Migrating from LTS-24 to LTS-26
This guide covers all changes you must be aware of when upgrading nevisMeta from LTS-24 (version 7.2411.x) to LTS-26 (version 8.2607.x, planned). Read the full release notes of all intermediate releases before you start the migration. For general preparation steps, database backups, and schema migration commands, see General upgrade and patching instructions.
If you have not done so already, upgrade to the latest patch of nevisMeta for LTS-24 before switching to LTS-26.
What's new
The following new features and capabilities were introduced between LTS-24 and LTS-26.
- Java 25 runtime: nevisMeta now runs on Java 25. Java 17 and Java 21 are no longer supported. (NEVISMETA-2131, NEVISMETA-2317, NEVISMETA-2319)
- PostgreSQL 17 support: nevisMeta now supports PostgreSQL 17. (NEVISMETA-2125)
- MariaDB 11.4 support: nevisMeta now supports MariaDB 11.4. (NEVISMETA-2124)
- OpenAPI descriptor: the OpenAPI descriptor of nevisMeta REST services is available at the
/nevismeta/apiendpoint for schema-based tooling and client generation. (NEVISMETA-2017) - REST API V3 consent endpoints: a new persisted consent deletion V3 endpoint has been introduced. Customers should migrate from the deprecated V1 endpoint. See REST API V3. (NEVISMETA-2153)
- REST API V2
replaceActiveStateparameter: the Client and Resource Server update V2 REST endpoints now accept areplaceActiveStatequery parameter. See REST API V2 Resources. (NEVISMETA-2213) server.session-timeoutproperty: the GUI session timeout can now be configured via theserver.session-timeoutproperty. See Component configuration. (NEVISMETA-1974)expiredDataCleaningToleranceproperty: the minimum time needed to delete data after expiration is configurable viaexpiredDataCleaningTolerance. See Server handling. (NEVISMETA-1976)responseCacheExpiryproperty: the cache expiry for the GET Entities endpoint is now configurable viaresponseCacheExpiry. See Server handling. (NEVISMETA-2009)server.max-http-header-sizeproperty: the maximum size of HTTP request and response headers is configurable viaserver.max-http-header-size. See Component configuration. (NEVISMETA-2347)- Nevis OpenTelemetry Java agent 3.x: nevisMeta is now bundled with Nevis OpenTelemetry Java agent version 3. (NEVISMETA-2211)
What has changed
Java 25 is now required
nevisMeta is now compiled and runs exclusively on Java 25. Java 17 and Java 21 are no longer supported. Before upgrading to LTS-26, ensure that your deployment environment provides Java 25.
The Java upgrade took place in two steps across the LTS-24 to LTS-26 cycle:
- Java 17 → Java 21: introduced in rolling release 8.2411.x. (NEVISMETA-2131)
- Java 21 → Java 25: introduced in LTS-26 8.2607.x. (NEVISMETA-2317, NEVISMETA-2319)
As part of this upgrade, several Jakarta EE dependencies were updated to newer major versions, including jakarta.servlet-api 6.1.0 and jakarta.servlet.jsp.jstl-api 3.0.0. If you have custom extensions or integrations that depend on Jakarta EE APIs, review them for compatibility with Java 25 and the updated Jakarta EE versions. For general upgrade preparation, including database backup and schema migration commands, see General upgrade and patching instructions. (NEVISMETA-2131, NEVISMETA-2317, NEVISMETA-2319)
Default resource server and openid scope are now added automatically
nevisMeta now automatically creates a default resource server with the default openid scope on startup. Additionally, when a Dynamic Client Registration (DCR) request does not include a scope, the openid scope is added by default.
Review your existing configuration and integration tests. If your environment relies on the absence of a default resource server or on DCR requests without any scope returning a client with no scopes, the behavior will differ after upgrading. For the resource server entity model and default scope policy configuration, see Entities and Setup. (NEVISMETA-2092)
Resource Server deletion now cascades to Refresh Tokens
Permanently deleting a Resource Server now also deletes all Refresh Tokens that include scopes from that Resource Server. Previously this operation failed with an error when such Refresh Tokens existed.
Ensure that no customer-facing workflows depend on being able to permanently delete a Resource Server while its scopes are still referenced by active Refresh Tokens, or plan for the resulting Refresh Token invalidation. See Entities for the resource server and scope configuration model. (NEVISMETA-2143)
Database sessions now always use UTC timezone
nevisMeta now always uses the UTC timezone for database sessions. Previously, the MariaDB JDBC driver could incorrectly convert timestamps that were already in UTC to a different timezone. This affected editing and creating entities during the spring daylight saving time switch in some environments.
This change does not affect the stored timestamp values or business logic. The timestamp type is used only in internal technical fields. No action is required unless your monitoring or tooling reads raw database timestamps and assumes the server timezone. (NEVISMETA-2172)
Warning issued instead of error for unknown property names
nevisMeta now logs a warning instead of throwing an error when an unknown or incorrectly named property is encountered in the configuration. This prevents startup failures caused by unrecognized property names and improves diagnostic messaging. Review your logs after upgrading to identify any configuration entries that nevisMeta no longer recognizes. (NEVISMETA-1924)
JWKS implementation replaced with Nimbus library
The custom JWKS implementation has been replaced with the Nimbus OAuth2/OIDC SDK. This change is transparent to end users and standard integrations. If you have custom extensions that interact directly with nevisMeta JWKS internals, review them for compatibility. JWKS and JWKS URI configuration continue to use the settings described in Entities. (NEVISMETA-2045)
What has been removed
RSA1_5 and RSA_OAEP encryption methods
The deprecated RSA1_5 and RSA_OAEP key encryption methods have been removed from the client UI and are no longer accepted when editing existing clients. A warning is displayed when a client that was previously configured with one of these methods is loaded.
Before upgrading, identify all clients using RSA1_5 or RSA_OAEP and reconfigure them to use a supported encryption method such as RSA_OAEP_256. See Entities for the client encryption settings that must be reviewed.
includeSoftDeletedStatesPerDefault property
The deprecated configuration property includeSoftDeletedStatesPerDefault has been removed. The only supported way to include soft-deleted states in a REST call is now to explicitly set the query parameter includeSoftDeletedStates=true in each request.
Remove any reference to includeSoftDeletedStatesPerDefault from your configuration files. (NEVISMETA-2143)
OAuth2 Consent REST API V1
The OAuth2 Consent REST API V1 was deprecated in nevisMeta 8.2505.3.2 and announced for removal in the November 2025 release. Review any integrations that still call OAuth2 Consent REST API V1 and migrate them to the V3 Consent REST API before upgrading. See release notes for the original deprecation announcement. (NEVISMETA-2170)
Third-party dependency changes
The following third-party dependency changes may affect custom extensions, scripts, or deployment pipelines that reference specific library versions.
| Dependency | LTS-24 (approximate) | LTS-26 |
|---|---|---|
| Java | 17 | 25 |
| Jetty | 11.0.24 | 12.0.34 |
| Jakarta Servlet API | 5.x | 6.0.0 / 6.1.0 |
| Jakarta CDI API | 3.x | 4.0.1 |
| Jakarta JSTL API | 2.x | 3.0.0 |
| Jersey | 2.x | 3.1.11 |
| Weld | 4.x | 5.1.2.Final |
| Spring | 6.1.x | 6.2.17 |
| Jackson | 2.16.x | 2.21.2 |
| HikariCP | 5.x | 7.0.2 |
| Caffeine | 3.x | 3.2.3 |
| Quartz | 2.3.x | 2.5.2 |
| Flyway | 9.x | 11.8.2 |
| Log4j | 2.22.x | 2.25.4 |
| Slf4j | 2.0.x | 2.0.17 |
| Nimbus OAuth2/OIDC SDK | N/A | 11.37 |
| MariaDB Java connector | 3.2.x | 3.5.8 |
| PostgreSQL JDBC driver | 42.6.x | 42.7.11 |
| Primefaces | 13.x | 15.0.2 |
| Nevis OpenTelemetry Java agent | 2.0.x | 3.x |
After upgrading, it is recommended to delete your browser cache to avoid UI display issues caused by cached outdated PrimeFaces and Bootstrap resources. (NEVISMETA-2180)
The Jetty upgrade from version 11 to 12 includes a namespace migration from javax.* to jakarta.* across the Jakarta EE stack. If you have any custom web components, filters, or servlets deployed into nevisMeta, they must be updated to use the jakarta.* namespace.
Deprecations
The following items were deprecated between LTS-24 and LTS-26 and will be removed in a future release.
- OAuth2 Consent REST API V1: deprecated in nevisMeta 8.2505.3.2. Migrate from OAuth2 Consent REST API V1 to REST API V3. See release notes. (NEVISMETA-2170)
- XML response type on REST services: deprecated in an earlier release. JSON is the only supported format for all REST endpoint calls as of nevisMeta 7.2402.0.3. (NEVISMETA-1956)