Version: 1.17.x.x RR

Release notes

nevisMeta 1.17.0.1 - 16.11.2022

Changes and new features

General

  • UPGRADED: We upgraded moment.js to 2.29.4. (NEVISMETA-1788)
  • UPGRADED: We upgraded jackson to 2.13.4. (NEVISMETA-1792)
  • UPGRADED: We upgraded jettison to 1.5.1. (NEVISMETA-1799)
  • UPGRADED: We upgraded Ninja to 2.1.2.1. (NEVISMETA-1808)
  • UPGRADED: We upgraded Primefaces to 12.0.0. (NEVISMETA-1790)
  • FIXED: During client creation, jwks_uri is now expected as a URI, not only the prefix of jwks.json. (NEVISMETA-1759)
  • NEW: We introduced the client.rest.match-certificate-with-jwks property, which makes the check of jwks or jwks_uri against the client certificate optional when creating a new client via the REST service. (NEVISMETA-1787)
  • NEW: During item creation via REST, the error message for duplicated items disclosed too much information, which could cause a security issue. We have reduced the information in the error message for duplicated items. (NEVISMETA-1794)
  • REMOVED: Some Admin CLI commands are removed. For more information, see Admin CLI and RPM Installation Changes in 11.2021 RR Release. (NEVISMETA-1777)
  • REMOVED: xstream is removed. (NEVISMETA-1798)

nevisMeta 1.16.0.1 - 17.08.2022

Changes and new features

Breaking changes

  • The response for client creation via the REST service has changed for RFC 7591. The response message change includes the following response types:

Note: This is an experimental release for RFC 7591 (Dynamic Client Registration) compliance.

General

  • UPGRADED: Spring is upgraded to 5.3.20. (NEVISMETA-1747)
  • UPGRADED: moment.js is upgraded to 2.29.3. (NEVISMETA-1738)
  • UPGRADED: handlebars.js is upgraded to 4.7.7. (NEVISMETA-1742)
  • UPGRADED: angularjs is upgraded to 1.8.2. (NEVISMETA-1743)
  • UPGRADED: Jetty is upgraded to 9.4.48.v20220622. (NEVISMETA-1766)
  • UPGRADED: ninja is upgraded to 2.1.1.1. (NEVISMETA-1773)
  • NEW: There is a new property available for client authentication in TLS settings: server.tls.client-auth. This property is the successor of the property server.tls.require-client-auth. It provides the options "required", "requested", and "disabled". The old property server.tls.require-client-auth is deprecated but remains backwards compatible. If you use the new property server.tls.client-auth, the system ignores the property server.tls.require-client-auth and logs a warning. (NEVISMETA-1529)
  • NEW: We introduced new fields for client: JWKS, JWKS URI, Logo URI, ToS URI, Policy URI, Token Endpoint Auth Method. (NEVISMETA-1722)
  • NEW: When exporting a client or resource server with the option Export state at specific date, the dates in the dropdown are sorted. (NEVISMETA-1593)
  • NEW: We adapted the REST service response message for client creation for RFC 7591 compliance. (NEVISMETA-1726)
  • NEW: We introduced the property client.rest.creation.response.rfc for backward compatibility. (NEVISMETA-1726)

nevisMeta 1.15.0.3 - 17.05.2022

Changes and new features

Breaking changes

  • CHANGED: The previous bc and jcan-log logging using log4j1 is replaced by slf4j using log4j2. jcan-log is now only used by the jcan-optrace, which relies on the slf4j implementation of jcan-log (NEVISMETA-1702).

Log4j2 uses a different configuration structure than log4j1, and they are not compatible. If you are not using nevisAdmin4, you have to migrate the logging configuration manually. Check the default template supplied in the RPM.

nevisMeta requires a logging.yml file in the instance config directory. If the file is missing or incorrectly formatted, a default configuration logs to stdout, which can be viewed in the systemd journal.

  • REMOVED: NevisSyslogAppender is no longer available. As a replacement, we suggest SocketAppender. The reasons and an example can be found in the Logging configuration / Syslog section in the reference guide. (NEVISMETA-1702)
  • NEW: Automatic reload of the logging configuration is supported by using the monitorInterval property of the Log4j2 configuration (https://logging.apache.org/log4j/2.x/manual/configuration.html#ConfigurationSyntax). (NEVISMETA-1702)

General

  • CHANGED: Ninja debug logs can be controlled by the tracegroup ch.nevis.ninja. There is no need to set property server.auth.ninja.log-debug to enable ninja debug mode anymore. (NEVISMETA-1705)
  • CHANGED: The location of the default temporary directory changed from /tmp to /var/opt/nevismeta/{instance_name}/tmp. (NEVISMETA-1719)
  • UPGRADED: Xstream version is upgraded to 1.4.19.
  • UPGRADED: Jackson is upgraded to 2.13.2. (NEVISMETA-1712)
  • UPGRADED: Jackson-databind is upgraded to 2.13.2.2. (NEVISMETA-1712)
  • UPGRADED: Guava is upgraded to 31.0.1-jre. (NEVISMETA-1714)
  • UPGRADED: Jetty is upgraded to 9.4.45.v20220203. (NEVISMETA-1714)
  • UPGRADED: Spring is upgraded to 5.3.19. (NEVISMETA-1730)

nevisMeta 1.14.0.0 - 16.02.2022

Changes and new features

Breaking changes

There are no breaking changes in this release.

General

  • UPDATE: We improved the performance of client deletion with a huge number of refresh tokens and resource servers. (NEVISMETA-1676)
  • CHANGED: We improved the handling and the error message when an invalid database type is configured in the nevismeta.properties file. (NEVISMETA-1490)
  • CHANGED: JSF is upgraded to version 2.3.9. (NEVISMETA-1683)
  • UPGRADED: Log4j version is upgraded to 1.2.17. (NEVISMETA-1691)
  • REMOVED: The supplied log4j version 1.2.17 is patched to remove vulnerable classes org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class. (NEVISMETA-1691)

nevisMeta 1.13.0.0 - 17.11.2021

Changes and new features

Breaking changes

There are no breaking changes in this release.

General

  • NEW: Added validation for the redirectURIs of clients in the GUI and the REST API. redirectURIs can no longer contain whitespace or a fragment. (For more information, see Configuration > OAuth 2.0 > Entities.)
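
An added example (not nevisMeta code) of a pre-upgrade audit for the redirect URI rule above: it flags URIs that contain whitespace or a fragment. The client records and the `redirect_uris` field name are constructed for illustration, and treating any Unicode whitespace as whitespace is an assumption; the product's exact rules are in the reference guide.

```python
import re

# Assumption: "whitespace" means any Unicode whitespace (space, tab, CR, LF, NBSP, ...).
_WHITESPACE = re.compile(r"\s")


def redirect_uri_problems(uri: str) -> list[str]:
    """Return which of the two rules (whitespace, fragment) a redirect URI breaks."""
    problems = []
    # Inspect the raw string rather than a parsed URL: urllib.parse.urlsplit()
    # drops tab and newline characters on current Python versions, so a check
    # made after parsing would miss them.
    if _WHITESPACE.search(uri):
        problems.append("whitespace")
    # In a URI a literal "#" can only be the fragment delimiter (anywhere else
    # it must be written as %23), so this also catches an empty fragment such
    # as "https://host/cb#", which a parser reports as fragment == "".
    if "#" in uri:
        problems.append("fragment")
    return problems


def audit_clients(clients: list[dict]) -> dict[str, list[tuple[str, list[str]]]]:
    """Map client_id -> [(uri, problems)] for every URI that breaks a rule."""
    findings = {}
    for client in clients:
        bad = [(u, p) for u in client.get("redirect_uris", [])
               if (p := redirect_uri_problems(u))]
        if bad:
            findings[client["client_id"]] = bad
    return findings


# Constructed sample records (hypothetical field names, not a nevisMeta export format).
SAMPLE_CLIENTS = [
    {"client_id": "portal", "redirect_uris": ["https://portal.example.com/cb"]},
    {"client_id": "mobile", "redirect_uris": ["com.example.app:/oauth#done",
                                              "https://m.example.com/cb "]},
    {"client_id": "legacy", "redirect_uris": ["https://old.example.com/cb\t#"]},
]

if __name__ == "__main__":
    for client_id, bad in audit_clients(SAMPLE_CLIENTS).items():
        for uri, problems in bad:
            print(f"{client_id}: {uri!r} -> {', '.join(problems)}")
```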

nevisMeta 1.12.0.0 - 18.08.2021

Changes and new features

Breaking changes

  • Moved an undocumented endpoint for getting a token in REST API V2 to a correct path and adapted the official documentation accordingly. This includes the following changes:

More information

For more information, see the chapter "Resources" in the nevisMeta reference guide.

General

  • NEW: This release provides new REST endpoints for deleting refresh tokens. Both a user and an admin can now delete one token or all tokens of a user under one setup. For more information, see the chapter "Resources" in the nevisMeta reference guide.
  • FIXED: When deleting a resource server with scopes configured as consent persisted, nevisMeta showed an error message and the resource server could not be deleted. This bug is now fixed.
  • FIXED: The GUI did not show the validation for the duplication of the valid_from setting when you edited an entity (setup, resource server, client) with a validity in the future. This feature already existed in the REST API. This bug is now fixed.

nevisMeta 1.11.0.5 - 05.07.2021

Changes and new features

General

  • FIXED: The bug that resulted in missing scopes from the client has been fixed. This bug happened when the maximum ID value was used to determine the newest active resource server states. Now the validity date is used instead of the ID.

nevisMeta 1.11.0.3 - 19.05.2021

Changes and new features

Breaking changes

  • It is no longer possible to create scopes in a resource server whose name already exists in the same setup. This restriction is enforced during the creation and import of a scope (either via the REST API or the GUI). If the database already contains previously created duplicates, a warning message appears in the log file, allowing you to solve the conflict manually by renaming the duplicates.

General

  • NEW: During the startup of a nevisMeta instance, the new Nevis logo is shown as ASCII art in nevismeta.log.
  • NEW: When accessing nevisMeta via the REST API, clients can now authenticate with an X509 certificate only; authentication via nevisProxy is no longer necessary. The certificate must include the Role attribute, as nevisMeta requires roles to create/edit/modify certain data.
  • FIXED: The shutdown of nevisMeta interrupted ongoing connections. From now on, once the stop command is executed, nevisMeta waits a maximum of 30 seconds until all connections are stopped, and then nevisMeta itself stops.
  • FIXED: In case the client secret was empty, nevisMeta stored it as an empty string. From now on, nevisMeta stores an empty client secret as NULL.
  • FIXED: When restoring a deleted future state, the default validity option was Valid immediately, which not only reset the state, but changed the date as well. The default is now Keep validity date as is. This change also corrects the behavior of the function Restore overrides future state changes, which erroneously restored past states as well.
  • FIXED: Queries for a client via the REST API erroneously also returned inactive/deleted client scope names. This bug is fixed. Now, only the active scope names of a client are returned.

nevisMeta 1.10.0.0 - 17.02.2021

Changes and new features

General

  • CHANGED: As of this release, it is possible to create clients with an empty grant_type and response_type via the REST API. Because of this change, the behavior of the REST API is now in line with that of the Web Console when creating a new client.
  • FIXED: The bug where a resource server disappeared from its original setup after you exported and reimported the server into another setup.
  • FIXED: The bug where responses in the REST API contained the Expires field twice. One of these fields was incorrect (it showed a 1970 expiry date). Now the field appears only once and with the correct value.
  • FIXED: The bug where the mapping of roles and userID using the Ninja configuration in the file nevismeta.properties did not work correctly.
  • REMOVED: The GlassFish deployment has been removed. Use the standalone deployment instead.

Breaking changes

  • As of this release, the REST API no longer returns soft deleted states by default.

nevisMeta 1.9.0.110 - 18.11.2020

Support for standalone deployment only

From this release on, only standalone deployment is supported, as mentioned in the NEVIS Product Lifetime and Platform Support Matrix.

Support for MariaDB database only

From this release on, only MariaDB is supported, as mentioned in the NEVIS Product Lifetime and Platform Support Matrix.

Changes and new features

General

  • FIXED: The bug that caused an incorrect WARN message to appear while starting nevisMeta. The incorrect WARN message has been removed.

Breaking changes

  • NEW: nevisMeta now enables the usage of the validAt query parameter on the following endpoints:

    If you do not provide the validAt query parameter, the system uses the current time as the default. This means that only one snapshot is ever returned.

    To search without checking the state validity, supply the value "any" for the validAt query parameter.

nevisMeta 1.8.0.98 - 19.08.2020

Changes and new features

General

  • NEW: nevisMeta now supports enabling hostname verification when client authentication is required in a standalone deployment. See the new verify-hostname attribute in the "Deployment Types" chapter of the reference guide for additional information.
  • FIXED: The Cancel button was not working properly when editing the Client / Resource server name on the UI. This issue has now been fixed.
  • FIXED: A typo in the configuration property server.auth.ninja.log-debug, server.auth.ninja.log_debug prevented detailed Ninja debug logs even if the appropriate package was set in the log4j.xml. This is now fixed.
  • FIXED: The bug that caused the nevismeta status command to write warning messages such as "lsof: WARNING: can't stat() ..." in the standard output (standalone deployment type) has been fixed.
  • FIXED: An error message in the log files incorrectly stating certain configuration options to be invalid has been fixed.
  • FIXED: We fixed a bug related to spaces inside JVM arguments in JAVA_OPTS (env.conf) for standalone deployments. It caused the error "Error: Could not find or load main class" and prevented nevisMeta from starting. A new array definition syntax is introduced for JAVA_OPTS, which also allows comments to be used between new lines. The old string type definition is still supported, but to fix the previously mentioned error, you need to change to the array type definition. For more information, see the "Deployment Types" chapter of the reference guide.

When directly using the server CLI to start nevisMeta, the manual sourcing of env.conf is no longer necessary. See the section "Example usage of the standalone CLI" in the "Deployment Types" chapter of the reference guide.

  • FIXED: Syntax errors while installing nevisMeta RPM (Examples: "invalid format character", "invalid group ID") have been fixed.

Breaking changes

  • Users can now create a new nevisMeta database with the nevismeta command (see the chapter "Persistence backend"). The old way can no longer be used.

nevisMeta 1.7.0.68 - 07.05.2020

Changes and new features

General

  • NEW: We now provide support for query parameters when querying the client and resource server identifiers in a given setup. Currently supported for MariaDB only.
  • NEW: We now provide support for query parameters when querying the setup identifiers. Currently supported for MariaDB only.
  • CHANGED: The web-based tool for migrating to MariaDB has been replaced by a command line tool (see "Migrating from Couchbase to MariaDB"). This tool is experimental.
  • CHANGED: For security reasons, the number of TLS protocols and ciphers supported by default by the standalone server has been reduced. See Server Configuration Properties in the nevisMeta Reference Guide for the updated list of supported ciphers and protocols.

This change may break existing deployments. If you use the protocols and ciphers supported by default and your clients do not support them, it is recommended that you update your HTTP clients. If this is not possible:

  • FIXED: The concurrency issue that generated unauthorized (401) and forbidden (403) HTTP errors has been fixed.
  • FIXED: The misconfiguration issue where the HTTP server in standalone deployments logged a WARNING on startup has been fixed.
  • DEPRECATED: The Couchbase Server persistence back end has been deprecated. It will be removed in the November 2020 rolling release. Migrating to MariaDB is recommended.
  • DEPRECATED: REST services do not include the identifier links in the response header.

This change may break existing deployments. If you require the identifiers in the response headers, add the attribute response.linkheader.enabled with the value "true" to the nevismeta.properties configuration file. Enabling this property could result in errors when a large number of results is returned by the query request, because the HTTP header size limit may be exceeded.

This backwards compatibility mode may be removed in future releases.

nevisMeta 1.6.0.46 - 10.04.2020

Changes and new features

  • FIXED: A concurrency issue that generated unauthorized (401) and forbidden (403) HTTP errors.

nevisMeta 1.6.0.45 - 13.02.2020

Changes and new features

General

  • FIXED: The bug where the truststore's passphrase could be left empty in the nevismeta.properties configuration file. (Ticket NEVISMETA-739)
  • FIXED: The bug where an exception was thrown at the startup of an application when the TLS connection configuration was missing. (Ticket NEVISMETA-740)
  • FIXED: The bug where the user could not re-import an existing setup. (Ticket NEVISMETA-730)
  • FIXED: The bug where the Force Reauthentication icon was missing when you created a Client entity based on the Setup's default values. (Ticket NEVISMETA-1142)
  • FIXED: The bug where you could create refresh tokens, even though this was not allowed (because the value of the Client attribute Refresh Token Grant was set to "Disallowed"). (Ticket NEVISMETA-1170)
  • FIXED: The bug where the client_id attribute was updated unintentionally when you modified a Client entity via the REST facade. (Ticket NEVISMETA-1174)
  • FIXED: The bug that caused a wrong error message to appear when you created or edited a Client with an invalid response type for the Authorization Code Grant. (Ticket NEVISMETA-1171)
  • FIXED: The bug where restoring a setup with the option Valid immediately resulted in an erroneous future active state of 00:00 on the next day. (Ticket NEVISMETA-1141)
  • FIXED: The bug where you could delete an entity's last remaining state via the nevisMeta Web GUI. This bug occurred when the remaining state was a future state, that is, had a future validity date. (Ticket NEVISMETA-1162)
  • DEPRECATED: The GlassFish deployment has been deprecated. It will be removed in the next release. We recommend using the standalone deployment instead.
  • DEPRECATED: The Couchbase Server persistence backend has been deprecated. It will be removed in a future rolling release. Migrating to MariaDB is recommended.

Upgrading from nevisMeta 1.5.3.x

Couchbase as persistence backend

There are no changes to the data model and configuration properties.

MariaDB as persistence backend

There are no changes to the data model and configuration properties.

nevisMeta 1.5.3.71 - 20.11.2019

Changes and new features

General

  • CHANGED: Revocation console improvements. (Tickets NEVISMETA-1108, NEVISMETA-1143)
  • CHANGED: Enable OAuth2 public clients with optional client secret. (Ticket NEVISMETA-1139)
  • CHANGED: nevisMeta supports PKCE mode from now on. Refer to, section Client Resource, for more details about the new attribute. (Ticket NEVISMETA-1136)
  • CHANGED: Implement a mechanism to trigger the database schema update manually (MariaDB only). (Tickets NEVISMETA-1091, NEVISMETA-1146)
  • CHANGED: Make Management Probes host configurable by adding a new key "management.server.host" in config file. (Ticket NEVISMETA-1039)
  • FIXED: The bug where duplicate error messages are shown when creating "Resource server" without "Entity name". (Ticket NEVISMETA-1019)
  • FIXED: The bug where all the scheduled deleted states were restored when the user restored a state. (Ticket NEVISMETA-729)
  • FIXED: The bug where the user is not able to restore the scheduled delete state on the same date. (Ticket NEVISMETA-713)
  • FIXED: The bug where the icon of "Force Reauthentication" is incorrect when the default value is "Reauthentication enforced". (Ticket NEVISMETA-852)
  • FIXED: The bug that prevents the user from restoring a deactivated entity on the same date as delete date. (Ticket NEVISMETA-1121)
  • FIXED: The bug where the user can input "zero" values into "TTL" fields when creating or editing an entity. (Ticket NEVISMETA-1125)
  • FIXED: Improve Repair tool to remove AuthorizationServer. Refer to: Couchbase inconsistency repair tool for more details about the tool. (Ticket NEVISMETA-1168)

Known bug

  • Only on Couchbase, due to its limited functionality: the total results always show the total number of refresh tokens/persisted consents in the database instead of the number of results found.

Upgrading from nevisMeta 1.5.2.1

Couchbase as persistence backend

There are no changes to the data model and configuration properties.

MariaDB as persistence backend

As of this release (1.5.3.71), nevisMeta supports PKCE, so there is an update in the MariaDB database structure. To migrate to the newest database version, refer to(.