2024-Q2: RR Upgrade (May 2024)
Major version
Version: 8.2405
Lifecycle dates
Minor Version | General Availability | End of Full Support | End of Fade-Out Support |
---|---|---|---|
8.2405.1.1165 | July 25, 2024 | Nov 19, 2024 | Jun 19, 2025 |
8.2405.1.1148 | July 11, 2024 | Nov 19, 2024 | Jun 19, 2025 |
8.2405.0.1143 | June 26, 2024 | Nov 19, 2024 | Jun 19, 2025 |
8.2405.0.1130 | May 15, 2024 | Nov 19, 2024 | Jun 19, 2025 |
Breaking changes, improvements and required actions
nevisAdmin 8.2405.0 Release Notes - 2024-05-15
- RPM: nevisadmin4-8.2405.0.7-1.noarch.rpm
- GUI Version: FE 8.2405.0-1300 - BE 8.2405.0.7
Changes and new features
Breaking changes
- CHANGED: Due to the shallow checkout feature, Kubernetes deployments no longer work with uninitialized repositories.
New features
- NEW: Inventory scoped secrets, secret files, and files can now be converted into global scoped secrets, secret files, and files respectively, on the Secrets & Files screen.
- NEW: nevisAdmin 4 now collects anonymized analytics data. This helps us understand better how nevisAdmin 4 is used.
  Note: nevisAdmin 4 only collects data; it does not send it to us without explicit user interaction. For more information, see product-analytics.
General changes
- IMPROVED: Issues with INFO severity are now logged at DEBUG log level instead of INFO log level, for better log readability. This change only affects issues (mostly the ones created during the validation of configurations), not all log messages.
- IMPROVED: The deployment process now creates a shallow clone of the deployment repository.
- IMPROVED: In the Inventory Editor, validation errors that can be traced to specific lines are now displayed inline in the editor instead of only in the page header.
- IMPROVED: The log viewer dialog (for a pod's or nevisAdmin 4's logs) now lets you turn on line wrapping. The preference is remembered across logs.
- FIXED: Using REST requests, it used to be possible to deploy projects with inventories that are not in the same tenant as the project. Such requests are now rejected.
- FIXED: We fixed a GUI issue in the pattern editor where an error was thrown when a variable was assigned to a multi-select type of pattern field.
- FIXED: The file tree in the Generation Results in the Deployment Wizard no longer throws errors or becomes unresponsive when the tree has a lot of items. Moving the divider between the file tree and the file content previewer also became easier.
- FIXED: The authentication flow tree (in the right sidebar of the pattern editor) mixed up multiple occurrences of the same pattern when navigating using the links in the tree. Now those links correctly select the expected pattern in the tree.
Dependency upgrades
- org.eclipse.jgit 6.9.0.202403050737-r
- jsch 0.2.17
- jackson 2.17.0
- jetty-rewrite 12.0.8
- groovy 4.0.20
- aspectjweaver 1.9.22
- jakarta-activation-api 2.1.3
- jakarta-xml-bind-api 4.0.2
- jaxb-runtime 4.0.5
- slf4j-api 2.0.12
- logback-classic 1.5.3
- guava 33.1.0-jre
- commonmark 0.22.0
- opensaml 4.3.1
- spring-boot 3.2.5
- springdoc-openapi-starter-webmvc-ui 2.5.0
- mariadb-java-client 3.3.3
- postgresql 42.7.3
- nimbus-jose-jwt 9.37.3
- bcprov-jdk18on 1.78
- bcpkix-jdk18on 1.78
- bcpg-jdk18on 1.78
- bcutil-jdk18on 1.78
- kubernetes-java-client 20.0.1
- micrometer 1.12.4
For a more detailed release description, see the nevisAdmin4 release notes.
Patterns 8.2405.0 Release Notes - 2024-05-15
Build Version: 8.2405.0.6
Changes and new features
Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.
General
- ⚠️ The image version encoded in the patterns has been raised to `8.2405.0` for all components. If you are deploying to Kubernetes, you have to push all required images to your container registry before deployment.
- PAT-639: Added `Deployment Environment` drop-down to the `Java Observability Settings` pattern.
- PAT-657: Ensure errors caused by uploaded XML files are shown in the pattern where the file is uploaded.
- PAT-675: Fixed duplicate Java agent configuration in `env.conf` when using the `Java Observability Settings` pattern.
- PAT-667: Support generation of `otel` configuration based on inventory variables.
- ⚠️ PAT-660: Support 2-way TLS with PostgreSQL for Java components.
  - The value `enabled` does not exist anymore, and you have to select a different value. We recommend using `verify-ca` or `verify-full` in combination with a `Trust Store` instead (`verify-full` additionally checks that the server certificate matches the host name).
- ⚠️ PAT-631: Kubernetes deployments now use startup probes to allow for longer startup times.
  - Additionally, the liveness and readiness probe timings were tightened, and the liveness and readiness delay configuration options were removed.
  - Make sure to upgrade to the latest version of the nevisOperator and its corresponding CRDs before deploying with the new plugin version.
Application Protection
- PAT-547: The generated dynamic `SecurityRoleFilter` no longer stores the intercepted requests by default.
- PAT-651: The `StateKey` parameter is no longer generated for `SecurityRoleFilter`.
- PAT-651: Added option to configure custom parameters for the `SecurityRoleFilter` in realms.
- ⚠️ PAT-659: Support 2-way TLS with PostgreSQL for nevisProxy.
  - The value `enabled` does not exist anymore, and you have to select a different value. We recommend using `verify-ca` or `verify-full` in combination with a `Trust Store` instead.
- PAT-658: Updated `navajo.xml` generation to match the latest navajo DTD version.
- PAT-674: Fix error during background generation when using a nevisAdmin `${var}` expression and using only a variable as `param-value` in a `servlet` or `filter` in `Generic Virtual Host Settings` or `Generic Application Settings`.
Authentication
- PAT-673: Support configuration of arbitrary `KeyObject` elements by allowing the `nevisAuth KeyObject` pattern to be assigned to `nevisAuth Instance`.
- PAT-673: Support configuration of `property` elements for `KeyObject` in the `nevisAuth KeyObject` pattern.
- PAT-669: Support configuration of custom Audit channels for nevisAuth.
- PAT-657: Support child `Mapping` for `Method` in `Generic nevisAuth Web Service`.
- PAT-652: New setting `Shared Groovy Scripts` on `nevisAuth Instance`.
- PAT-642: Fix requirement clash when reusing `JSON Response Step`.
- N/A: Fixed corrupted binary files being deployed when uploading them to `Custom Resources` in `nevisAuth Instance`.
Identity Management
- PAT-680: For permissions related to credentials (such as CredentialChangeState, CredentialCreate, CredentialDelete, CredentialModify, CredentialPdfView, CredentialSearch, CredentialView, and CredentialViewPlainValue), it is now allowed to reduce the elementary permission to a specific credential type. Example: `CredentialCreate.PASSWORD`
- PAT-663: Avoid file clash when creating the same nevisIDM property with different scopes.
Mobile Authentication
- ⚠️ PAT-668: The following 2 values have been removed from the default facets in `nevisFIDO UAF Instance`:
  - `android:apk-key-hash:z7Xkw62dAn/BsckOQ9a3OMhmlwhzdr2VkcswIIyJgJE`
  - `ios:bundle-id:ch.nevis.accessapp.presales.k8s`
- PAT-641: Fix HTTP connection to nevisFIDO for `Out-of-band Mobile Onboarding`.
SAML / OAuth / OpenID Connect
- PAT-644: Allow configuring no scopes for `Generic Social Login Step`.
- PAT-643: Fix error when `Schema User Password` is missing in classic deployment.
- ⚠️ PAT-635: The `Scope(s)` that can be configured in the Social Login patterns (Apple, Google, Facebook, Microsoft) have been adapted.
  - If you use any of these patterns, check the configuration of your pattern. See the help for `Scope(s)` for details.
User behavior analytics
- NEVISDETECT-1827: Updated the nevisAdapt Demo app in the template.
- NEVISDETECT-1831: Added option to disable private IP filtering and configure a default country code in that case.
- NEVISDETECT-1834: Added option to enable `Apache Hostname Verifier` under `nevisAdapt Instance` / `Advanced Settings`.
- NEVISDETECT-1835: Added option to disable nevisAdapt analyzers, either on module or analyzer level.
nevisAppliance 8.2405.0.1130 - 15.05.2024
The Rolling Release from May 2024 is now based on Rocky Linux 9, which is a breaking change. To stay aligned with the supported operating system releases, we upgraded the base OS of the nevisAppliance from Rocky Linux 8 to Rocky Linux 9; this also adds support for the EL9 platform. Familiarize yourself with Rocky Linux 9 if you need to make OS-level changes.
In addition to MariaDB (10.5.x), the database appliance now also contains a PostgreSQL database (15.x), which is supported by the Nevis components.
Breaking change
- NetworkManager is now the default for managing network interfaces/connections.
  - The legacy scripts in /etc/sysconfig/network-scripts/ still exist but are now under the control of NetworkManager.
  - NetworkManager stores its configuration files under /etc/NetworkManager/. The 'nevisappliance' network menu still creates the legacy files during this transition (as you can also do manually), but NetworkManager handles them. You can also already use the new configuration format by defining interfaces in /etc/NetworkManager/system-connections; these are considered as well.
  - Therefore, when upgrading existing Rocky Linux 8 based nevisAppliances (current RR and RR23), you must make the following changes to prepare the activation of NetworkManager, either before or after running the 'upgrade-nevis.sh' script, but before rebooting the nevisAppliance!
    - Update/append the following (arrow-marked) parts in each existing /etc/sysconfig/network-scripts/ifcfg-* file, giving NAME the same value as DEVICE:

```
...
TYPE=ethernet
NAME=eth0 # <======= add this line accordingly (adjust value)
DEVICE=eth0
BOOTPROTO=static
...
#NM_CONTROLLED=no # <======= comment this line out (#)
```

    - Issue the following shell commands:

```shell
# systemctl enable NetworkManager
# systemctl restart NetworkManager
```

- The ClamAV runtime user/group has changed from 'clamav:clamav' to 'clamscan:antivirus' to go along with the package. This change is done automatically during the upgrade.
- The 'vi' editor is superseded by 'vim'.
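As an added example (not part of the nevisAppliance or its upgrade-nevis.sh script), the following POSIX shell script applies the two ifcfg edits from the procedure above to every ifcfg-* file in a directory and then performs the NetworkManager enable/restart step. The directory argument, the .pre-nm backup suffix and the NM_MIGRATE_APPLY switch are assumptions made for this illustration; run it as root on the appliance before the reboot and review the rewritten files.

```shell
#!/bin/sh
# Added example, not part of the nevisAppliance or its upgrade-nevis.sh
# script: apply the two ifcfg edits from the procedure above (insert
# NAME=<DEVICE> when missing, comment out NM_CONTROLLED=no) to every ifcfg-*
# file in a directory, then enable NetworkManager. The directory argument,
# the .pre-nm backup suffix and the NM_MIGRATE_APPLY switch are assumptions
# made for this illustration.

# Rewrite one ifcfg file in place, keeping a copy with the .pre-nm suffix.
# Returns 1 (and leaves the file alone) if it has no DEVICE= line.
migrate_ifcfg_file() {
    f=$1
    dev=$(sed -n 's/^DEVICE=\([^ #]*\).*/\1/p' "$f" | head -n 1)
    if [ -z "$dev" ]; then
        echo "skip $f: no DEVICE= line" >&2
        return 1
    fi
    has_name=0
    if grep -q '^NAME=' "$f"; then
        has_name=1
    fi
    cp -p "$f" "$f.pre-nm"
    # Insert NAME=<DEVICE> directly before the DEVICE= line unless the file
    # already has a NAME= line; turn an active NM_CONTROLLED=no (quoted or
    # not) into a comment; copy everything else unchanged.
    awk -v dev="$dev" -v has_name="$has_name" '
        /^DEVICE=/ && !has_name  { print "NAME=" dev; has_name = 1 }
        /^NM_CONTROLLED="?no"?/  { print "#" $0; next }
        { print }
    ' "$f.pre-nm" > "$f"
}

# Migrate every ifcfg-* file in the given directory (default: the legacy
# network-scripts directory) and print how many files were rewritten.
# Backups from a previous run are skipped, so running it twice is harmless.
migrate_ifcfg_dir() {
    dir=${1:-/etc/sysconfig/network-scripts}
    n=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        case "$f" in *.pre-nm) continue ;; esac
        if migrate_ifcfg_file "$f"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# The second step of the procedure: hand the interfaces over to NetworkManager.
activate_networkmanager() {
    systemctl enable NetworkManager
    systemctl restart NetworkManager
}

# Only touch the live system when explicitly asked to (assumed switch):
#   NM_MIGRATE_APPLY=1 sh migrate-ifcfg.sh
if [ "${NM_MIGRATE_APPLY:-0}" = 1 ]; then
    echo "rewrote $(migrate_ifcfg_dir) ifcfg file(s)"
    activate_networkmanager
fi
```

The backup copies let you diff each rewritten file against its original before rebooting; NetworkManager's ifcfg-rh plugin only picks up a legacy file once NM_CONTROLLED=no is gone, which is why the comment-out step is not optional.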
For more information, see the component-specific upgrade and release notes.
Upgraded Nevis components
- nevisadapt 8.2405.0.8
- nevisadmin4 8.2405.0.7
- nevisadmin plugins 8.2405.0.6
- nevisauth 8.2405.0.4
- nevisdetect 8.2405.0.8
- nevisdetectcl 8.2405.0.8
- nevisdp 8.2405.0.8998714849
- nevisfido 8.2405.0.2
- nevisfidocl 8.2405.0.2
- nevisFIDO test client core 8.2405.0.2
- nevisFIDO test client gatling 8.2405.0.2
- nevisidm 8.2405.0.9032318589
- nevisidmcl 8.2405.0.9032318589
- nevisidmdb 8.2405.0.9032318589
- nevislogrend 8.2405.0.1
- nevismeta 8.2405.0.2
- nevisproxy 8.2405.0.0
- ninja 8.2405.0.2
Resolved issues
- UPGRADED: We upgraded the Rocky Linux 8 operating system to Rocky Linux 9.
- UPDATED: We updated the DB Appliance to also contain PostgreSQL.
For a more detailed release description, see the nevisAppliance release notes.
nevisAdapt 8.2405.0.8 - 15.05.2024
Changes and new features
- ADDED: Added the option to disable private IP filtering and configure default country code in that case.
- ADDED: Added the option to enable Apache Hostname Verifier under nevisAdapt Deployable / Advanced Settings.
- ADDED: Added the option to disable nevisAdapt analyzers, either on module or analyzer level.
- ADDED: New Logging groups for nevisAdapt for ease-of-access.
- FIXED: Finished the integration with Java 17.
- FIXED: PostgreSQL integration with nevisAdapt.
- FIXED: GeoLocation error in nevisAdapt.
- FIXED: nevisAdapt can now consume multi-line JAVA_OPTS.
- CHANGED: Dependencies updated.
For a more detailed release description, see the nevisAdapt release notes.
nevisAuth 8.2405.0.4 - 15.05.2024
Changes and new features
Breaking changes
- REMOVED: The constant `TokenSignature.DFLT_ALGORITHM`, which used SHA1, was removed from jcan-sectoken; use the value `SHA256withRSA` instead.
- REMOVED: The nevisauth-test-authstateharness-fat no longer embeds the following 3rd party dependencies: log4j, slf4j, groovy-test, groovy-test-junit5, groovy-testng, as these can easily cause an unresolvable version clash.
- REMOVED: RHEL8 Linux is no longer supported, it is superseded by RHEL9. RHEL8 is still supported on 7.2405.x (LTS24).
- FIXED: The OOCD and Remote session stores incorrectly stored time data in certain cases when using MariaDB. The MariaDB JDBC driver defaults to the server time zone, which caused a double conversion from the local time zone to UTC. Normally this causes no issue for nevisAuth because reads and writes use the same logic, but during the daylight saving time switch in spring, when one hour disappears from local time, the database rejects the insert because the converted time does not exist. The database connection session now uses the UTC time zone to avoid this. Note that because of this change, existing OOCD entries and sessions will expire earlier by the time zone offset. If this is not acceptable, you can fix the data in the DB like this:

```sql
update nevisauth_out_of_context_data_service set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR);
update TNSSA_AUTH_SESSION_CACHE set ABSTO = DATE_ADD(ABSTO, INTERVAL 2 HOUR);
```

These statements assume Central European Time and that the data was created during summer time (with winter time you have to add only 1 hour). If you get an error like `Unknown or incorrect time zone: 'UTC'` afterwards, your database does not have the time zone tables initialized. Load them with `mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql` and verify the result with `SELECT * FROM mysql.time_zone_name;`. Note that this only affects you if you are upgrading from the Java 8 ELS versions or from any rolling version >= 4.40.0.10. Upgrading from LTS21 is not affected, because LTS21 does not have this issue yet; it was introduced in NEVISAUTH-4265.
General Changes
- FIXED: OAuth2 now only returns an error redirect when a valid redirect_uri is provided.
- FIXED: We made the encryption of the AccessToken work also for OAuth2.
- FIXED: We fixed the corrupted SecToken generated by the JWT Bearer Grant authentication flow.
- FIXED: BadConfigurationException when setting `nevismeta.httpclient.authorization.basic.*` properties.
- FIXED: The actorCert was not extracted from the HTTP request.
- FIXED: A public client without client secret threw an exception during the token request.
- NEW: We support EC keys for JWKS.
- NEW: Configuration option `server.tls.verify-sni`, which allows disabling SNI validation in Jetty. This can be used to mitigate a Java bug where a Java client does not send SNI information when the hostname does not contain a dot. Disabling it relaxes Jetty's check that the requested host matches the SNI name and certificate, so use it only where this bug actually affects you.
- EXPERIMENTAL: We introduced the property `openid.promptParameterSupported` for using the `prompt` parameter in `AuthorizationServer`.
- UPGRADED: We upgraded the Angus activation third-party dependencies to version 2.0.2.
- UPGRADED: We upgraded the Angus mail third-party dependencies to version 2.0.3.
- UPGRADED: We upgraded the Apache Http Client third-party dependencies to version 5.3.1.
- UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.
- UPGRADED: We upgraded the Commons codec third-party dependency to version 1.16.1.
- UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.21.
- UPGRADED: We upgraded the Guava third-party dependencies to version 33.1.0-jre.
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0.
- UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0.
- UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2.
- UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6.
- UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2405.0.x.
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8.
- UPGRADED: We upgraded the json-smart third-party dependency to version 2.5.1.
- UPGRADED: We upgraded the UnboundID LDAP SDK third-party dependency to version 7.0.0.
- UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.34.
- UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1.
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.3.
- UPGRADED: We upgraded the Nimbus OIDC SDK third-party dependency to version 11.10.1.
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0.
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.3.
- UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.6.
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12.
- UPGRADED: We upgraded the woodstox third-party dependency to version 6.6.2.
- UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.3.
- UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.4.
- DEPRECATED: The `LegacySecurityTokenService` has been deprecated since 2011; it is enabled by default when `-Dch.nevis.esauth.wstrust.SecurityTokenService.Enabled=true` is configured. The `LegacySecurityTokenService` will be removed in the November 2024 release. The replacement for the `LegacySecurityTokenService` is the SecurityTokenService.
For a more detailed release description, see the nevisAuth release notes.
nevisDataporter 8.2405.0.8998714849 - 15.05.2024
Changes and new features
- UPGRADED: We updated netty to 4.1.108.Final.
- UPGRADED: We upgraded greenmail to 2.0.1.
- UPGRADED: We migrated from Javax Mail to Jakarta Mail 2.0.1.
- FIXED: The EmailSink issue where an incorrect library was used for sending emails is now fixed.
For a more detailed release description, see the nevisDataporter release notes.
nevisDetect 8.2405.0.8 - 15.05.2024
Changes and new features
- FIXED: Finished the integration with Java 17.
- CHANGED: Dependencies updated.
For a more detailed release description, see the nevisDetect release notes.
nevisFIDO 8.2405.0.2 - 15.05.2024
Changes and new features
- NEW: nevisFIDO supports the Password Authenticator in the metadata and policy files. A new default policy file has been added to allow only the password authenticator to be used.
Breaking changes
- CHANGED: The `PublicKeyCredentialOptions` stored in the FIDO2 session (webauthn_sessions) changed its format. Because of the serialisation used, it is not backward compatible: ongoing registration or authentication ceremonies (started before upgrading) will fail.
- REMOVED: RHEL8 Linux is no longer supported, it is superseded by RHEL9. RHEL8 is still supported on 7.2405.x (LTS24).
- FIXED: The session store incorrectly stored time data in certain cases when using MariaDB. The MariaDB JDBC driver defaults to the server time zone, which caused a double conversion from the local time zone to UTC. Normally this causes no issue for nevisFIDO because reads and writes use the same logic, but during the daylight saving time switch in spring, when one hour disappears from local time, the database rejects the insert because the converted time does not exist. The database connection session now uses the UTC time zone to avoid this. Note that because of this change, existing sessions will expire earlier by the time zone offset. If this is not acceptable, you can fix the data in the DB like this:

```sql
update uaf_sessions set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated = DATE_ADD(status_updated, INTERVAL 2 HOUR);
update token_sessions set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated = DATE_ADD(status_updated, INTERVAL 2 HOUR);
update webauthn_sessions set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated_at = DATE_ADD(status_updated_at, INTERVAL 2 HOUR);
update jws_requests set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR);
```

These statements assume Central European Time and that the data was created during summer time (with winter time you have to add only 1 hour). If you get an error like `Unknown or incorrect time zone: 'UTC'` afterwards, your database does not have the time zone tables initialized. Load them with `mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql` and verify the result with `SELECT * FROM mysql.time_zone_name;`. Note that this only affects you if you are upgrading from the Java 8 ELS versions or from any rolling version >= 2.4.0.7. Upgrading from LTS21 is not affected, because LTS21 does not have this issue yet; it was introduced in NEVISFIDO-1817.
General Changes
- UPGRADED: We upgraded the Apache Http Client third-party dependencies to version 5.3.1.
- UPGRADED: We upgraded the Apache Http Core third-party dependencies to version 5.2.4.
- UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.
- UPGRADED: We upgraded the google-api-client third-party dependency to version 2.4.0.
- UPGRADED: We upgraded the google-auth-library third-party dependency to version 1.23.0.
- UPGRADED: We upgraded the guava third-party dependency to version 33.1.0-jre.
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0.
- UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2405.0.x.
- UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.7.
- UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1.
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.3.
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0.
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.3.
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12.
- UPGRADED: We upgraded the Spring-boot third-party dependency to version 3.2.4.
- UPGRADED: We upgraded Spring third-party dependencies to version 6.1.6.
- UPGRADED: We upgraded the Webauthn4j api third-party dependency to version 0.23.0.RELEASE.
- UPGRADED: We upgraded the ZXing third-party dependency to version 3.5.3.
- FIXED: UAF credential login information in nevisIdm was incorrectly updated for all UAF credentials of the user during authentication instead of only the credential used for the current authentication operation.
For a more detailed release description, see the nevisFido release notes.
nevisIDM 8.2405.0.9032318589 - 15.05.2024
- Application version: 8.2405.0.9032318589
- Minimal required database schema version: 7.23
- Maximal supported database schema version: 7.x
Changes and new features
General/Core
- UPGRADED: We updated Jetty to 12.0.6.
- UPGRADED: We updated Netty to 4.1.108.Final.
- UPGRADED: We updated Spring Framework to 6.0.19.
- UPGRADED: We updated CXF to 4.0.4.
- UPGRADED: We updated PostgreSQL Driver to 42.6.1.
- UPGRADED: We upgraded Commons-configuration2 to 2.10.1.
- NEW: Credential-type specific permissions have been extended with `AccessControl.CredentialSearch`; from now on, it is possible to grant `CredentialSearch` for specific credential types only. For further information: Credential-type specific permissions of nevisIDM roles.
- NEW: OpenTelemetry spanId and traceId are added to the audit log if OpenTelemetry is configured.
- FIXED: Potential performance issues related to getting generic credentials have been resolved.
- FIXED: Corrected issues with pagination of FIDO UAF credentials.
- FIXED: In Kubernetes, nevisIDM now saves Asynchronous Email Sending into the persistent event queue. Previously, nevisIDM with an Oracle or PostgreSQL database did not save it into the persistent event queue, making Asynchronous Email Sending impossible.
- CHANGED: Refactored dataroom handling to use a separate dataroom test in SQL instead of summarizing them.
- CHANGED: Refactored the JMS Bridge to use its internal status to check for potential disconnections, thus providing improved stability.
- CHANGED: Refactored the way nevisIDM retrieves data from the persistent queue.
- UPGRADED: On the GUI, CredentialType dropdowns list only the CredentialTypes for which the signed-in user has the required credential-type specific right. See Credential-type specific permissions.
- UPGRADED: Extended the CredentialGetDto classes with the following 9 credential types: `Ticket`, `Otp`, `TempStringPassword`, `Vasco`, `PUK`, `DevicePassword`, `MobileSignature`, `SamlFederaion`, `SecurityQuestions`. They can be queried with the new endpoint `{userExtId}/credentials` in the User REST service.
- FIXED: The JMS bridge feature was refactored to avoid high resource consumption when the bridge target is not stable enough.
  - Bridge status added to the health endpoint.
    - The health endpoint counts the unsuccessful restart attempts and reports `down` if the count reaches 10, otherwise `up`.
    - A successful reconnection to the bridge target resets the health endpoint counter.
  - New configuration properties introduced:
    - `messaging.bridge.failure.retry.interval`: passed to `org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl` as the `failureRetryInterval` property; by default 10000.
    - `messaging.bridge.max.retries.on.failure`: passed to the same `JMSBridgeImpl` as the `maxRetries` property; by default 6.
  - Before this refactoring, the `maxRetries` property was hardcoded to `-1` and `failureRetryInterval` to `1000`.
    - This means it tried to reconnect every second, infinitely, and a `reinitalizer` algorithm tried to stop the bridge and re-instantiate it.
    - Unfortunately, the previous bridge instances did not shut down properly, so a lot of memory and other resources were not freed up.
  - The current implementation instantiates the bridge only once.
    - If the bridge loses its `running` state (based on the newly introduced configurations), nevisIDM tries to start it again.
    - The mentioned health endpoint counts these restart attempts.
- NEW: You can configure an external JMS server for provisioning instead of using the embedded Artemis server and JMS bridging.
  - If you configure an external JMS server, the embedded Artemis instance will not be started.
  - New configuration properties introduced:
    - `application.modules.provisioning.connection.factory.classname`: connection factory class name; e.g. `org.apache.activemq.artemis.jms.client.ActiveMQXAConnectionFactory`
    - `application.modules.provisioning.connection.factory.xa.properties`: initialization properties for the previous factory class; e.g. `{"brokerURL": "https://artemis-server:61616", "user": "producer", "password": "secret"}`
    - `application.modules.provisioning.destination.classname`: JMS destination class name; e.g. `org.apache.activemq.artemis.jms.client.ActiveMQQueue`
    - `application.modules.provisioning.destination.name`: JMS queue name; constructor parameter for the previous class; e.g. `Provisioning`
    - `application.modules.provisioning.destination.properties`: optional initialization properties for the destination class
  - There is no default value for these properties. The default behavior is to start and use the embedded Artemis JMS server.
  - ATTENTION: The configured connection factory must implement `jakarta.jms.XAConnectionFactory` and the destination must implement `jakarta.jms.Destination`!
- NEW: The OpenTelemetry span and the related `OpTrace` logging can contain the SOAP and REST request and response bodies.
  - New configuration property introduced: `add.request.and.response.body.to.opentelemetry`: whether to add the bodies or not; by default `false`.
  - ATTENTION:
    - Processing the complete request and response bodies can reduce performance!
    - The complete request and response bodies can contain sensitive information!
    - It works only if you use the OpenTelemetry extension agent and the `OpTrace` logger is configured to `TRACE`; alternatively you can see the body contents in Jaeger or a similar tool!
- NEW: We added a documentation page that provides a more detailed explanation of the SOAP detail levels. See more.
Web GUI
- FIXED: Improved performance of the `Users per Application` report.
- FIXED: Improved performance of the `Assign Roles to Profile` page.
- FIXED: The search function on the `Vasco Administration` tab now works correctly.
REST API
- NEW: The endpoint `{userExtId}/credentials` is added to the User REST Services to search for the credentials of the user with the given `extId`.
- NEW: Added a new endpoint to find and delete generic credentials to ClientsRestService.
SCIM API
- NEW: SCIM is now able to filter or order users by the `meta.created` and `meta.lastModified` fields.
Auth States
- REMOVED: The constant `TokenSignature.DFLT_ALGORITHM`, which used SHA1, was removed from jcan-sectoken; use the value `SHA256withRSA` instead.
Configuration
- NEW: nevisIDM supports multi-line JAVA_OPTS parameters in `conf/env.conf`.
- NEW: If `add.request.and.response.body.to.opentelemetry` is set to true, nevisIDM logs the request and response body to OpenTelemetry.
- NEW: Introduced the new configuration properties `database.connection.healthcheck.retrydelay` and `database.connection.healthcheck.retrycount` to better control the behaviour if the healthcheck is called during connection pool maintenance.
- NEW: Added the new configuration properties `application.modules.provisioning.connection.factory.classname`, `application.modules.provisioning.connection.factory.xa.properties`, `application.modules.provisioning.destination.classname`, `application.modules.provisioning.destination.name` and `application.modules.provisioning.destination.properties` to make the JMS connection more configurable.
- NEW: Introduced the `rest.display.timezone` configuration property to set the time zone for date and time attributes in the REST API responses. For further information: rest.display.timezone.
- NEW: Introduced the new configuration property `application.config.credentialTypesToBeLockedInDatabase` to provide fine-grained control over which credential types should be locked during the uniqueness check.
For a more detailed release description, see the nevisIDM release notes.
nevisLogRend 8.2405.0.1 - 15.05.2024
Changes and new features
Breaking changes
- REMOVED: RHEL8 Linux is no longer supported, it is superseded by RHEL9. RHEL8 is still supported on 7.2405.x (LTS24).
General changes
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0.
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8.
- UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0.
- UPGRADED: We upgraded the Guava third-party dependency to version 33.1.0-jre.
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0.
- UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1.
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12.
For a more detailed release description, see the nevisLogRend release notes.
nevisMeta 8.2405.0.2 - 15.05.2024
Changes and new features
- NEW: We introduced the property `server.session-timeout` to configure the GUI session timeout for nevisMeta.
- NEW: We introduced the property `expiredDataCleaningTolerance` to configure the minimum time that must elapse after expiration before data is deleted.
- NEW: We introduced the property `responseCacheExpiry` to configure the cache expiry for the GET Entities endpoint.
- NEW: We exposed the OpenAPI descriptor of the nevisMeta REST services at the endpoint `/nevismeta/api`.
- FIXED: We fixed data being returned incorrectly without the root language for the `tos_uri`, `policy_uri` and `logo_uri` metadata.
- FIXED: We fixed the expired data cleanup to remove data at equal intervals defined by `expiredDataCleaningInterval`, instead of once per day.
- FIXED: We fixed queries using a lot of resources when querying all entities.
- UPGRADED: We upgraded the jetty third-party dependency to 12.0.7.
- UPGRADED: We upgraded the jakarta.enterprise.cdi-api third-party dependency to 4.0.1.
- UPGRADED: We upgraded the jakarta.servlet-api third-party dependency to 6.0.0.
- UPGRADED: We upgraded the jakarta.servlet.jsp.jstl-api third-party dependency to 3.0.0.
- UPGRADED: We upgraded the jersey third-party dependency to 3.1.5.
- UPGRADED: We upgraded the weld third-party dependency to 5.1.2.Final.
- UPGRADED: We upgraded the spring third-party dependency to 6.1.6.
- UPGRADED: We upgraded the postgresql third-party dependency to 42.7.3.
For a more detailed release description, see the nevisMeta release notes.
nevisProxy 8.2405.0 - 15.05.2024
Changes and new features
- NEW: We added the parameter CaptureResponseHeaders to the OpenTelemetry trace configuration.
- NEW: We added the parameter CaptureRequestHeaders to the OpenTelemetry trace configuration.
- NEW: We added the parameter DefaultFile to the FileReaderServlet.
- NEW: We added experimental support for client certificates with HTTP/2 frontend connections.
- NEW: We added the parameter ResourceServiceName to the OpenTelemetry configuration.
- NEW: We added the parameter EnableMetrics to the Http[s]ConnectorServlet, Esauth4ConnectorServlet and WebSocketServlet.
- NEW: We added the parameter EnableMetrics to the local, MySQL, and Postgres session store servlets.
- NEW: We added the bc.property ch.nevis.navajo.tracing.DisableMemoryUsage.
- NEW: We added an example of Content-Security-Policy violation reporting.
- FIXED: We fixed that in Kubernetes setups telemetry information was written to stdout.
- FIXED: We fixed the issue that redirect URLs containing a ? were not correctly URL-encoded.
- FIXED: We fixed the issue that a session invalidated via a LuaFilter was not properly invalidated when using the MySQLSessionStoreServlet.
- FIXED: We fixed the issue that the request body was unnecessarily read when OriginalUrl was enabled in the IdentityCreationFilter.
- FIXED: NProxyOp now traces the correct SHA256-hashed and base64-encoded cookie value.
- CHANGED: We made AES key related error handling more strict.
- CHANGED: We improved the error logging of the MultiLevelSessionStoreServlet and MYSQLSessionStoreServlet.
- CHANGED: We improved the error message if NevisAuth sends an error.
- CHANGED: The SoapFilter now uses the namespace as fallback when there is no schemaLocation in import directives.
- CHANGED: At startup we now check that the MariaDB attribute table contains the unique attribute constraint.
- CHANGED: We changed some default values.
- CHANGED: We deprecated the attribute name Loglevel in navajo.xml and replaced it with LogLevel to match the Apache directive.
- CHANGED: We changed the default value of the SecureConnection parameter of the IdentityCreationFilter to true.
- CHANGED: We changed the default of ResourceManager.DisablePing in the HttpConnectorServlet to true.
- CHANGED: Integration of PKCS#11 has been adapted for frontend connections.
- UPGRADED: We upgraded zlib to 1.2.13.
- UPGRADED: We upgraded nghttp2 to 1.61.0.
- UPGRADED: We upgraded the SLES15 package to run on SLES15-SP3 and newer.
- UPGRADED: We upgraded to Apache httpd/2.4.59.
- DEPRECATED: We deprecated the Protocol parameter of the HttpConnectorServlet. It is now ignored and HTTP/1.1 is used automatically.
- DEPRECATED: We deprecated the parameters AwaitingResponse and LegacyRegexpMatching of the HttpConnectorServlet.
- REMOVED: We removed the deprecated ReadLineSize of the InputValidationFilter.
- REMOVED: We removed the undocumented Lua method session:renegotiateCookie().
- REMOVED: We removed the deprecated values of the RenewIdentification parameter of IdentityCreationFilter.
- REMOVED: We removed the deprecated RemoteServlet parameter of the MultiLevelSessionStoreServlet.
- REMOVED: We removed the deprecated Lua method session:renegotiateSSL().
- REMOVED: We removed the deprecated attributes and elements of the navajo_1_0.dtd file.
- REMOVED: We removed the deprecated values of the InterceptionRedirect parameter of the IdentityCreationFilter.
- REMOVED: We removed the deprecated parameters in the CacheFilter.
- REMOVED: We removed the undocumented wwwauthenticate value of RenderingProvider in the LoginRendererServlet.
- REMOVED: We removed the deprecated parameter AuditLog.Key from the InputValidationFilter.
- REMOVED: We removed the deprecated TelemetryFilter.
- REMOVED: We removed the deprecated InsertWrapperFilter.
- REMOVED: We removed the undocumented SIGPWR signal handling.
- REMOVED: We removed the deprecated Milestone features from the CSRFFilter.
- REMOVED: We removed the deprecated values of the AutoRewrite parameter from the HttpConnectorServlet.
- REMOVED: We removed the deprecated OutboundProxyAuthorization parameter of the HttpConnectorServlet.
- REMOVED: We removed the deprecated attribute DocumentRoot from navajo.xml.
- REMOVED: We removed the deprecated memory attributes from navajo.xml.
- REMOVED: We removed the deprecated DB Node Affinity from the MySQLSessionStoreServlet.
Notes
The following unique key to the MariaDB based dynamic session management has to be added:
alter table attribute add constraint uc_id_name unique (ID, NAME);
- Before adding the unique key, make sure that all instances using this database have been upgraded to the latest RR.
- The command may fail if there are duplicated attributes. In that case you have to retry later. We recommend adding this key while there is low load.
- The upgraded Apache version httpd/2.4.59 also contains the fix for the DH certificate bug.
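To see why the ALTER TABLE above would fail and to confirm the key is in place afterwards, the following is an added example (not part of the Nevis release notes or of nevisProxy itself). It uses only the attribute table and the ID and NAME columns named in the notes, assumes MariaDB as the notes do, and assumes a client connected to the session-store database:

```sql
-- Added example, not Nevis-provided SQL.
-- Step 1: list (ID, NAME) pairs that occur more than once. While this query
-- returns any rows, the unique key from the notes cannot be added; the notes
-- say to retry later rather than to delete anything.
SELECT ID, NAME, COUNT(*) AS occurrences
FROM attribute
GROUP BY ID, NAME
HAVING COUNT(*) > 1;

-- Step 2: only when step 1 returns no rows, add the key exactly as the notes give it.
ALTER TABLE attribute ADD CONSTRAINT uc_id_name UNIQUE (ID, NAME);

-- Step 3: confirm the constraint exists in the current database; this is the
-- condition the upgraded nevisProxy checks at startup.
SELECT CONSTRAINT_NAME, CONSTRAINT_TYPE
FROM information_schema.TABLE_CONSTRAINTS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME = 'attribute'
  AND CONSTRAINT_NAME = 'uc_id_name';
```

Step 3 should return one row with CONSTRAINT_TYPE UNIQUE; an empty result means the key was not created and the nevisProxy startup check will report it.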
Backward compatibility issues
- If you have configured a PKCS#11 based HSM in navajo.xml, then you have to add the following lines to the env.conf file:
OPENSSL_ENGINES=/opt/nevisproxy/lib/engines
export OPENSSL_ENGINES
- The default value of the parameter ResourceManager.NoSessionCookie.CookieSecure of the Http[s]ConnectorServlet and WebSocketServlet has changed to true.
- The default value of the parameter URLMode of the EncryptionFilter has changed to hmacsha256.
- For nevisProxy to run correctly on SLES15, you need at least SP3. You can check the installed SP version on your SLES15 host by executing cat /etc/os-release. The version has to be 15.3 or higher:
# cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.3"
For a more detailed release description, see the nevisProxy release notes.
Ninja 8.2405.0.2 - 15.05.2024
Changes and new features
- CHANGED: Ninja DEV mode now signs sectokens with SHA256 instead of SHA1.
- UPGRADED: We upgraded the jcan-saml and jcan-sectoken dependencies to version 8.2405.0.x.
- UPGRADED: We upgraded the Servlet API third-party dependency to version 6.0.0. The Ninja filter was tested against Servlet API versions 5, 6 and 6.1.
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12.
For a more detailed release description, see the Ninja release notes.
Component versions
The following versions are part of this release. All of them are under Full Support until the next RR upgrade becomes available.
Component | Artifact name | Version** | RHEL 8* | RHEL 9* | SLES 15* |
---|---|---|---|---|---|
nevisAppliance | nevisappliance | 8.2405.1.1165, 8.2405.1.1148, 8.2405.0.1143, 8.2405.0.1130 | n/a | n/a | n/a |
nevisAdapt | nevisadapt | 8.2405.1.1, 8.2405.0.8 | ✅ | ✅ | |
nevisAdmin 4 | nevisadmin4 | 8.2405.1.0, 8.2405.0.7 | ✅ | ✅ | |
nevisAuth | nevisauth | 8.2405.2.0, 8.2405.1.1, 8.2405.0.4 | ✅ | ✅ | |
nevisCred | neviscred | 2.0.20.0 | ✅ | | |
nevisDataPorter | nevisdp | 8.2405.0.8998714849 | ✅ | ✅ | |
nevisDetect | nevisdetect, nevisdetectcl | 8.2405.1.1, 8.2405.0.8 | ✅ | ✅ | |
nevisFIDO | nevisfido, nevisfidocl | 8.2405.2.0, 8.2405.1.1, 8.2405.0.2 | ✅ | ✅ | |
nevisIDM | nevisidm, nevisidmcl, nevisidmdb | 8.2405.2.10083030000, 8.2405.1.9265283332, 8.2405.0.9032318589 | ✅ | ✅ | |
nevisIDM | adnooprint | 7.2311.0.6565033000 | ✅ | ✅ | |
nevisKeybox | neviskeybox | 2.2.4.3 | ✅ | ✅ | ✅ |
nevisLogRend | nevislogrend | 8.2405.0.1 | ✅ | ✅ | |
nevisMeta | nevismeta | 8.2405.1.0, 8.2405.0.2 | ✅ | ✅ | |
nevisProxy | nevisproxy | 8.2405.1.0, 8.2405.0.0 | ✅ | ✅ | |
Ninja | ninja | 8.2405.0.2 | n/a | n/a | n/a |
Ninwin | ninwin | 2.3.5.0 | n/a | n/a | n/a |
*) Tested with the latest available patch level.
**) Versions in bold changed compared to the previous quarterly release.
Third-party dependencies
The following third-party software is often used by Nevis components. Some of the software is included within nevisAppliance.
Below you find the latest supported versions.
Third-Party Software | Version |
---|---|
JVM (OpenJDK) | ✅ 17.0.12 |
MariaDB | ✅ 10.6 |
PostgreSQL | ✅ 15 |
Kubernetes | ✅ 1.29 |