2024-Q4: RR Upgrade (November 2024)

Major version

Version: 8.2411

Lifecycle dates

Minor Version	General Availability	End of Full Support	End of Fade-Out Support
8.2411.0.0	November 20, 2024	May 20, 2025	Jun 19, 2025
8.2405.2.1178	September 27, 2024	Nov 19, 2024	Jun 19, 2025
8.2405.1.1173	August 30, 2024	Nov 19, 2024	Jun 19, 2025
8.2405.1.1165	July 25, 2024	Nov 19, 2024	Jun 19, 2025
8.2405.1.1148	July 11, 2024	Nov 19, 2024	Jun 19, 2025
8.2405.0.1143	June 26, 2024	Nov 19, 2024	Jun 19, 2025
8.2405.0.1130	May 15, 2024	Nov 19, 2024	Jun 19, 2025

Breaking changes and required actions

The following components have breaking changes compared to the previous release, or require specific actions. For more information, see the Release Notes of each listed component.

• nevisProxy: The Apache config generation is changed when multiple hosts are defined in navajo.xml. Now the default hosts' virtual hosts are moved to the beginning. In the old config generation, the virtual hosts order was defined by the connectors' order.
• nevisProxy: The XmlFilter now checks the content against the configured XSD schema (if any). If the content doesn't match the schema, or a schema is missing, the request will be blocked. In order to switch back to the old behaviour you need to set the parameter ValidateSchema to false.
• nevisProxy: Due to the apache httpd upgrade you have to add the following SSLCryptoDevice in the Service section of navajo.xml if a Securosys HSM (or any pkcs#11 based HSM) is configured:

SSLCryptoDevice="pkcs11"

• nevisProxy: The DeflateFilter's CompressionWindowSize parameter no longer accepts positive values.
• nevisProxy: For nevisproxy to run correctly, you need at least SP6 if running on SLES15. You can check the installed SP version on your SLES15 host by executing cat /etc/os-release. The version has to be 15.6 or more:

# cat /etc/os-release 
NAME="openSUSE Leap"
VERSION="15.6"

• nevisProxy: If neither OpenTelemetry nor sampling is enabled op tracing in some nevis components may not work any more. To solve that you can set the java property otel.traces.sampler in the concerned nevis component to always_on.
• nevisAuth: jcan-saml and jcan-saml-xmlbeans libs are removed from the nevisAuth RPM. These are transitive dependencies of jcan-sectoken to support the SAML Assertion as a token. These libraries are only used in Ninja for verification purposes, therefore they are not required in nevisAuth.
• nevisAuth: Several properties in configuration have breaking changes.
• nevisAuth: The LegacySecurityTokenService is removed.
• nevisFIDO: New column dispatch_target_ext_id in database table token_sessions.
• nevisIDM: Now default policy values are applied to PASSWORD, CONTEXT_PASSWORD and DEVICE_PASSWORD credentials when validating passwords. This behaviour can be turned off with configuration property application.policy.loadDefaultValues.
• nevis...: ...

Every RR (minor and major) may contain breaking changes. See the release notes of the component you are upgrading. You should always stay up to date on the RR branch. If there are multiple releases between your current version and the version you are upgrading to, consult the release notes of each version.

Components Changelog

nevisAdmin 8.2411.0 Release Notes - 2024-11-20

Release information

• RPM: nevisadmin4-8.2411.0.17-1.noarch.rpm
• GUI Version: FE 8.2411.0-1459 - BE 8.2411.0.17

Breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

• CHANGED: The nevisadmin-plugin-nevisadapt has been separated from the nevisadmin-plugin-nevisdetect. The nevisAdapt Patterns, which were previously part of the nevisDetect plugin, have now been moved to the new nevisAdapt plugin. (NEVISADMV4-10229)

Main improvement

• NEW: It is now possible to delete plugin libraries on the Resources / Pattern Libraries page. (NEVISADMV4-9761)
• NEW: You can now add a git tag to the commit that is created when publishing a project, both on the GUI in the publishing dialog, and also using the REST API. (PRODROAD-597)
• NEW: Project variables now can have default values. Compared to the existing sample values, if a default value is not overridden in the inventory, it will not cause an error during deployment, and instead the default value of the project variable will be directly used. (NEVISADMV4-10185)
• NEW: We've introduced a new feature that automatically migrates the project when the nevisadmin-plugin-base-generation version is upgraded. This feature attempts to handle breaking changes by updating most project data automatically, reducing the need for manual adjustments, but some cases cannot be handled automatically, and manual intervention may still be required. (NEVISADMV4-10104)

Notable changes and bug fixes

• NEW: Deployments can now be performed using the legacy checkout method by setting the configuration property nevisadmin.git.shallow-checkout to false. (NEVISADMV4-10252)
• NEW: We added two new properties, nevisadmin.pki.root-certificate-validity and nevisadmin.pki.end-certificate-validity, to configure certificate validity for automatic key management in classic deployments. (NEVISADMV4-10268)
• IMPROVED: When publishing a project containing attachment properties where the attached files were changed, the changes can be reviewed in the publish dialog with a new diff view. (NEVISADMV4-10067)
• IMPROVED: The inventory editor has received a number of improvements (NEVISADMV4-10074)
  • Errors that are not related to a specific line are shown on the first line.
  • Folding controls are now always shown, not only when the gutter (i.e. the line numbers) is hovered.
  • When the inventory yaml has issues, an inline peek view pops up showing the details. This can also be triggered from the new menu left to the inventory resource actions, which also has controls to fold/unfold all regions of the yaml file.
  • Tooltips in the editor are no longer clipped if they extend beyond the editor.
• IMPROVED: When editing a pattern attachment file, now you can toggle the editor to Fullscreen mode. (NEVISADMV4-10071)
• IMPROVED: Pattern fields of type key-value can now be sorted alphabetically. This helps in finding them when there are many of them, and also, in reviewing the diff during publishing. (NEVISADMV4-10084)
• IMPROVED: If an attachment is renamed in a way that the only difference from the original name is in letter casing, it may cause errors. The errors now include explanations and workarounds for resolving these issues. (NEVISADMV4-10102)
• IMPROVED: Addressed some performance issues that happened when there were a lot of plugin libraries uploaded. (NEVISADMV4-10073)
• CHANGED: The REST endpoints at /api/v1/jobs now include the creationTime field in their returned data. (NEVISADMV4-10011)
• FIXED: The variables screen now also considers ${var.<name>} references when listing the usages of variables. (NEVISADMV4-10024)
• FIXED: Renaming a variable now also updates all references to it that use the ${var.<name>} format. (NEVISADMV4-10085)
• FIXED: When using the main pattern list in grouped by labels mode, the expanded state of the groups was not restored when navigating away and coming back. They are now correctly saved and restored when needed. (NEVISADMV4-10072)
• FIXED: In some rare cases, newly created tenant scoped secrets were not available in the inventory editor to be inserted, until another inventory was opened first. They are now available immediately. (NEVISADMV4-9969)
• FIXED: We fixed a GUI issue, which caused the project validation spinner to sometimes stay spinning even after the project validation has finished, especially if there were new edits before the previous validation has finished. (NEVISADMV4-8559)
• FIXED: We fixed a GUI issue which allowed both the Delete and the Connect to Git actions for projects and inventories to be available, even when the user did not have permission to modify the selected project or inventory, which led to a permission error. These buttons are now disabled if the user does not have the required permission. (NEVISADMV4-8854)
• FIXED: We fixed a GUI issue in the inventory editor, where inserting a secret in the middle of a line replaced the rest of the line instead of inserting the secret at the caret's location. Highlighting secrets in the editor is also fixed. (NEVISADMV4-8441)
• FIXED: The default values for cors.allowed.methods, cors.allowed.headers, and cors.max.age now align with what is stated in the documentation. (NEVISADMV-10128)
• FIXED: We fixed a GUI issue which caused project variables to be imported with an invalid value. (NEVISADMV4-9090)
• FIXED: We fixed a GUI issue in the pattern editor, which caused the navigation to be canceled when clicking through a pattern reference link while having unsaved changes. (NEVISADMV4-10308)

Dependency upgrades

• shiro 2.0.1 (NEVISADMV4-9164)
• org.eclipse.jgit 6.10.0.202406032230-r (NEVISADMV4-10027)
• jsch 0.2.20 (NEVISADMV4-10273)
• jackson 2.18.0 (NEVISADMV4-10273)
• jetty-rewrite 12.0.14 (NEVISADMV4-10273)
• groovy 4.0.23 (NEVISADMV4-10273)
• snakeyaml 2.3 (NEVISADMV4-10273)
• aspectjweaver 1.9.22.1 (NEVISADMV4-10027)
• jakarta-annotation-api 3.0.0 (NEVISADMV4-10027)
• slf4j-api 2.0.16 (NEVISADMV4-10027)
• logback-classic 1.5.9 (NEVISADMV4-10273)
• guava 33.3.1-jre (NEVISADMV4-10273)
• opensaml 4.3.2 (NEVISADMV4-10027)
• spring-boot 3.3.5 (NEVISADMV4-10307)
• spring-dependency-management-plugin 1.1.6 (NEVISADMV4-10027)
• springdoc-openapi-starter-webmvc-ui 2.6.0 (NEVISADMV4-10027)
• mustache 0.9.14 (NEVISADMV4-10027)
• mariadb-java-client 3.4.1 (NEVISADMV4-10027)
• postgresql 42.7.4 (NEVISADMV4-10027)
• nimbus-jose-jwt 9.41.2 (NEVISADMV4-10273)
• bcprov-jdk18on 1.78.1 (NEVISADMV4-10027)
• bcpkix-jdk18on 1.78.1 (NEVISADMV4-10027)
• bcpg-jdk18on 1.78.1 (NEVISADMV4-10027)
• bcutil-jdk18on 1.78.1 (NEVISADMV4-10027)
• kubernetes-java-client 21.0.1 (NEVISADMV4-10027)

Patterns 8.2411.0 Release Notes - 2024-11-20

Release information

• Build Version: 8.2411.0.15

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

General Changes

• PAT-762: Fixed a bug in Generic Deployment which caused unknown files in nested sub-folders to be deleted, even when Path: Delete Unknown Files is set to disabled.
• NEVISADMV4-9763: Added new logger ProductAnalytics to Nevis components.
  • The logger is enabled by default, it can be disabled by setting the log level to WARN or ERROR.

Application Protection

• ⚠️ PAT-750 / PAT-754: Refactored the nevisProxy Observability Settings pattern:
  • Renamed the Trace Resource Service Name parameter and moved it to the Basic Settings tab.
    • This setting now controls the service.name key-value pair resource attribute for both Metrics Mode and Trace Mode.
  • Removed the experimental label from the pattern.
  • New settings: Sampler, Deployment Environment, Capture Request Headers, Capture Response Headers
• ⚠️ PAT-751: Added CRS version 4.7.0 to the OWASP ModSecurity CRS Version setting in the Virtual Host pattern.
  • The oldest, unsupported CRS version 3.0.2 was removed.
• PAT-734: Added Default File setting to the Hosting Service pattern.
• PAT-678: Added a default template for Proxy Login Renderer.
• ⚠️ PAT-650: Added the setting SOAP Schema Validation Mode to the SOAP Service pattern.
  • The default mode is content-type, where the SOAP service only analyses requests with Content-Type application/soap+xml.
  • Select enabled to analyse all requests with a body.
  • Select strict to analyse all requests, which was the previous behaviour.
• PAT-688: We fixed an unexpected error when using a variable for the Public Key of the JWT Access Restriction pattern.
• ⚠️ PAT-755: We improved the Maintenance Page pattern:
  • The Update Interval is now configurable.
  • The pattern now includes its sanitized name in the names of the generated MaintenanceFilter and DefaultServlet.
    • This prevents naming collisions, and allow linking multiple Maintenance Page patterns to a single Virtual Host or Application.
    • Check your configuration if you use Generic Application Settings or Generic Virtual Host Settings to customize your MaintenanceFilter or the related DefaultServlet.
• PAT-759: The SOAP Service pattern can now be attached to several Virtual Host patterns even when SOAP Schema Validation files are configured.
• NEVISPROXY-7253: The HTTP Error Handling pattern now also replaces placeholders in JSON error pages.
  • This also applies to the default ErrorFilter that is generated by the Virtual Host.

Authentication

• PAT-756: Set -Dotel.instrumentation.metro.enabled=false for nevisAuth.
  • OpenTelemetry does not support tracing of these SOAP calls.
• ⚠️ PAT-710: Apply Custom Attributes to RemoteOutOfContextDataStore as well.
  • If you have attributes that should only be applied to the RemoteSessionStore use the prefix session: in the attribute name.
• PAT-707: Support configuration of number of worker threads for nevisAuth.
• PAT-693: Updated JWT Token pattern to be compatible with latest nevisAuth release.

Identity Management

• PAT-507: Support upload of additional resources for nevisDataPorter Instance.
• PAT-704: NevisIDM Second Factor pattern now validates if the found credentials are active and during their validity period.
• PAT-722: The nevisIDM Authorizations pattern now adds default values to Roles where no setting is defined in the pattern.
• PAT-722: The nevisIDM Authorizations pattern now accepts MultiClient authorization as well.
• PAT-726: Password validation displays error correctly when using Self-Registration flow in Simple Sign-in / Sign On Template
• PAT-743: Added SYSLOG formatting option for nevisIDM's batch log.
• PAT-745: Created pattern for nevisIDM Create Credential AuthState.
• PAT-763: Path of password reset in nevisIDM Password Login automatically added to the Allowed Application paths.
• PAT-758: Modified nevisIDM Password Login to store the redirection URL in the URL Ticket credential.
• PAT-770: nevisIDM Authorizations pattern now handles fine-grained authorizations for UserModify and UserSearch authorization.

SAML / OAuth / OpenID Connect

• PAT-753: New setting Remove Empty Claim(s) In Token in OAuth 2.0 Authorization Server / OpenID Provider.
• PAT-701: Updated the translation text for the OAuth2 / OpenID Connect consent screen.
• PAT-744: Fixed invalid generation of nevisIDM HttpClient in Social Login patterns.
• PAT-742: The IDP URL in the SAML IDP Connector now supports EL expressions.
• PAT-716: Fixes in SAML patterns to support logout message via SOAP.

FIDO2 Passwordless

• PAT-729: Support Authenticator allow-listing in nevisFIDO FIDO2 Instance.

Mobile Authentication

• PAT-541: Configuration of fido-uaf.timeout.device-request.
• PAT-730: Support for Android Key Attestation (FIDO UAF Full Basic Attestation).
• PAT-735: Updated default metadata file to support both RSA and new EC algorithms for Android UAF authenticators.
• PAT-748: Support REST-only usage of nevisIDM in nevisFIDO.
• PAT-694: Add new wildcard facetID entries to replace the old specific values.
• PAT-618: New pattern nevisFIDO UAF Device Service.
• PAT-739: Support assignment of nevisFIDO UAF Connector in Out-of-band Mobile Onboarding pattern.
• NEVISAUTH-4768: The mobile authentication JavaScripts now only schedule a single polling request at a time, preventing “parallel polling” in the same session.

User Behavior Analytics

• ⚠️ NEVISDETECT-1874: nevisAdapt patterns were moved to a new nevisAdmin4 plugin: nevisadmin-plugin-nevisadapt.
  • The package name of all related patterns changed, so it is important to run the automatic migrations script to avoid errors.
  • Make sure that the new package is enabled when setting up a project with nevisAdapt.
• ⚠️ NEVISDETECT-1954: observation timeframe inside nevisAdapt Instance was moved to its own pattern along with other cleanup related timeframes which can be linked into nevisAdapt Instance.
  • The automatic migration script takes care of this change if any specific value was set in the original project.

nevisAdapt 8.2411.0.22 - 20.11.2024

Breaking changes

• CHANGED: nevisAdapt has its own nevisAdmin 4 plugin: nevisadmin-plugin-nevisadapt. There is an automated migration script for transferring nevisAdapt patterns. Please make sure that the new plugin is enabled after the migration. On the other hand, nevisadmin-plugin-nevisdetect can be turned off if nevisDetect is not part of the authentication flow.
• CHANGED: ch.nevis.nevisdetect:nevisdetect-dto package no longer contains nevisAdapt DTOs. New package ch.nevis.nevisadapt:nevisadapt-dto:8.2411.0.22 introduced.
• CHANGED: ch.nevis.nevisdetect:nevisadapt-api package was moved. New package ch.nevis.nevisadapt:nevisadapt-api:8.2411.0.22 introduced.

Changes and new features

• ADDED: nevisadaptcl package for nevisAdapt AuthStates (introduced ch.nevis.adapt.authstate domain)
• FIXED: Dependencies updated
• FIXED: Observation data analysis performance was improved
• FIXED: IP velocity analyzer for close distances
• CHANGED: Dependencies used by nevisDetect only were removed
• CHANGED: Several classes were moved within ch.nevis.nevisadapt
• CHANGED: Health checks expect lower-case schema history table name
• CHANGED: nevisAdapt plugin classes for nevisDetect are removed (moved to nevisdetect package)

nevisAuth 8.2411.0.13 - 20.11.2024

Breaking changes

• REMOVED: The deprecated LegacySecurityTokenService is removed. It was enabled by default when -Dch.nevis.esauth.wstrust.SecurityTokenService.Enabled=true was configured. The replacement for the LegacySecurityTokenService is the SecurityTokenService (NEVISAUTH-4654)
• REMOVED: We removed the validation that acr_values must contain the value of the acr claim. (NEVISAUTH-4854)
• REMOVED: jcan-saml and jcan-saml-xmlbeans libs are removed from the nevisAuth RPM. These are transitive dependencies of jcan-sectoken to support the SAML Assertion as a token. These libraries are only used in Ninja for verification purposes, therefore they are not required in nevisAuth. In case you relied on classes from these artifacts in your testing or custom auth states, you can acquire them from Ninja and add them on your classpath manually. (NEVISAUTH-4864)
• CHANGED: The JWTToken auth state configuration token.identifier is renamed to token.outputAttributeName. (NEVISAUTH-4715)
• CHANGED: The default value connectionMaxPoolSize property of the Remote session store and OOCD is changed to 10 from the previous 20 to be aligned with the underlying library recommended defaults. (NEVISAUTH-4819)
• CHANGED: ScripState now resolves variables in parameter.[parameterName]. This can be a breaking change if you resolved variables manually before, or have a value which looks like an EL expression. (NEVISAUTH-4604)
• NEW: We introduced the property removeEmptyClaimsInToken in AuthorizationServer AuthState to remove empty claims for ID Token and Access Token. (NEVISAUTH-4778)

General Changes

• NEW: nevisAuth generates new OpenTelemetry metrics for Jetty worker threads, request statistics, heap size, http client pool statistics. This can help in analysing and observing nevisAuth load. (NEVISAUTH-4746)
• NEW: The JWTToken auth state now allows the configuration where the output is stored using the token.outputAttributeScope configuration option. By default, it is the previous outargs. (NEVISAUTH-4715)
• NEW: HTTP headers can be referred in the log pattern with syntax %X{httpHeader.yourHttpHeader}. There is a differences in where the HTTP request is originating from: authenticate/stepup requests arriving from nevisProxy will contain the original HTTP headers of the client in the SOAP request body and made available in the logging context. Other Web and Rest services does not have this proprietary mechanism therefore in case of those nevisAuth will simply use the HTTP headers of the current request. (NEVISAUTH-4776)
• NEW: connectionMinPoolSize configuration option for the Remote session store and OOCD. Note that by default connectionMinPoolSize takes the value of connectionMaxPoolSize which means that the pool opens all connections on start, which is the recommended way to maximise performance. For cases where you only want to create connections on demand, you can specify a lower connectionMinPoolSize value. (NEVISAUTH-4819)
• NEW: We introduced openid.jws.addx5c and oauth2.jws.addx5c for adding x5c field to ID Token and Access Token header. (NEVISAUTH-4834)
• NEW: We allow the use of EL expressions for claimsRequest in RelyingPartyState and OAuth2ClientState. (NEVISAUTH-4832)
• NEW: We introduced absoluteRefreshTokenLifetime to specify how the lifetime of a Refresh Token is managed when using token rotation. (NEVISAUTH-4745)
• FIXED: We reduced the verbosity of the log entries related to the translation of scope metadata. (NEVISAUTH-4507)
• FIXED: SecurityTokenService logging confusing error message SAAJ0303.ver1_1.msg.op.unsupported.in.SOAP1.1 when generating an error response. (NEVISAUTH-4681)
• FIXED: Unreleased lock causing threads to hang in scenarios where several clients are using the same session and this session is killed by multiple nevisProxy instances at the same time. Also, some warning messages not requiring operational attention are downgraded to info. (NEVISAUTH-4738)
• FIXED: Unreleased lock causing threads to hang in scenarios where IdentityProviderState received the logout contain session index but doesn't act as SOAP logout. (NEVISAUTH-4852)
• FIXED: We removed the limitation of only allowing a certain prefix in the envelope of SOAP logout requests in IdentityProviderState. (NEVISAUTH-4852)
• FIXED: We fixed AccessTokenConsumer not accepting URLs that contain space. (NEVISAUTH-4788)
• DEPRECATED: The autoRegenerate configuration flag of the TANState is currently not working properly, and it is not possible to fix it with the current codebase, therefore it will be removed in the future. Custom behaviour can implemented with the existing inputFalse transition mechanism which allows the customization of the faulty input handling. (NEVISAUTH-4710)
• FIXED: Default logging.yml incorrectly containing jcan.Op instead of OpTrace. (NEVISAUTH-4774)
• FIXED: WSSHeaderValidation auth state not sanitizing passwords in soap headers in the log. (NEVISAUTH-4826)
• FIXED: NullPointerException in the ScripState session variable validation. (NEVISAUTH-4856)
• FIXED: We improved the performance by reducing the introspection endpoint calls for empty token_type_hint. (NEVISAUTH-4899)
• CHANGED: Most of the log messages produced by loggers AuthEngine, EsAuthStart, EsAuthSv related to startup were moved from INFO to DEBUG level to speed up start and clean up logs, as those messages are not relevant from an operational point of view. (NEVISAUTH-4833)
• FIXED: XmlSec initialization in jcan-saml caused the error message lookup in the wss4j library to fail and producing confusing errors. (NEVISAUTH-4864)
• FIXED: The error responses of the introspection and revocation endpoints were not returned in JSON format.(NEVISAUTH-3998)
• FIXED: The session was not terminated after a SAML concurrent logout. (NEVISAUTH-4491)
• DOWNGRADED: We fixed encrypted SAML message generation with xenc11:MGF tag by downgrading the xmlsec third-party dependency to version 3.0.3. (NEVISAUTH-4870)
• UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.25. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Apache XML beans third-party dependency to version 5.2.1. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.1. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Checker-qual third-party dependency to version 3.47.0. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Commons-cli third-party dependency to version 1.19.0. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Commons codec third-party dependency to version 1.17.1. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Commons-lang3 third-party dependency to version 3.17.0. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Commons-text third-party dependency to version 1.12.0. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.2. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Jaxrs-ri third-party dependency to version 3.1.8. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Jaxws-rt third-party dependency to version 4.0.3. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.13. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.22. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Guava third-party dependencies to version 33.3.0-jre. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0 (NEVISAUTH-4836)
• UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4836)
• UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6. (NEVISAUTH-4836)
• UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2411.0.x. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Ldap-unboudid third-party dependency to version 7.0.1. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Libphonenumber third-party dependency to version 8.13.45. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Log4j third-party dependencies to version 2.24.0. (NEVISAUTH-4836)
• UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.4.1. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Nimbus oicd sdk third-party dependency to version 11.19.1. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Opensaml third-party dependencies to version 4.3.2. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.42.0 (NEVISAUTH-4836)
• UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.4. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.7. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Rhino third-party dependency to version 1.7.15. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Slf4j third-party dependency to version 2.0.16. (NEVISAUTH-4836)
• UPGRADED: We upgraded the Woodstox third-party dependency to version 7.0.0. (NEVISAUTH-4836)

nevisDataporter 8.2411.0.11795601371 - 20.11.2024

General changes

• UPGRADED: WE upgraded the commons-io 2.14.0. (NEVISDP-543)

nevisDetect 8.2411.0.6 - 20.11.2024

Breaking changes

• CHANGED: nevisAdapt has its own nevisAdmin 4 plugin: nevisadmin-plugin-nevisadapt. There is an automated migration script for transferring nevisAdapt patterns. Please make sure that the new plugin is enabled after the migration.
• CHANGED: ch.nevis.nevisdetect:nevisdetect-dto package no longer contains nevisAdapt DTOs. New package ch.nevis.nevisadapt:nevisadapt-dto:8.2411.0.22 introduced.
• CHANGED: ch.nevis.nevisdetect:nevisadapt-api package was moved. New package ch.nevis.nevisadapt:nevisadapt-api:8.2411.0.22 introduced.

General Changes

• FIXED: Dependencies updated.
• CHANGED: Dependencies used by nevisAdapt only were removed.
• CHANGED: nevisAdapt AuthStates were moved to their own separate package (nevisadaptcl).
• CHANGED: Health checks expect lower-case schema history table name.

nevisFIDO 8.2411.0.13 - 20.11.2024

Breaking changes

For non-docker based setups run the following SQL script to add the new database table columns required for the extended FIDO UAF status service (NEVISFIDO-2145):

ALTER TABLE token_sessions
  ADD COLUMN IF NOT EXISTS `dispatch_target_ext_id` VARCHAR(128) NULL,
;

General Changes

• DEPRECATED: The ch.nevis.auth.fido.uaf.authenticators variable written to the nevisAuth notes by the FidoUafAuthState and OutOfBandFidoUafAuthState is deprecated, use the session variable instead. (NEVISFIDO-2145)
• DEPRECATED: The fido-uaf.metadata.polling-period and fido-uaf.policy.polling-period are deprecated and will be removed in the 2025 May release together with the mechanism to reload those configuration at runtime. (NEVISFIDO-2241)
• EXPERIMENTAL: Allow to modify the device ID in the device credential management endpoint. (NEVISFIDO-2140)
• CHANGED: The status service lists the UAF and generic dispatch target credential extIds for successful authentication operations. (NEVISFIDO-2145)
• CHANGED: The FidoUafAuthState and OutOfBandFidoUafAuthState write the UAF and generic dispatch target credential extIds for a successful authentication operation to the current nevisAuth session. (NEVISFIDO-2145)
• NEW: Support of authenticators that can use different authentication algorithms. (NEVISFIDO-2145)
• NEW: Support additional checks for Full Basic Attestations with Nevis Mobile Authentication SDK Android authenticators. (NEVISFIDO-2212)
• NEW: authenticating during FIDO UAF with a disabled nevisIDM credential now returns UAF status code 1493. This only works on a server that connects to nevisIDM via its REST API, which requires the credential-repository.rest-url property to be set. (NEVISFIDO-2121)
• NEW: nevisFIDO now capable supporting both REST and SOAP connections towards nevisIDM at the same time (FIDO2 supports only REST, FIDO UAF supports REST and SOAP). (NEVISFIDO-2206)
• NEW: There is a new configuration property fido-uaf.idm-connection-type with values soap and rest that defines what connection is used to connect to nevisIDM for FIDO UAF. (NEVISFIDO-2206)
• DEPRECATED: SOAP connection towards nevisIDM will be removed in a future version, replaced by the REST API client. (NEVISFIDO-2206)
• NEW: Added configuration option to allow-list certain FIDO2 authenticators via metadata. The allow-listing can be enabled by setting the fido2.metadata.allow-listing-enabled property to true. The allowed authenticators are configured via a metadata json file supplied in the configuration property fido2.metadata.path. (NEVISFIDO-2157)
• NEW: Added HTTP connection configuration options for REST nevisIDM connections in the credential repository. (NEVISFIDO-2056)
• NEW: Added configuration options for FCM dispatcher proxy-user and proxy-password to enable basic proxy authentication. This will be used for both sending request to FCM and Google OAuth2 endpoint to acquire an access token. (NEVISFIDO-2108)
• FIXED: The HTTP Client used to connect to nevisIdm REST service and the Firebase Cloud Messaging service was in some cases incorrectly configured limiting the maximum allowed connections per route to 5. The intended default 50 is now properly used. (NEVISFIDO-2103)
• FIXED: Confusing error message when login information status cannot be updated. (NEVISFIDO-2091)
• FIXED: The registration and authentication response endpoints now correctly return UAF status code 1492 Unacceptable Authenticator in case the UAF policy does not allow the authenticator, instead of UAF status code 1498 Unacceptable Content. (NEVISFIDO-1940)
• FIXED: Use JSON comparison to compare signature and encryption keys in device endpoints. Fixing a bug breaking the device service for iOS when multiple accounts are defined in a given device. (NEVISFIDO-2198)
• CHANGED: For backwards compatibility, FIDO UAF credentials do not use key ID attribute (kid) in the comparison of encryption and signature keys as new versions of the SDK do not provide it. (NEVISFIDO-2237)
• CHANGED: Errors occurring during the final challenge parameter validation in the authentication response service resulting in UAF status code 1491 Request Invalid are now logged on ERROR level. This can help to identify configuration problems (such as an incorrect appID in the Facets configuration) more quickly. (NEVISFIDO-2099)
• CHANGED: nevisFIDO now updates the successful or failed login information in the generic dispatch target associated with the UAF credential used during the authentication operation. This change makes it easier to find out when a user's "device" was last used for UAF authentication as not all associated UAF credentials need to be searched. (NEVISFIDO-2088)
• CHANGED: We replaced SOAP technology stack for nevisIDM connections. (NEVISFIDO-2056)
• REMOVED: The experimental JavaScript Login Application has been removed from the nevisFIDO client RPM. Preferred integration is via the nevisadmin-plugin-mobile-auth nevisAdmin 4 pattern. (NEVISFIDO-2194)
• UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.25. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.1. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Checker Framework third-party dependency to version 3.47.0. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Google-api-client third-party dependency to version 2.7.0. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Google-auth-library third-party dependency to version 1.25.0. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Guava third-party dependency to version 33.3.0-jre. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.2. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Jakarta-validation third-party dependency to version 3.1.0. (NEVISAUTH-2193)
• UPGRADED: We upgraded the Log4j third-party dependencies to version 2.24.0. (NEVISFIDO-2193)
• UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.4.1. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Nimbus third-party dependency to version 9.40. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.42.0. (NEVISFIDO-2193)
• UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.4. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Slf4j third-party dependency to version 2.0.16. (NEVISFIDO-2193)
• UPGRADED: We upgraded the Spring-boot third-party dependency to version 3.3.4. (NEVISFIDO-2222)
• UPGRADED: We upgraded the Spring third-party dependencies to version 6.1.14. (NEVISFIDO-2222)
• UPGRADED: We upgraded the Webauthn4j api third-party dependency to version 0.26.0.RELEASE. (NEVISFIDO-2193)

nevisIDM 8.2411.0.11824142812 - 20.11.2024

Application version	Minimal required database schema version	Maximal supported database schema version
8.2411.0.11824142812	7.28	7.x

Breaking changes

• FIXED: Now default policy values are applied to PASSWORD, CONTEXT_PASSWORD and DEVICE_PASSWORD credentials when validating passwords. This behaviour can be turned off with configuration property application.policy.loadDefaultValues. (NEVISIDM-9598)
  • Startup time check is added to check if there is some policy where it can cause issues. It can be turned of with application.policies.passwordpolicies.checkatstartup configuration property.
  • Policies for credential types PASSWORD, CONTEXT_PASSWORD and DEVICE_PASSWORD are validated when created and modified.

General changes and new features

General/Core

• UPGRADED: We updated Jetty to 12.0.9. (NEVISIDM-9448)
• UPGRADED: We updated ws to 8.17.1. (NEVISIDM-9629)
• FIXED: Added missing dtds to DigesterFactory. (NEVISIDM-9552)
• FIXED: Fixed mistakenly applied/left out privilege escalation checks for credential related operations. (NEVISIDM-9334)
• CHANGED: IDM health check now only check database version once in database.version.healthcheck.cache.timeout seconds, otherwise it uses the cached value. (NEVISIDM-9563)
• UPGRADED: We updated Braces lib from 3.0.2 to 3.0.3. (NEVISIDM-9617)
• UPGRADED: We updated NodeJs from 16.13.2 to 22.9.0. (NEVISIDM-9831)
• FIXED: The problem with credential login info counters solved on systems where the audit logging disabled. (NEVISIDM-9886)

Web GUI

• UPGRADED: We updated commons-io to 2.14.0. (NEVISIDM-9793)
• UPGRADED: We updated socket.io to 4.7.5. (NEVISIDM-9629)
• UPGRADED: We updated npm-ip to 2.0.1. (NEVISIDM-9609)

REST API

• FIXED: Create history for custom properties when it is modified via REST API (NEVISIDM-9690)

Web Services

• FIXED: For queryRoles, queryProfiles and queryUsers now displaying the nevisIDM roles correctly. (NEVISIDM-9787)
• FIXED: ModifyCredential now accepts state changes for FIDO UAF credentials with empty credentialFidoUaf tags in the request. (NEVISIDM-9762)
• FIXED: When displaying credential SOAP services no longer logs an error if the user has RECOVERY_CODE or FIDO2 credentials is not found. (NEVISIDM-9599)

Configuration

• FIXED: database.connectiom.pool.min and database.read.only.connectiom.pool.min now has the correct default value of 3. (NEVISIDM-9601)
• FIXED: Property Import mechanism now can display encrypted enum property values correctly after first start. (NEVISIDM-9587)
• NEW: Property import mechanism now handles properties with same name, but different scope correctly. (NEVISIDM-9463)
• NEW: Introduced new configuration property to control if UserRestService should return credential specific fields. Behaviour could be controlled with show.user.credentials.special.attributes.enabled. (NEVISIDM-9567)

Database

• FIXED: Added CERTIFICATE_VALUE to TIDMA_CERT_INFO_V table on PostgreSQL Database schema. (NEVISIDM-9562)
• CHANGED: CONTEXT column in TIDMA_CREDENTIAL table is extended to be able to handle up to 4000 characters. (NEVISIDM-9807)
• CHANGED: Dropped TIDMA_ERROR table from the database schema and modified error raising. (NEVISIDM-9477)

nevisLogRend 8.2411.0.14 - 20.11.2024

General changes

• FIXED: Default logging.yml incorrectly containing jcan.Op instead of OpTrace. (NEVISAUTH-4774)
• UPGRADED: We upgraded the commons-cli third-party dependency to version 1.9.0. (NEVISLOG-538)
• UPGRADED: We upgraded the commons-lang3 third-party dependency to version 3.17.0. (NEVISLOG-538)
• UPGRADED: We upgraded the commons-text third-party dependency to version 1.12.0. (NEVISLOG-538)
• UPGRADED: We upgraded the commons-validator third-party dependency to version 1.9.0. (NEVISLOG-538)
• UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.2. (NEVISLOG-538)
• UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.13. (NEVISLOG-538)
• UPGRADED: We upgraded the Guava third-party dependency to version 33.3.0-jre. (NEVISLOG-538)
• UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.42.0 (NEVISLOG-538)
• UPGRADED: We upgraded the log4j third-party dependencies to version 2.24.0. (NEVISLOG-538)
• UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.16. (NEVISLOG-538)

nevisMeta 8.2411.0.4 - 20.11.2024

General changes

• FIXED: We fixed NPE exception while import the old data that doesn't contain ToS URI, Policy URI, Logo URI. (NEVISMETA-2037)
• FIXED: We fixed DCR endpoint cannot create new client without login. (NEVISMETA-2080)
• FIXED: The Resource Server's scope metadata was incorrectly displayed on the GUI. (NEVISMETA-2035)
• FIXED: In the field contacts of the UI, the character n was converted to a separator. (NEVISMETA-2015)
• FIXED: We fixed the validation of JWKS and JWKS_URI field on UI. (NEVISMETA-2058)
• FIXED: We only log the error for invalid request uri while loading from database instead of throwing exception. (NEVISMETA-2088)
• CHANGED: We only write a warning instead of an error when a property name is incorrect. (NEVISMETA-1924)
• UPGRADED: We upgraded the jetty third-party dependency to 12.0.14. (NEVISMETA-2091)
• UPGRADED: We upgraded the spring third-party dependency to 6.1.14. (NEVISMETA-2094)
• UPGRADED: We upgraded the primefaces bootstrap dependency to 1.10.11. (NEVISMETA-2071)
• UPGRADED: We upgraded the common-io to 2.17.0. (NEVISMETA-2084)
• CHANGED: We changed implementation from custom JWKS class to nimbus one. (NEVISMETA-2045)

nevisProxy 8.2411.0 - 20.11.2024

Changes and new features

• NEW: We added the parameter PropagateTraceparentHeader to forward the traceparent header back to the frontend. (NEVISPROXY-7335)
• NEW: We added the parameter InflateResponse.ContentTypes to the InflateFilter. (NEVISPROXY-7271)
• NEW: We added the parameter Brotli.Quality to the DeflateFilter. (NEVISPROXY-7270)
• NEW: The OpenTelemetry traces now contain the dt and cR values. (NEVISPROXY-7259)
• NEW: We added the parameter ViaHeader to the BackendConnectorServlet. (NEVISPROXY-7248)
• NEW: We added the parameter Sampler to the OpenTelemetry tracing. (NEVISPROXY-7243)
• NEW: We added the parameter AllowEncodedSlashes to navajo.xml. (NEVISPROXY-7239)
• NEW: The PostgreSQLSessionStoreServlet now reports to the StatusServlet. (NEVISPROXY-7094)
• NEW: We added the parameter EnableMetrics to the BackendConnectorServlet. (NEVISPROXY-7092)
• NEW: We extended the HTTP connector servlets with status code metrics. (NEVISPROXY-7091)
• NEW: We added the parameter DeploymentEnvironment to the Telemetry configuration. (NEVISPROXY-7088)
• NEW: The Lua JWT handler now supports token verification using a JWK key. (NEVISPROXY-7078)
• NEW: We added the parameters ValidateSchema and SchemaType to the XMLFilter. (NEVISPROXY-7069)
• NEW: Events are now reported in traces to the OpenTelemetry service. (NEVISPROXY-6887)
• NEW: The DeflateFilter and InflateFilter support now deflate encoding as well. (NEVISPROXY-6224)
• NEW: The DeflateFilter and InflateFilter support now the Brotli Algorithm. (NEVISPROXY-6206)
• FIXED: We fixed the bug where a race condition followed by a NullPointerException was triggered when using the MultiLevelSessionStoreServlet and a custom based SessionManagementFilter. (NEVISPROXY-7307)
• FIXED: We fixed the possible ModSecurityFilter segmentation fault when DelegateFromTx parameter was configured. (NEVISPROXY-7362)
• FIXED: We fixed the issue that the BackendConnectorServlet passed the wrong HTTP-Protocol for HTTP/2 requests coming from the frontend. (NEVISPROXY-7340)
• FIXED: We fixed the issue where a DATA frame was sent for empty HTTP2 responses. (NEVISPROXY-7319)
• FIXED: We fixed the issue where the ErrorFilter did only replace placeholders for text/* Content-Types when the Resource was a Servlet. It now also processes application/json Content-Type by default. See the new parameter PlaceHolders.ContentTypes. (NEVISPROXY-7312)
• FIXED: We fixed the bug where the UrlEncryptionFilter did not support a request path containing URL-encoded special characters. (NEVISPROXY-7293)
• FIXED: We fixed the issue where Events and Logout-Cookies were not visible in LuaFilters for logout requests. (NEVISPROXY-7282)
• FIXED: The JsonFilter now adds the RequestFlag +NEEDS_JSON_PARSING by default. (NEVISPROXY-7210)
• FIXED: We fixed the error which may have occurred if a ModSecurityFilter was mapped before an ICAPFilter. (NEVISPROXY-7170)
• FIXED: We fixed a possible memory leak if SSLCheckPeerHostname.AllowWildcards was set to true in the HttpsConnectorServlet. (NEVISPROXY-7162)
• CHANGED: The deprecated Lua functions getRequestUri and setRequestUri have been replaced by getRequestPath and setRequestPath. (NEVISPROXY-7304)
• CHANGED: We improved the placeholder substitution in the ErrorFilter. (NEVISPROXY-7300)
• CHANGED: The ModSecurityFilter checks now against the encoded path for the request evaluation. (NEVISPROXY-7279)
• CHANGED: The DeflateFilter accepts now a quality of 0 in the Accept-Encoding header. (NEVISPROXY-7246)
• CHANGED: We improved the startup time of nevisProxy. (NEVISPROXY-7228)
• CHANGED: We improved the MultiLevelSessionStoreServlet for parallel login requests. (NEVISPROXY-7207)
• CHANGED: We changed the behaviour of the navajo.xml Connector priority. (NEVISPROXY-7152)
• CHANGED: We use now keep-alive sockets if KeepAlive is true in the HttpConnectorServlet or BackendConnectorServlet. (NEVISPROXY-7143)
• CHANGED: The parameter CompressionWindowSize of the DeflateFilter accepts now only values between -15 and -8 including those. (NEVISPROXY-7138)
• CHANGED: We improved the nevisproxy version written in telemetry reports. (NEVISPROXY-7129)
• CHANGED: The base62 binary can now be used without setting the LD_LIBRARY_PATH. (NEVISPROXY-7107)
• CHANGED: The DefaultAction parameter of the CountryIpFilter is now conditional. (NEVISPROXY-6606)
• CHANGED: The method name isn't traced any longer for INFO and ERROR messages.. (NEVISPROXY-4619)
• UPGRADED: We upgraded to nghttp2 1.64.0. (NEVISPROXY-7353)
• UPGRADED: We upgraded to OpenSSL 3.0.15. (NEVISPROXY-7310)
• UPGRADED: We upgraded to Apache HTTP Server 2.4.62. (NEVISPROXY-7247)
• UPGRADED: We upgraded to OpenTelemetry 1.16.1. (NEVISPROXY-7238)
• UPGRADED: We upgraded to Lua 5.4.6. (NEVISPROXY-7147)
• UPGRADED: We upgraded to ModSecurity 3.0.13. (NEVISPROXY-7009)
• UPGRADED: We upgraded to mod_qos 11.75. (NEVISPROXY-6705)
• DEPRECATED: We replaced the low-level property ch.nevis.navajo.SessionCleanupWaitTimeout with ch.nevis.navajo.ListenerWaitTimeout. (NEVISPROXY-7202)
• DEPRECATED: We deprecated the bc property org.apache.request.ParsedUri. (NEVISPROXY-7080)
• DEPRECATED: The parameter CheckAlwaysClientCert of the IdentityCreationFilter has been deprecated. (NEVISPROXY-6750)
• DEPRECATED: The apache H2 directive H2SerializeHeaders has been deprecated. (NEVISPROXY-6527)
• DEPRECATED: We deprecated the ch.nevis.isiweb4.auth.ExternalHint request attribute. (NEVISPROXY-5741)
• REMOVED: We removed the system memory usage tracing. (NEVISPROXY-7209)
• DOCUMENTATION: We improved the documentation for Securosys integration. (NEVISPROXY-7277)
• DOCUMENTATION: We improved the documentation of the H2 tag in navajo.xml. (NEVISPROXY-7232)
• DOCUMENTATION: The chapters about tracing information have been improved. (NEVISPROXY-4637)

SLES15 support

• on SLES15 you have to be up to date with the latest available service pack (SP). You can find the available SP versions here.

Backward compatibility issues

• The Apache config generation is changed when multiple hosts are defined in navajo.xml. Now the default hosts' virtual hosts are moved to the beginning. In the old config generation, the virtual hosts order was defined by the connectors' order.
• The XmlFilter checks now the content against the configured XSD schema (if any). If the content doesn't match the schema, or a schema is missing, the request will be blocked. In order to switch back to the old behaviour you need to set the parameter ValidateSchema to false.
• Due to the apache httpd upgrade you have to add the following SSLCryptoDevice in the Service section of navajo.xml if a Securosys HSM (or any pkcs#11 based HSM) is configured:

SSLCryptoDevice="pkcs11"

• The DeflateFilter's CompressionWindowSize parameter no longer accepts positive values.
• For nevisproxy to run correctly, you need at least SP6 if running on SLES15. You can check the installed SP version on your SLES15 host by executing cat /etc/os-release. The version has to be 15.6 or more:

# cat /etc/os-release 
NAME="openSUSE Leap"
VERSION="15.6"

• If neither OpenTelemetry nor sampling is enabled op tracing in some nevis components may not work any more. To solve that you can set the java property otel.traces.sampler in the concerned nevis component to always_on.

Ninja 8.2411.0.1 - 20.11.2024

• UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2411.0.x. (NINJA-236)

Component versions

The following versions are part of this release. All of them are under Full Support until the next RR upgrade becomes available.

Component	Artifact name	Version**	RHEL 8*	RHEL 9*	SLES 15*
nevisAppliance	nevisappliance	8.2411.0.0000	n/a	n/a	n/a
nevisAdapt	nevisadapt	8.2411.0.0	✅	✅
nevisAdmin 4	nevisadmin4	8.2411.0.0	✅	✅
nevisAuth	nevisauth	8.2411.0.13	✅	✅
nevisCred	neviscred	2.0.20.0	✅
nevisDataPorter	nevisdp	8.2411.0.0	✅	✅
nevisDetect	nevisdetect nevisdetectcl	8.2411.0.0	✅	✅
nevisFIDO	nevisfido nevisfidocl	8.2411.0.13	✅	✅
nevisIDM	nevisidm nevisidmcl nevisidmdb	8.2411.0.0	✅	✅
nevisIDM	adnooprint	7.2311.0.6565033000	✅	✅
nevisKeybox	neviskeybox	2.2.5.0	✅	✅	✅
nevisLogRend	nevislogrend	8.2411.0.14	✅	✅
nevisMeta	nevismeta	8.2411.0.0	✅	✅
nevisProxy	nevisproxy	8.2411.0.0		✅	✅
Ninja	ninja	8.2411.0.1	n/a	n/a	n/a
Ninwin	ninwin	2.3.5.0	n/a	n/a	n/a

*) Tested with the latest available patch level.

**) Versions in bold changed compared to the previous release.

Third-party dependencies

The following third-party software is often used by Nevis components. Some of the software is included within nevisAppliance.

Below you find the latest supported versions.

Third-Party Software	Version
JVM (OpenJDK)	✅ 17.0.12
MariaDB	✅ 10.6
PostgreSQL	✅ 15
Kubernetes	✅ 1.29

Mobile Apps

Mobile apps and the Mobile SDK are released independently of the component releases. Refer to the following pages:

• Nevis Mobile Authentication Client SDK
• Nevis Access App