REMOVED: We removed the deprecated attributes and elements of the navajo_1_0.dtd file.
  • REMOVED: We removed the deprecated values of the InterceptionRedirect parameter of the IdentityCreationFilter.
  • REMOVED: We removed the deprecated parameters in the CacheFilter.
  • REMOVED: We removed the undocumented wwwauthenticate value of RenderingProvider in the LoginRendererServlet.
  • REMOVED: We removed the deprecated parameter AuditLog.Key from the InputValidationFilter.
  • REMOVED: We removed the deprecated TelemetryFilter.
  • REMOVED: We removed the deprecated InsertWrapperFilter.
  • REMOVED: We removed the undocumented SIGPWR signal handling.
  • REMOVED: We removed the deprecated Milestone features from the CSRFFilter.
  • REMOVED: We removed the deprecated values of the AutoRewrite parameter from the HttpConnectorServlet.
  • REMOVED: We removed the deprecated OutboundProxyAuthorization parameter of the HttpConnectorServlet.
  • REMOVED: We removed the deprecated attribute DocumentRoot from navajo.xml.
  • REMOVED: We removed the deprecated memory attributes from navajo.xml.
  • REMOVED: We removed the deprecated DB Node Affinity from the MySQLSessionStoreServlet.

Notes

The following unique key has to be added to the MariaDB-based dynamic session management database:

alter table attribute add constraint uc_id_name unique (ID, NAME);
Important
  • Before adding the unique key, make sure that all instances using this database have been upgraded to the latest RR.
  • The command may fail if there are duplicated attributes. In that case you have to retry later. We recommend adding this key while there is low load.
  • The upgraded Apache version httpd/2.4.59 also contains the fix for the DH certificate bug.
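As an added example (not part of the release notes), the following MariaDB statements list the duplicate (ID, NAME) pairs that would make the ALTER TABLE above fail, and check whether the constraint is already present before adding it. The table and column names are the ones used in the statement above; the information_schema lookup assumes MariaDB.

```sql
-- Added example, not from the Nevis release notes.
-- Table `attribute` and columns ID, NAME are taken from the ALTER TABLE
-- statement in the notes; this runs against the session-store database.

-- 1. Duplicate (ID, NAME) pairs. While any row is returned here, the
--    unique constraint cannot be added; the notes say to retry later.
SELECT ID, NAME, COUNT(*) AS occurrences
FROM attribute
GROUP BY ID, NAME
HAVING COUNT(*) > 1
ORDER BY occurrences DESC
LIMIT 50;

-- 2. Is the constraint already in place? A non-empty result means the
--    ALTER TABLE below has already been applied to this database.
SELECT CONSTRAINT_NAME
FROM information_schema.TABLE_CONSTRAINTS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME = 'attribute'
  AND CONSTRAINT_NAME = 'uc_id_name'
  AND CONSTRAINT_TYPE = 'UNIQUE';

-- 3. Run only when step 1 returns no rows and step 2 returns no rows.
--    This is the statement from the release notes.
ALTER TABLE attribute ADD CONSTRAINT uc_id_name UNIQUE (ID, NAME);
```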

Backward compatibility issues

  • If you have configured a PKCS#11 based HSM in navajo.xml, then you have to add the following lines to the env.conf file:
OPENSSL_ENGINES=/opt/nevisproxy/lib/engines
export OPENSSL_ENGINES
  • The default value of the parameter ResourceManager.NoSessionCookie.CookieSecure of the Http[s]ConnectorServlet and WebSocketServlet has changed to true.

  • The default value of the parameter URLMode of the EncryptionFilter has changed to hmacsha256.

  • For nevisProxy to run correctly on SLES15, you need at least SP3. You can check the installed SP version on your SLES15 host by executing cat /etc/os-release. The version has to be 15.3 or higher:

# cat /etc/os-release 
NAME="openSUSE Leap"
VERSION="15.3"
tip

For a more detailed release description, see the nevisProxy release notes.

Ninja 8.2405.0.2 - 15.05.2024

Changes and new features

  • CHANGED: Ninja DEV mode now signs sectokens with SHA256 instead of SHA1.
  • UPGRADED: We upgraded the jcan-saml and jcan-sectoken dependencies to version 8.2405.0.x.
  • UPGRADED: We upgraded the Servlet API third-party dependency to version 6.0.0. The Ninja filter was tested against Servlet API versions 5, 6 and 6.1.
  • UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12.
tip

For a more detailed release description, see the Ninja release notes.

Component versions

The following versions are part of this release. All of them are under Full Support until the next RR upgrade becomes available.

| Component | Artifact name | Version** | RHEL 8* | RHEL 9* | SLES 15* |
|---|---|---|---|---|---|
| nevisAppliance | nevisappliance | 8.2405.1.1165, 8.2405.1.1148, 8.2405.0.1143, 8.2405.0.1130 | n/a | n/a | n/a |
| nevisAdapt | nevisadapt | 8.2405.1.1, 8.2405.0.8 | | | |
| nevisAdmin 4 | nevisadmin4 | 8.2405.1.0, 8.2405.0.7 | | | |
| nevisAuth | nevisauth | 8.2405.2.0, 8.2405.1.1, 8.2405.0.4 | | | |
| nevisCred | neviscred | 2.0.20.0 | | | |
| nevisDataPorter | nevisdp | 8.2405.0.8998714849 | | | |
| nevisDetect | nevisdetect, nevisdetectcl | 8.2405.1.1, 8.2405.0.8 | | | |
| nevisFIDO | nevisfido, nevisfidocl | 8.2405.2.0, 8.2405.1.1, 8.2405.0.2 | | | |
| nevisIDM | nevisidm, nevisidmcl, nevisidmdb | 8.2405.2.10083030000, 8.2405.1.9265283332, 8.2405.0.9032318589 | | | |
| nevisIDM | adnooprint | 7.2311.0.6565033000 | | | |
| nevisKeybox | neviskeybox | 2.2.4.3 | | | |
| nevisLogRend | nevislogrend | 8.2405.0.1 | | | |
| nevisMeta | nevismeta | 8.2405.1.0, 8.2405.0.2 | | | |
| nevisProxy | nevisproxy | 8.2405.1.0, 8.2405.0.0 | | | |
| Ninja | ninja | 8.2405.0.2 | n/a | n/a | n/a |
| Ninwin | ninwin | 2.3.5.0 | n/a | n/a | n/a |

*) Tested with the latest available patch level.

**) Versions in bold changed compared to the previous quarterly release.

Third-party dependencies

The following third-party software is often used by Nevis components. Some of the software is included within nevisAppliance.

Below you find the latest supported versions.

| Third-Party Software | Version |
|---|---|
| JVM (OpenJDK) | ✅ 17.0.12 |
| MariaDB | ✅ 10.6 |
| PostgreSQL | ✅ 15 |
| Kubernetes | ✅ 1.29 |