Skip to main content
Version: 7.2402.x.x RR

Release notes

nevisIDM 7.2402.1.8173831181 - 28.03.2024

  • FIXED: Role search works correctly if one permission is application global and the other one is restricted to an application. (NEVISIDM-9408)
  • FIXED: Unit dataroom calculated correctly if one dataroom is unit global and the other one is restricted to a unit. (NEVISIDM-9426, NEVISIDM-9400)
  • UPGRADED: We updated Spring Framework to 6.0.17. (NEVISIDM-9405)
  • UPGRADED: We updated PostgreSQL Driver to 42.6.1.

nevisIDM 7.2402.0.7902594534 - 21.02.2024

Application versionMinimal required database schema versionMaximal supported database schema version
7.2402.0.79025945347.227.x

Breaking changes

General changes and new features

  • NEW: The encryption settings are settings that can be set as per Client. (NEVISIDM-9218)
  • NEW: We enhanced nevisIDM roles with credential-type specific permissions, allowing precise control over elementary rights tailored to specific credential types. Mobile Signature policy parameters create.restrictedRoles and modify.restrictedRoles are deprecated and will be removed in future versions. For further information: Credential-type specific permissions of nevisIDM roles. (NEVISIDM-9280)
  • NEW: We added dispatchTargetExtId field to Fido UAF credential. (NEVISIDM-9287)
  • NEW: We added the new fields neverLoggedInDaysNoActivity and neverLoggedInGracePeriod to UpdateUserStateJob. (NEVISIDM-9052)
  • NEW: We added the new notification NevisAdapt Notification with default Templates. (NEVISIDM-9082)
  • NEW: Application nevisAdapt added to IDM DB (NEVISIDM-9103)
  • NEW: We added the new configuration-property web.gui.textcrop.size to control multiline cropping. (NEVISIDM-9195)
  • FIXED: Property Value History displayed if multiple modification was done on the property. (NEVISIDM-9234)
  • FIXED: Application Encrypted Enum Property values now displayed correctly after creation. (NEVISIDM-9233)
  • FIXED: Client calculation for Application Dataroom now correctly sums the client for multiple datarooms. (NEVISIDM-9249, NEVISIDM-9250)
  • FIXED: Unit datarooms are now correctly handling child and parent units. (NEVISIDM-9283)
  • FIXED: SOAP AdminService webservice version 41 and 42 now in compliance with its xsd and does not display deviceId. (NEVISIDM-9301)
  • FIXED: User Search now handles multiple ordering columns correctly. (NEVISIDM-9305)
  • FIXED EncryptionFallbackCorrectorJob now has the AES/CBC/PKCS5Padding as default cipher used. (NEVISIDM-9308)
  • FIXED: The paging of queryCredentials now works properly. (NEVISIDM-9315, NEVISIDM-9374)
  • FIXED: From now on the usage of wildcards for userExtId inside queryCredentials is supported. (NEVISIDM-9225)
  • UPGRADED: We upgraded Spring Framework to 6.1.6. (NEVISIDM-9313)
  • UPGRADED: We upgraded json-path to 2.9.0. (NEVISIDM-9322)
  • FIXED: Sorting order is now incremental during role history queries. (NEVISIDM-9303)
  • FIXED: Search for Fido UAF APP_ID and KEY_ID fields now case-sensitive (NEVISIDM-9278)
  • IMPROVED: Atomikos max_timeout is now unlimited (NEVISIDM-9232) FIXED: Resolved issue with Elasticsearch query service intermittently returning cached/historical results for user assignments to units. (NEVISIDM-9227)
  • FIXED: Property Allowed value history now handles multiple property changes. (NEVISIDM-9244)
  • IMPROVED: Error message improved in getPhoneNumberInE164() (NEVISIDM-9193)

Auth States

  • IMPROVED: IdmFindUserState now can filter with firstName, name, loginId, state fields and return found user's extId in notes if only one user found. (NEVISIDM-8983)

General/Core

Web GUI

REST API

  • NEW: We added client level filtering for Fido UAF credential. (NEVISIDM-9219)

Web Services

Auth States

Configuration

Database

  • CHANGED: Users and their history tables name column sizes are increased. (NEVISIDM-9304)
    • TITLE field is increased from 20 to 64 characters;
    • NAME field is increased from 100 to 120 characters;
    • FIRST_NAME field is increased from 50 to 100 characters.
caution

We suggest to apply this migration in maintenance period because of possible high load during index recreations. In case of Oracle database the IIDMA_USER_FIRST_NAME_UP index has to be dropped before altering the FIRST_NAME column. If you have other function based index on the field FIRST_NAME (or on TITLE or NAME fields) the migration fails until you drop them manually.

Upgrading from nevisIDM 7.2311.x

Step 1: Installation

Install the packages of nevisIDM 7.2402.0.7902594534 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This removes the current installed version of nevisidmdb:

rpm -U nevisidmdb-7.2402.0.7902594534-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 7.2311.3.7525883571 - 16.01.2024

Application versionMinimal required database schema versionMaximal supported database schema version
7.2311.3.75258835717.207.x

General changes and new features

General/Core

  • IMPROVED: Atomikos max_timeout is now unlimited (NEVISIDM-9232)
  • FIXED: Search for Fido UAF APP_ID and KEY_ID fields now case-sensitive (NEVISIDM-9278)
  • FIXED: Property patch can again delete propertyValues (NEVISIDM-9239)

Database schema requirements

  • There was database level change, please perform nevisidmdb migrate to upgrade your schema.

nevisIDM 7.2311.1.7048238069 - 04.12.2023

Application versionMinimal required database schema versionMaximal supported database schema version
7.2311.1.70482380697.197.x

General changes and new features

General/Core

  • FIXED: % is usable as wildcard for user search again. (NEVISIDM-9178)
  • FIXED: Profile Details are displayable when deputy profile is set. (NEVISIDM-9196)
  • FIXED: Users with datarooms still are archiveable again. (NEVISIDM-9099)
  • UPGRADED: We upgraded Microsoft Azure Client Library For Service Bus to 7.14.6
  • IMPROVED: Improved case-insensitive filtering and searching on MariaDB. (NEVISIDM-9215)
  • FIXED: Resolved issue with Elasticsearch query service intermittently returning cached/historical results for user assignments to units. (NEVISIDM-9227)

Database schema requirements

nevisIDM 7.2311.0.6813600371 - 15.11.2023

Application versionMinimal required database schema versionMaximal supported database schema version
7.2311.0.68136003717.197.x

Breaking changes

Lucene/Elasticsearch related changes!

The index structure of the entities has been modified during refactoring, which may cause the Hibernate Query component to fail to upgrade without error. Therefore, delete all Lucene/Elasticsearch indexes associated with the IDM instance before starting. Once the IDM is started, it will re-index all entities as part of the startup process.

  • CHANGED: The nevisAuth session API only accepts String attribute values. Previously it was possible to add any value. If it was not a String, a warning was logged and it was not saved to the database. This change can be tricky with ScriptStates as groovy does not do type-safe checks for the session Map used in the scripts. It is possible to add and retrieve a non String value inside the script, but a java.lang.ClassCastException happens later. In those cases you have to check the scripts and change the behaviour to store a string value, by either changing your logic, or serialising your object to a String. (NEVISIDM-9089)

  • REMOVED: We removed the jcan-log and jcan-optrace third-party dependencies. OpTrace logging is replaced by OpenTelemetry. (NEVISIDM-9070)

General changes and new features

Auth States

General/Core

  • FIXED: UpdateUserStateJob now only sends one warning on the day when the user enters the grace period. (NEVISIDM-9085)
  • FIXED: If application.modules.event.retry.interval is not set or set to empty string, no exception is written into the application log. (NEVISIDM-8973)
  • FIXED: Role history now only displays properties set for the Role in questions. (NEVISIDM-8963)
  • FIXED: Newly changed onRoleForApp property values are now displayed correctly on Role History. (NEVISIDM-8962)
  • UPGRADED: We upgraded babel/traverse to 7.23.2. (NEVISIDM-9129)
  • UPGRADED: We upgraded AspectJ to 1.9.20.1. (NEVISIDM-9070)
  • UPGRADED: We upgraded Atomikos to 6.0.0. (NEVISIDM-9070)
  • UPGRADED: We upgraded CSRFGuard to 4.3.0-jakarta. (NEVISIDM-9070)
  • UPGRADED: We upgraded DirectWebRemoting to 3.0.4-RELEASE. (NEVISIDM-9070)
  • UPGRADED: We upgraded Spring HATEOAS to 2.1.2 (NEVISIDM-9070)
  • UPGRADED: We upgraded Artemis to 2.25.0 (NEVISIDM-9070)
  • UPGRADED: We upgraded Hibernate Commons Annotations to 6.0.6.Final. (NEVISIDM-9070)
  • UPGRADED: We upgraded Hibernate Validator to 8.0.1.Final. (NEVISIDM-9070)
  • UPGRADED: We upgraded Hibernate to 6.3.1.Final. (NEVISIDM-9070)
  • UPGRADED: We upgraded Hibernate Search to 6.2.2.Final. (NEVISIDM-9070)
  • UPGRADED: We upgraded Jakarta Mail to 2.1.2. (NEVISIDM-9070)
  • UPGRADED: We upgraded Jakarta XML Bind to 4.0.0. (NEVISIDM-9070)
  • UPGRADED: We changed Javax JSP API to Jakarta JSP API 3.1.1. (NEVISIDM-9070)
  • UPGRADED: We upgraded Xalan to 2.7.3. (NEVISIDM-9070)
  • UPGRADED: We upgraded netty to 4.1.100.Final. (NEVISIDM-9070)
  • UPGRADED: We changed Javax Persistance API to Jakarta Persistance API 3.1.4. (NEVISIDM-9070)
  • UPGRADED: We changed Javax Activation API to Jakarta Activation API 2.1.2. (NEVISIDM-9070)
  • UPGRADED: We changed Javax Authentication API to Jakarta Authentication API 3.0.0. (NEVISIDM-9070)
  • UPGRADED: We changed Javax Annotation API to Jakarta Annotation API 2.1.1. (NEVISIDM-9070)
  • UPGRADED: We changed Javax XML WS API to Jakarta XML WS API 4.0.0. (NEVISIDM-9070)
  • UPGRADED: We changed Javax JSTL JSP to Jakarta JSTL JSP 3.0.0. (NEVISIDM-9070)
  • UPGRADED: We upgraded Spring Beans API to 6.0.0. (NEVISIDM-9070)
  • UPGRADED: We changed Javax WS-Rs to Jakarta WS-RS 3.1.0. (NEVISIDM-9070)
  • UPGRADED: We upgraded Nevis Jcan Saml to 7.2311.0.2. (NEVISIDM-9070)
  • UPGRADED: We upgraded Nevis Jcan SecToken to 7.2311.0.3. (NEVISIDM-9070)
  • UPGRADED: We upgraded Nevis Ninja to 2.1.3.1. (NEVISIDM-9070)
  • UPGRADED: We upgraded slf4j to 2.0.9. (NEVISIDM-9070)
  • UPGRADED: We changed log4j-slf4j-impl to log4j-slf4j2-impl 2.20.0 (NEVISIDM-9070)
  • UPGRADED: We upgraded Snake Yaml to 2.2. (NEVISIDM-9070)
  • UPGRADED: We upgraded Spring Data to 3.1.4. (NEVISIDM-9070)
  • UPGRADED: We upgraded Spring to 6.0.12. (NEVISIDM-9070)
  • UPGRADED: We changed Apache Struts to Nevis Struts 1.4.5.8. (NEVISIDM-9070)
  • UPGRADED: We upgraded jsonSmart to 2.4.11. (NEVISIDM-9070)
  • UPGRADED: We upgraded jsonPath to 2.7.0. (NEVISIDM-9070)
  • CHANGED: Enterprise Role History now shows all assignments of a Role, not just the latest one. (NEVISIDM-9184)
  • CHANGED: User deletion performance is improved when many onProfileForAppGlobal, onProfileForApp are assigned. (NEVISIDM-9164)
  • CHANGED: Provisioning, DLQ, ExpiryQueue if SSL is used now verifies the certificate's host name. (NEVISIDM-9133)
  • CHANGED: We refactored the client history displays. The database view VIDMH_CLIENT is depreciated. Display now uses TIDMA_CLIENT_V and its related tables directly. (NEVISIDM-8838)
  • CHANGED: We refactored the personal answer displays. The database view VIDMH_PERSONAL_QUESTION is depreciated. Display now uses TIDMA_PERSONAL_QUESTION_V and its related tables directly. (NEVISIDM-8841)
  • CHANGED: We refactored the Property History related displays. The database views VIDMH_PROPERTY_ALLOWED_UNIQUE, VIDMH_PROPERTY, VIDMH_PROPERTY_UNIQUE, VIDMH_PROPERTY_VALUE_UNIQUE are deprecated. Search now uses TIDMA_PROPERTY_ALLOWED_VAL_V, TIDMA_PROPERTY_V, TIDMA_PROPERTY_VALUE_V and their related tables directly. (NEVISIDM-8844)
  • CHANGED: We refactored the template and template collection searches. The database views VIDMA_TEMP_COLL_MANAGER, VIDMA_TMPLCOLL_SEARCH_VIEW, VIDMA_TEMPLATE_DEFAULT, VIDMA_TMPL_SEARCH_VIEW and the stored query VIDMA_TEMPL_DEFAULT_SUB are deprecated. Searches are using TIDMA_TEMPLATE, TIDMA_TEMPLATE_COLLECTION and their related tables directly. (NEVISIDM-8833)
  • CHANGED: We refactored the credential history related searches. The database views VIDMH_CREDENTIAL, VIDMH_CREDENTIAL_UNIQUE, VIDMH_CRED_LOGIN_INFO, VIDMH_CRED_LOGIN_INFO_UNIQUE, and their stored queries are deprecated. Searches are using TIDMA_CREDENTIAL_V and TIDMA_CRED_LOGIN_INFO_V and their related tables directly. (NEVISIDM-8839)
  • CHANGED: We refactored the profile history related searches. The database views VIDMH_PROFILE, VIDMH_PROFILE_UNIQUE and their stored queries are deprecated. Searches are using the TIDMA_PROFILE_V and its related tables directly (NEVISIDM-8843).
  • CHANGED: We refactored the Authorization related searches. The database view VIDMA_AUTH_APPL_SEARCH, VIDMA_AUTH_CLIENT_SEARCH, VIDMA_AUTH_EROLE_SEARCH, VIDMA_AUTH_UNIT_SEARCH are deprecated. Search now uses TIDMA_AUTHORIZATION_APPL, TIDMA_AUTHORIZATION_CLIENT, TIDMA_AUTHORIZATION_EROLE, TIDMA_AUTHORIZATION_UNIT and their related tables directly. (NEVISIDM-8821)
  • CHANGED: We refactored the authorization related search. The database views VIDMA_AUTHORIZATION_SEARCH and VIDMA_AUTH_DICT_SEARCH are deprecated. Searches are using new view VIDMA_AUTHORIZATION and its related tables directly. (NEVISIDM-8820)
  • CHANGED: We refactored the Enterprise Authorization and Enterprise Role handling. The database view VIDMA_EAUTH_SEARCH_VIEW, VIDMA_EROLE_MB_MAY_ASSIGN_VIEW, VIDMA_EROLE_MEMBER_SEARCH_VIEW, VIDMA_EROLE_MEMBER_SEARCH_VIEW are deprecated. Search and display now uses TIDMA_ENTERPRISE_AUTH, TIDMA_ENTERPRISE_ROLE, TIDMA_EROLE_MEMBER and their related tables directly. (NEVISIDM-8825)
  • CHANGED: We refactored the Role handling. The database view VIDMH_ROLE, VIDMH_ROLE_UNIQUE are deprecated. Display now uses TIDMA_ROLE and its related tables directly. (NEVISIDM-8845)
  • CHANGED: We refactored the User History and User Login Info History handling. The database view VIDMH_USER, VIDMH_USER_LOGIN_INFO, VIDMH_USER_LOGIN_INFO_UNIQUE are deprecated. Display now uses TIDMA_USER_V, TIDMA_USER_LOGIN_INFO_V and their related tables directly. (NEVISIDM-8847)
  • CHANGED: We refactored the Property related searches. The database view VIDMA_PROP_ALD_VAL_SEARCH_VIEW, VIDMA_PROP_LANG_SEARCH, VIDMA_PROPERTY_SEARCH_VIEW, VIDMA_PROPERTY_VALUE_SEARCH are deprecated. Searches are using TIDMA_PROPERTY_ALLOWED_VAL, TIDMA_PROPERTY, TIDMA_PROPERTY_VALUE and their related tables directly. (NEVISIDM-8830)
  • CHANGED: We restored ClientId restriction capabilities for custom batch jobs that use UserSearchWrapper. (NEVISIDM-9051)
  • NEW: Added ch.nevis.idm.restException and ch.nevis.idm.soapException logs to log all exceptions on REST and SOAP interfaces. (NEVISIDM-9014)
  • FIXED: Without any policy assigned to it (even default policy), creation of credential is no more possible through SOAP request. (NEVISIDM-9187)

Web GUI

REST API

Web Services

  • FIXED: Searching for FIDO_UAF credentials by type and deviceId using queryCredentials on SOAP. (NEVISIDM-9083)

Auth States

Configuration

  • NEW: Added a new configuration database.connection.healthcheck.refresh that enables refreshing the connection pools before serving the health endpoint. (NEVISIDM-9016)

Database

Upgrading from nevisIDM 2.90.x

Step 1: Installation

Install the packages of nevisIDM 7.2311.0.6813600371 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This removes the current installed version of nevisidmdb:

rpm -U nevisidmdb-7.2311.0.6813600371-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.90.4.6798025192 - 15.11.2023

Database schema requirements

Application versionMinimal required database schema versionMaximal supported database schema version
2.90.4.67980251927.197.x

Breaking changes

Lucene/Elasticsearch related changes

The index structure of the entities got modified during refactoring, which may cause the Hibernate Query component to fail to upgrade without error. Therefore, delete all Lucene/Elasticsearch indexes associated with the IDM instance before starting. Once the IDM is started, it re-indexes all entities as part of the startup process.

General changes and new features

Auth States

General/Core

  • FIXED: TechnicalFilter on QueryRoles, QueryCredentails, QueryProfiles, QueryUsers works correctly again. (NEVISIDM-9186)
  • FIXED: UpdateUserStateJob now only sends warning on the days when the user enters the grace period. (NEVISIDM-9085)
  • FIXED: If application.modules.event.retry.interval is not set or set to empty string, no exception is written into the application log. (NEVISIDM-8973)
  • FIXED: Role history now only displays properties set for the Role in questions. (NEVISIDM-8963)
  • FIXED: Newly changed onRoleForApp property values are displayed correctly on Role History. (NEVISIDM-8962)
  • UPGRADED: We upgraded babel/traverse to 7.23.2. (NEVISIDM-9129)
  • UPGRADED: We upgraded jetty to 9.4.53.v20231009.
  • UPGRADED: We upgraded netty to 4.1.100.Final.
  • UPGRADED: We upgraded Snake Yaml to 2.2.
  • UPGRADED: We upgraded xmlsec to 2.3.4. (NEVISIDM-9133)
  • UPGRADED: We upgraded CSRFGuard to 4.3.0. (NEVISIDM-9094)
  • CHANGED: Enterprise Role History shows all assignments of a Role, not just the latest one. (NEVISIDM-9184)
  • CHANGED: User deletion performance is improved when many onProfileForAppGlobal, onProfileForApp are assigned. (NEVISIDM-9164)
  • CHANGED: Provisioning, DLQ, ExpiryQueue if SSL is used verifies the certificate's host name. (NEVISIDM-9133)
  • CHANGED: We refactored the client history displays. The database view VIDMH_CLIENT is depreciated. Display now is using TIDMA_CLIENT_V and its related tables directly. (NEVISIDM-8838)
  • CHANGED: We refactored the personal answer displays. The database view VIDMH_PERSONAL_QUESTION is depreciated.. Display now us ising TIDMA_PERSONAL_QUESTION_V and its related tables directly. (NEVISIDM-8841)
  • CHANGED: We refactored the Property History related displayes. The database view VIDMH_PROPERTY_ALLOWED_UNIQUE, VIDMH_PROPERTY, VIDMH_PROPERTY_UNIQUE, VIDMH_PROPERTY_VALUE_UNIQUE are deprecated. Search now uses TIDMA_PROPERTY_ALLOWED_VAL_V, TIDMA_PROPERTY_V, TIDMA_PROPERTY_VALUE_V and their related tables directly. (NEVISIDM-8844)
  • CHANGED: We refactored the template and template collection searches. The database views VIDMA_TEMP_COLL_MANAGER, VIDMA_TMPLCOLL_SEARCH_VIEW, VIDMA_TEMPLATE_DEFAULT, VIDMA_TMPL_SEARCH_VIEW and the stored query VIDMA_TEMPL_DEFAULT_SUB are deprecated. Searches use TIDMA_TEMPLATE, TIDMA_TEMPLATE_COLLECTION and their related tables directly. (NEVISIDM-8833)
  • CHANGED: We refactored the credential history related searches. The database views VIDMH_CREDENTIAL, VIDMH_CREDENTIAL_UNIQUE, VIDMH_CRED_LOGIN_INFO, VIDMH_CRED_LOGIN_INFO_UNIQUE, and their stored queries are deprecated. Searches use TIDMA_CREDENTIAL_V and TIDMA_CRED_LOGIN_INFO_V and their related tables directly. (NEVISIDM-8839)
  • CHANGED: We refactored the profile history related searches. The database views VIDMH_PROFILE, VIDMH_PROFILE_UNIQUE and their stored queries are deprecated. Searches use the TIDMA_PROFILE_V and its related tables directly (NEVISIDM-8843).
  • CHANGED: We refactored the persistent queue related searches. The database view VIDMA_PERSIST_QUEUE_SEARCH is deprecated. (NEVISIDM-8826)
  • CHANGED: We refactored the credential related search. Search uses the database view VIDMA_CREDENTIAL_SEARCH_VIEW and its related tables directly. (NEVISIDM-8823, NEVISIDM-9111)
  • CHANGED: We refactored the unit credential policy related search. The database view VIDMA_UNIT_CRED_POLICY_SEARCH is deprecated. Search uses the TIDMA_UNIT_CRED_POLICY and its related tables directly. (NEVISIDM-8834)
  • CHANGED: We refactored the data authorization related search. The database view VIDMA_DATA_AUTH_SEARCH_VIEW is deprecated. Search uses the TIDMA_PROFILE and its related tables directly. (NEVISIDM-8824)
  • CHANGED: We refactored the policy configuration history and policy parameter history related searches. The database views VIDMH_POLICY_CONFIGURATION, VIDMH_POLICY_PARAMETER are deprecated. Searches use TIDMA_POLICY_CONFIGURATION_V, TIDMA_POLICY_PARAMETER_V and their related tables directly. (NEVISIDM-8842)
  • CHANGED: We refactored the unit history related search. The database view VIDMH_UNIT and its stored queries are deprecated. Search uses the TIDMA_UNIT_V and its related tables directly. (NEVISIDM-8846)
  • CHANGED: We refactored the Enterprise Authorization History and Enterprise Role History handling. The database view VIDMH_ENTERPRISE_AUTH, VIDMH_ENTERPRISE_AUTH_UNIQUE, VIDMH_ENTERPRISE_ROLE, VIDMH_EROLE_MEMBER_UNIQUE are deprecated. Display now uses TIDMA_ENTERPRISE_AUTH_V, TIDMA_ENTERPRISE_ROLE_V, TIDMA_EROLE_MEMBER_V and their related tables directly. (NEVISIDM-8840)
  • CHANGED: We refactored the Authorization related searches. The database views VIDMA_AUTH_APPL_SEARCH, VIDMA_AUTH_CLIENT_SEARCH, VIDMA_AUTH_EROLE_SEARCH, VIDMA_AUTH_UNIT_SEARCH are deprecated. Search now uses TIDMA_AUTHORIZATION_APPL, TIDMA_AUTHORIZATION_CLIENT, TIDMA_AUTHORIZATION_EROLE, TIDMA_AUTHORIZATION_UNIT and their related tables directly. (NEVISIDM-8821)
  • CHANGED: We refactored the authorization related search. The database views VIDMA_AUTHORIZATION_SEARCH and VIDMA_AUTH_DICT_SEARCH are deprecated. Searches are using new view VIDMA_AUTHORIZATION and its related tables directly. (NEVISIDM-8820)
  • CHANGED: We refactored the Enterprise Authorization and Enterprise Role handling. The database views VIDMA_EAUTH_SEARCH_VIEW, VIDMA_EROLE_MB_MAY_ASSIGN_VIEW, VIDMA_EROLE_MEMBER_SEARCH_VIEW, VIDMA_EROLE_MEMBER_SEARCH_VIEW are deprecated. Search and display now uses TIDMA_ENTERPRISE_AUTH, TIDMA_ENTERPRISE_ROLE, TIDMA_EROLE_MEMBER and their related tables directly. (NEVISIDM-8825)
  • CHANGED: We refactored the Role handling. The database views VIDMH_ROLE, VIDMH_ROLE_UNIQUE are deprecated. Display now uses TIDMA_ROLE and its related tables directly. (NEVISIDM-8845)
  • CHANGED: We refactored the User History and User Login Info History handling. The database view VIDMH_USER, VIDMH_USER_LOGIN_INFO, VIDMH_USER_LOGIN_INFO_UNIQUE are deprecated. Display now uses TIDMA_USER_V, TIDMA_USER_LOGIN_INFO_V and their related tables directly. (NEVISIDM-8847)
  • CHANGED: We refactored the Property related searches. The database views VIDMA_PROP_ALD_VAL_SEARCH_VIEW, VIDMA_PROP_LANG_SEARCH, VIDMA_PROPERTY_SEARCH_VIEW, VIDMA_PROPERTY_VALUE_SEARCH are deprecated. Searches use TIDMA_PROPERTY_ALLOWED_VAL, TIDMA_PROPERTY, TIDMA_PROPERTY_VALUE and their related tables directly. (NEVISIDM-8830)
  • NEW: Added ch.nevis.idm.restException and ch.nevis.idm.soapException logs to log all exceptions on REST and SOAP interfaces. (NEVISIDM-9014)

Web GUI

REST API

Web Services

  • FIXED: Searching for FIDO_UAF credentials by type and deviceId using queryCredentials on SOAP. (NEVISIDM-9083)

Auth States

Configuration

  • NEW: Added a new configuration database.connection.healthcheck.refresh that enables refreshing the connection pools before serving the health endpoint. (NEVISIDM-9016)

Database

  • FIXED: Sequences are now assigned to the primary keys of the tables on PostgreSQL. (NEVISIDM-9065)
  • FIXED: Missing indexes of foreign keys are added on PostgreSQL. (NEVISIDM-9066)

Upgrading from nevisIDM 2.90.x

Step 1: Installation

Install the packages of nevisIDM 2.90.4.6798025192 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This removes the current installed version of nevisidmdb:

rpm -U nevisidmdb-2.90.4.6798025192 -1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.90.3.6566055173 - 24.10.2023

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.90.3.65660551737.167.x

General changes and new features

General/Core

  • CHANGED: Database migration now creates Default FIDO Policy for Default Client if previously it did not have one from refdata created. (NEVISIDM-8926) ::info If you already defined a default FIDO UAF Policy, delete the newly added policy. ::
  • FIXED: Now getUserByEmail SOAP call checks for client too, thus IDMUserVerifyState issue is fixed, where it could not differentiate between similar email addresses on different clients, (NEVISIDM-9114)
  • FIXED: User search handles Last Name as case insensitive, as in previous releases before 2.90. (NEVISIDM-9128)
  • FIXED: IdmUrlTicketVerify and User Search now accommodate users whose case-insensitive fields contain characters with undefined capitalization rules, such as ß. (NEVISIDM-9095)

nevisIDM 2.90.2.6273800741 - 25.09.2023

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.90.2.62738007417.157.x

General changes and new features

General/Core

  • FIXED: Searching for deleted Personal Questions, Profiles, Enterprise Roles, Applications, Clients and Units are possible if no Display name, Question or Abbreviation was defined for the search language. (NEVISIDM-9053)
  • FIXED: Profiles assigned to a Unit displayed on Unit's page. (NEVISIDM-9058).
  • FIXED: Profiles displayed on User's page if containing unit's display name or abbreviation not set. (NEVISIDM-9058).
  • FIXED: Application search if search.dataroomrestrictions.enabled is true handles multiple role's dataroom if one of the role's dataroom is global. (NEVISIDM-9075)
  • FIXED: Resolved performance issue on detailed User search, which was also affecting login. (NEVISIDM-9074)

nevisIDM 2.90.1.5997238838 - 29.08.2023

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.90.1.59972388387.157.x

General changes and new features

General/Core

  • FIXED: Now URLTicket creation on Administration GUI, with policy parameter exposeToCaller set to true, does not generate exception, (NEVISIDM-9050).

nevisIDM 2.90.0.5832994866 - 16.08.2023

Database schema requirements

Application versionMinimal required database schema versionMaximal supported database schema version
2.90.0.58329948667.157.x

Breaking changes

  • CHANGED: Credential validity date calculation if validityFrom is set but validityTo is not, then IDM calculates validityTo date from validityFrom date instead of the current date. Previous calculation can be reactivated with validityDateCalculationVersion set to v1 in the relevant credentail policy. (NEVISIDM-8974)
  • NEW: Fido UAF policy introduced. If you use IDM on an existing instance, create a default FIDO UAF policy for every client where FIDO UAF credentials are allowed. (NEVISIDM-8926)

General changes and new features

Auth States

General/Core

  • FIXED: User injection related log messages are added back for REST and SOAP services. (NEVISIDM-9001)
  • CHANGED: We refactored the application history searches. The database views VIDMH_APPL_HISTORY_SEARCH_VIEW is deprecated. (NEVISIDM-8819)
  • CHANGED: We refactored the personal question and personal answer searches. The database views VIDMA_PERSQUESTION_SEARCH_VIEW and VIDMA_PERSANSWER_SEARCH_VIEW are deprecated. Searches are using TIDMA_PERSONAL_QUESTION, TIDMA_PERSONAL_ANSWER and their related tables directly. (NEVISIDM-8827)
  • CHANGED: We refactored and simplified the Login ID generator. IDM no longer use GENERATE_LOGIN_ID stored procedure. The generator use TIDMA_LOGIN_ID_GENERATION directly and no longer query TIDMA_USER table about possible key collision that caused very high resource consumption and possible deadlock. (NEVISIDM-8924)
  • CHANGED: We refactored the policy configuration and policy parameter searches. The database views VIDMA_POLICY_CFG_SEARCH_VIEW and VIDMA_POLICY_PARAM_SEARCH_VIEW are deprecated. Searches are using TIDMA_POLICY_CONFIGURATION, TIDMA_POLICY_PARAMETER and their related tables directly. (NEVISIDM-8828)
  • CHANGED: We refactored the role related search. The database views VIDMA_ROLE_MAY_ASSIGN_VIEW, VIDMA_ROLE_MAY_ASSIGN_VIEW_MINUS and VIDMA_ROLE_SEARCH_VIEW are deprecated. (NEVISIDM-8831)
  • CHANGED: We refactored the SAML Federation searches. The database view VIDMA_SAML_SEARCH_VIEW is deprecated. (NEVISIDM-8832)
  • FIXED: fidouaf_user_agent property is inserted on new instances. (NEVISIDM-8975)
  • CHANGED: Database trigger for MariaDB reworked to not lock TIDMA_USER table (NEVISIDM-8943).
  • CHANGED: We refactored the client searches and client application assigment searches. The database views VIDMA_CLIENT_APP_SEARCH_VIEW and VIDMA_CLIENT_SEARCH_VIEW are deprecated. Searches are using TIDMA_CLIENT, TIDMA_CLIENT_APPLICATION and their related tables directly. (NEVISIDM-8822)
  • CHANGED: We refactored the application history searches. The database view VIDMH_APPLICATION is deprecated. Searches are using TIDMA_APPLICATION_V and its related tables directly. (NEVISIDM-8836)
  • CHANGED: We refactored the user count by enterprise role and user search by roles. The database views VIDMA_USER_COUNT_BY_EROLE and VIDMA_USER_ROLE_SEARCH_VIEW are deprecated. Searches are using TIDMA_AUTHORIZATION, TIDMA_ENTERPISE_AUTH and their related tables directly. (NEVISIDM-8835)
  • CHANGED: We refactored the user searches. The database view VIDMA_USER_SEARCH_VIEW is deprecated. Searches are using TIDMA_USER and its related tables directly. (NEVISIDM-8708)
  • CHANGED: We refactored the profile searches. The database views VIDMA_PROFILE_DICT_SEARCH, VIDMA_PROFILE_SEARCH_VIEW, VIDMA_PROFILE_BY_ALL_ROLE_SRCH, VIDMA_PROFILE_BY_APPLDR_SEARCH, VIDMA_PROFILE_BY_DR_SEARCH, VIDMA_PROFILE_BY_EROLE_SEARCH, VIDMA_PROFILE_BY_EROLEDR_SRCH, VIDMA_PROFILE_BY_ROLE_SEARCH, VIDMA_PROFILE_BY_UNIT_SEARCH, VIDMA_PROFILE_BY_UNITDR_SEARCH, VIDMA_PROFILE_BY_UNITDRS_SRCH are deprecated. Searches are using TIDMA_PROFILE and its related tables directly. (NEVISIDM-8765, NEVISIDM-8829)
  • UPDATED: We upgraded Guava to 32.0.1.(NEVISIDM-8982)
  • UPDATED: We upgraded netty to 4.1.94.Final.(NEVISIDM-8982)
  • FIXED: Pending terms are now calculated correctly, when consent for previous versions exists (NEVISIDM-8956).
  • NEW: FIDO UAF credential type now has its own policy. (NEVISIDM-8926)
  • CHANGED: When a credential's policy is changed its validity is recalculated with the new policy. (NEVISIDM-8926)
  • CHANGED: The format of Recovery Codes UsageDate is changed to ISO 8601 date and time format. (NEVISIDM-8792)
  • FIXED: Importing user with Vasco Credential through SCIM without specifying an extId is now not a viable option. (NEVISIDM-8761)
  • FIXED: Importing user with Vasco Credential through SCIM is now possible even if the Vasco Token was created earlier. (NEVISIDM-8782)
  • CHANGED: On Vasco Credential management screen the fields ID and User ID are navigable to their corresponding credential and user. (NEVISIDM-8925)
  • NEW: On Vasco Credential management screen there is an additional column to unassign the Vasco Token from its user. (NEVISIDM-8925)
  • NEW: We have expanded the endpoint for retrieving units by their client to include filtering options. You can now filter units by their name, hname, extid, state, location and description fields. (NEVISIDM-8935)
  • CHANGED: MariaDB related SQL scripts were moved to specific folder. (NEVISIDM-8930)
  • EXPERIMENTAL: Introduced support for PostgreSQL 15.0-15.3 databases. (NEVISIDM-8930)

Web GUI

  • CHANGED: Report generators refactored. (NEVISIDM-8753)
    • Units report no longer use VIDMA_UNIT_SEARCH_VIEW. It uses the TIDMA_UNIT and related tables directly.
    • Applications report no longer use VIDMA_APPLICATION_SEARCH_VIEW. It uses TIDMA_APPLICATION and related tables directly.
    • Users report no longer use VIDMA_REPORT_USER_VIEW. It uses TIDMA_USER and related table directly.
    • Users per application report no longer use VIDMA_USERPERAPPL_VIEW. It uses new view VIDMA_USER_AUTHORIZATIONS.
      • The report extended with enterprise role information (NEVISIDM-8866 / EJPDIDMSUP-11)
    • Applications per user report no longer use VIDMA_APPLPERUSER_VIEW. It uses new view VIDMA_USER_AUTHORIZATIONS.
      • The report extended with enterprise role information (NEVISIDM-8866 / EJPDIDMSUP-11)
    • Users per credential report no longer use VIDMA_USERPERCRED_VIEW. It uses TIDMA_CREDENTIAL and related tables directly.
    • Data room report no longer use VIDMA_DR_REPORT_VIEW. It uses TIDMA_AUTHORIZATION and related tables directly.
      • Ordering corrected for better clarity:
        • The fifth ordering element is the user's profile name;
        • Data room elements are displayed consecutively. At first the client, then the unit level and so on.

REST API

Web Services

Auth States

  • FIXED: jcan.Op logs are also written if idm.service.locator.version=V2 is used. (NEVISIDM-8992)
  • NEW: IDMRestInterface for authStates in nevisidmcl is extended with new methods to handle request and response with oomplex objects. (NEVISIDM-8991)
  • NEW: New property requirePasswordConfirmation added to IdmPasswordResetState, with default value true. If set to false the AuthState does not require confirmation of the new password. (NEVISIDM-9004)

Configuration

Upgrading from nevisIDM 2.89.x

Step 1: Installation

Install the packages of nevisIDM 2.90.0.5832994866 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This removes the current installed version of nevisidmdb:

rpm -U nevisidmdb-7.15.0.5832994866-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.89.3.5474270617 - 10.07.2023

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.89.3.54742706177.137.x

General changes and new features

General/Core

  • CHANGED: Database trigger for MariaDB reworked to not lock TIDMA_USER table (NEVISIDM-8943).
  • FIXED: Performance issues related to the creation or update of a Unit with an extensive number of sub-units are resolved (NEVISIDM-8985 / ZD NEVISIDM-8979 / #2037).
  • FIXED: Unit data room filtering restored to use partial matching on PATH field of TIDMA_UNIT_PATH table (NEVISIDM-8970 / NEVISIDM-8961 / ZD #1991).
  • FIXED: Pending terms are now calculated correctly, when consent for previous versions exists (NEVISIDM-8956).
  • FIXED: Fix Runtime Configuration related issues about distributed event handling (NEVISIDM-8932).

nevisIDM 2.89.0.4955612706 - 17.05.2023

Database schema requirements

Application versionMinimal required database schema versionMaximal supported database schema version
2.89.0.49556127067.127.x

Breaking changes

  • UPDATED: The default value for security.properties.cipher changed to AES/GCM/NoPadding. In systems, where this value was set, no configuration change is necessary, the update will not affect the decryption process. In systems, where this value was not set, enabling the decryption fallback mechanism with security.properties.fallback.enabled is recommended. This will allow the decryption of old values, which were encrypted with the old default. Alternatively, the cipher can be set to the old value to maintain the same decryption process. (NEVISIDM-8771)

General changes and new features

Auth States

General/Core

  • UPDATED: slf4j is updated to 2.0.6 (NEVISIDM-8649)
  • UPDATED: CSRF Guard is updated to 4.2.0 (NEVISIDM-8649)
  • UPDATED: JAXB runtime is updated to 4.0.1 (NEVISIDM-8649)
  • UPDATED: aopalliance-repackaged is updated to 3.0.3 (NEVISIDM-8649)
  • UPDATED: aspectj is updated to 1.9.19 (NEVISIDM-8649)
  • UPDATED: java-jwt is updated to 4.2.2 (NEVISIDM-8649)
  • UPDATED: libphonenumber is updated to 8.13.5 (NEVISIDM-8649)
  • UPDATED: jackson is updated to 2.14.2 (NEVISIDM-8649)
  • UPDATED: nimbus-jose-jwt is updated to 9.30 (NEVISIDM-8649)
  • UPDATED: picocli is updated to 4.7.1 (NEVISIDM-8649)
  • UPDATED: Jakarta XML-Bind is updated to 4.0.0 (NEVISIDM-8649)
  • UPDATED: Apache POI updated to 5.2.3 (NEVISIDM-8649)
  • UPDATED: Spring updated to 5.3.27. (NEVISIDM-8849)
  • UPDATED: Angular updated to 15. (NEVISIDM-8633)
  • FIXED: Older audit files now get deleted, if audit backup file count exceeds maximum number of audit log backup files. Maximum number of audit log backup files can be configured with application.modules.auditing.rolling.file.max.backup.count. Zero and negative values turn off the clean-up functionality, (NEVISIDM-8622)
  • FIXED: User input would no longer be logged at URL Ticket creation. (NEVISIDM-8770)
  • FIXED: In UpdateUserStateJob the properties excludeTechnicalUsers, and excludeMainUsers are true by default. (NEVISIDM-8800)
  • FIXED: IdmPasswordResetState now only calls POLICY_FAILURE in the case when password policies are violated. (NEVISIDM-8891)
  • NEW: Reference data now contains nevisMeta application with admin and user roles. Bootstrap user has the role nevisMeta.admin. (NEVISIDM-8788)
  • NEW: Configuration property application.scim.idm.uri added to customize SCIM Meta Location URIs. (NEVISIDM-8863)
  • CHANGED: For Recovery Code credential the SCIM export sends the codes decrypted and the SCIM import encrypts the incoming codes. (NEVISIDM-8685)
  • CHANGED: For Context Password credential if it is encrypted (instead of hashed), the SCIM export sends the value of the password decrypted. In case of SCIM import the value of the password is encrypted if the chosen policy says so. If the Context Password is hashed its value is exported and imported hashed. (NEVISIDM-8686)
  • CHANGED: For Otp credential the SCIM export sends the value of the OTP Card decrypted and the SCIM import encrypts that part of the incoming data. (NEVISIDM-8684)
  • FIXED: SCIM user search by userName takes into account the application.feature.loginid.casesensitive.enabled setting and searches for the user based on that. (NEVISIDM-8713)
  • CHANGED: For OATH credential the SCIM export sends the secret decrypted and the SCIM import encrypts the incoming secret of the credential. (NEVISIDM-8682)
  • FIXED: If the permission is denied for a request by unit dataroom restrictions, the returned HTTP status code is 403 instead of 500. (NEVISIDM-8848)
  • FIXED: Deletion of Fido2, FidoUaf and MTan credential is now not possible via REST request if its corresponding user's extId is not correct. (NEVISIDM-8854)
  • CHANGED: Client, credential, enterprise role, personal question, profile, unit, and user history searches were refactored. The database views VIDMH_APPL_HISTORY_SEARCH_VIEW, VIDMH_CLIENT_HIST_SEARCH_VIEW, VIDMH_CRED_HISTORY_SEARCH_VIEW, VIDMH_EROLE_HIST_SEARCH_VIEW, VIDMH_UNIT_HISTORY_SEARCH_VIEW, VIDMH_USER_HISTORY_SEARCH_VIEW are deprecated. (NEVISIDM-8763)
  • NEW: Reference data now contains two new generic notification e-mail templates for nevisAdapt with the communication event types USER_NOTIFICATION_17, and USER_NOTIFICATION_20. (NEVISIDM-8806)

Web GUI

REST API

Web Services

Auth States

Configuration

Upgrading from nevisIDM 2.88.x

Step 1: Installation

Install the packages of nevisIDM 2.89.0.4955612706 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This removes the current installed version of nevisidmdb:

rpm -U nevisidmdb-7.12.0.4955612706-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.88.1.4678820627 - 19.04.2023

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.88.1.46788206277.117.x

General changes and new features

General/Core

  • FIXED: Remote messaging bridge session instability fixed. (NEVISIDM-8631)
  • CHANGED: Read-only transactions use non XA datasource (NEVISIDM-8773)
    • Two DB pools are initiated in case XA enabled:
      • You can configure the non XA pool independently; the read-only database can be a replication, completely independent of the read-write database;
      • In case no configuration for non XA pool the main configuration attributes are used (XA pool configuration);
      • See new configuration attributes in DB connection and DB connection pooling;
    • Only one DB pool is initiated in case XA disabled.

Upgrading from nevisIDM 2.87.x

Step 1: Installation

Install the packages of nevisIDM 2.88.1.4678820627 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This removes the current installed version of nevisidmdb.

rpm -U nevisidmdb-7.11.1.4678820627-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.

Restart the affected nevisAuth instances.

nevisIDM 2.88.0.4105994907 - 15.02.2023

Database schema requirements

Application versionMinimal required database schema versionMaximal supported database schema version
2.88.0.41059949077.117.x

Breaking changes

  • CHANGED: We upgraded MariaDB Driver is to 2.7.6. (NEVISIDM-8480)
    • In Connection URL in nevisidm an nevisidmdb properties file must contain useMysqlMetadata=true query parameter
  • CHANGED: We renamed the following fields of the SCIM interface, to be standard compliant. For usage of these objects, check apib. (NEVISIDM-8694)
    • The resources field to Resources in ListResponse
    • The operations field to Operations in BulkRequest
    • The operations field to Operations in BulkResponse

General changes and new features

Auth States

  • CHANGED: The nevisIDM REST client factory (class ch.nevis.idm.client.IdmRestClientFactory) is now a Singleton which means you have to adapt your Groovy scripts to access nevisIdm. The new client supports connection pooling and uses the new HttpClient provided by nevisAuth which gives additional configuration options. (NEVISIDM-8612)

General/Core

  • FIXED: The provisioning data now contains the same version of applications, and roles as the history tables. (NEVISIDM-8285)
  • CHANGED: The default value for the size of the JMS Connection Pool is changed to 10 from 1 and configurable in nevisidm-prod.properties. This was necessary because with the original value the JMS template built a new connection for each message and that took a lot of heap and processing time. (NEVISIDM-8507)
  • CHANGED: We replaced the HTTP session with cache for SOAP and Rest services to hold authentication data. The solution highly reduces memory consumption. (NEVISIDM-8524)
  • UPGRADED: We upgraded netty to 4.1.86.Final. (NEVISIDM-8588)
  • UPGRADED: We upgraded Apache CXF to 3.5.5. (NEVISIDM-8589)
  • UPGRADED: We upgraded Azure Servicebus to 7.13.0. (NEVISIDM-8596)
  • UPGRADED: We upgraded Angular to 14.2.12. (NEVISIDM-8682)
  • CHANGED: We improved the performance of certificate login. (NEVISIDM-8487)
  • NEW: We enabled prepared statement caching to improve performance. (NEVISIDM-8480)
  • NEW: We reworked UpdateUserStateJob. No configuration changed. (NEVISIDM-4399)
  • Upgraded: We upgraded ninja to 2.1.3.1. (NEVISIDM-8579)
  • CHANGED: Policy search performance improve by using table directly instead of view. (NEVISIDM-8572).
  • PERFORMANCE: The health check endpoint invocation uses less memory (NEVISIDM-8476).
  • PERFORMANCE: Server side prerepare statement caching is now used in nevisIDM. (NEVISIDM-8480)
    • In case of MariaDB usage we advice setting the following query parameters is IDM connection string cachePrepStmts=true, useServerPrepStmts=true, prepStmtCacheSize=1000
  • PERFORMANCE: Improved certificate authentication performance. (NEVISIDM-8487)
  • NEW: IDMCreateCredential AuthState now has a new parameter addPolicyViolationsToNotes which if set true, the Authstate adds the failed policy verifications to the notes section of its output. (PAT-185)
  • FIXED: Property and client import now handles incorrect imports, and imports correct ones even if there is one incorrect defined (NEVISID-8518)
  • NEW: NevisIDM officially supports MariaDB 10.6. (NEVISIDM-8545)
  • FIXED: Failure of custom property and client creation at start up time is now fixed. (NEVISIDM-8517)
  • NEW: From now on, PDF file is sent out to /tmp/printing when an OTP card with PDFstore sending method is created.

Web GUI

REST API

  • FIXED: jcan.Op now logs REST requests. (NEVISIDM-8556)
  • FIXED: SCIM user creation now provides useful information in case of invalid roleExtId.
  • NEW: Kerberos credential is now supported by the SCIM interface. From now on, you can see and send the Kerberos credential details. (NEVISIDM-7831)
  • NEW: Vasco credential is now supported by the SCIM interface. From now on, you can see and send the Vasco credential details. (NEVISIDM-7833)
  • NEW: URL Ticket credential is now supported by the SCIM interface. From now on, you can see and send the URL Ticket credential details. (NEVISIDM-7835)
  • NEW: Device Password credential is now supported by the SCIM interface. From now on, you can see and send the Device Password credential details. (NEVISIDM-7836)
  • NEW: Mobile Signature credential is now supported by the SCIM interface. From now on, you can see and send the Mobile Signature credential details. (NEVISIDM-7837)
  • NEW: Oath credential is now supported by the SCIM interface. From now on, you can see and send the Oath credential details. (NEVISIDM-7841)
  • NEW: One Time Password (OTP) credential is now supported by the SCIM interface. From now on, you can see and send the OTP credential details. (NEVISIDM-8630)
  • NEW: SAML federation credential is now supported by the SCIM interface. From now on, you can see and send the SAML federation credential details. (NEVISIDM-7838)
  • NEW: Security question credential is now supported by the SCIM interface. From now on, you can see and send the Security Question credential details. (NEVISIDM-7839)
  • NEW: The endpoint login-info is added to the User REST Services for updating login information. UserGetDTO is extended with the lastSuccessfulLoginDate, and lastFailedLoginDate attributes. (NEVISIDM-8616)
  • NEW: Verify password auth REST service is introduced. (NEVISIDM-8617)
  • NEW: Verify device password auth REST service is introduced. (NEVISIDM-8618)
  • NEW: Verify context password auth REST service is introduced. (NEVISIDM-8619)
  • NEW: From now on, you can filter SCIM users by credential-specific attributes. (NEVISIDM-8629)

Web Services

  • FIXED: Application can now be specified for a new authorization in a multi-client environment on SOAP, even if it is not for the client defined for the authorization but for one of the authorized clients (NEVISIDM-8406)

Auth States

  • NEW: To align the IDM AuthStates TLS key material configuration with the new HttpClient configuration options in nevisAuth, new properties are available. Note that the IDM AuthStates still use the SOAP client, so available options are limited to TLS. For more information see the migration guide (NEVISIDM-8612)

Configuration

  • CHANGED: We removed the webservice.limits.httpsession.inactiveinterval configuration, and introduced webservice.limits.auth.cache.expire.after and webservice.limits.auth.cache.max.size, see Configuration Files. (NEVISIDM-8524).
  • NEW: We introduced the database.connection.xa.enabled configuration, to enable switching off XA in case of provisioning disabled. (NEVISIDM-8562)

Database

  • CHANGED: In the case of MariaDB, transaction ID is generated based on the XA configuration. (NEVISIDM-8562)

Upgrading from nevisIDM 2.87.x

Step 1: Installation

Install the packages of nevisIDM 2.88.0.4105994907 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This will remove the current installed version of nevisidmdb:

rpm -U nevisidmdb-7.11.0.4105994907-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.87.1.3581212047 - 02.12.2022

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.87.1.35812120477.107.x

General changes and new features

General/Core

  • FIXED: We fixed the healthcheck endpoint. From now on, you do not need to use liveness. (NEVISIDM-8476)
  • FIXED: Service locator V2 now maintains HTTP sessions as well to avoid creating new sessions for each SOAP call from nevisAuth. (NEVISIDM-8528)
  • FIXED: You can now configure the provisioning JMS queue connection factory pool size through application.jms.connection.pool.size in nevisidm-prod.properties to avoid creating new connections for each provisioning message. and The default value is 10 instead of 1. (NEVISIDM-8507)

Upgrading from nevisIDM 2.86.x

Step 1: Installation

Install the packages of nevisIDM 2.87.1.3581212047 on the server.

Step 2: Configuration files

In nevisidm-prod.properties you can control JMS connection factory pool size with application.jms.connection.pool.size configuration property. The default value is 10.

Step 3: Database

Update the nevisidmdb package with the following command. This will remove the current installed version of nevisidmdb.

rpm -U nevisidmdb-7.10.1.3581212047-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.

Restart the affected nevisAuth instances.

nevisIDM 2.87.0.3469446643 - 16.11.2022

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.87.0.34694466437.107.x

Breaking changes

General/Core

  • CHANGED: We introduced Atomikos XA transaction management to avoid provisioning inconsistency. (NEVISIDM-7963)
  • CHANGED: Policy type LoginPolicy is planned to be removed in May 2023. To stay up-to-date with our software versions, make the necessary changes in your configuration, see LoginPolicy.
  • REMOVED: Some Admin CLI commands are removed with the November Rolling Release. For more information, see Administrative command-line interface.
  • CHANGED: As a consequence of the admin CLI changes, the directory structure in the RPM installation also changed, it does not contain the version number anymore. Consider this when trying to access the installed directories, for example when configuring the classpath for nevisAuth.

General changes and new features

General/Core

  • CHANGED: Custom property caching now covers all scopes with the newly introduced distributed event handling. This means if you have more than one nevisIDM instances, each property definition modification triggers notification to refresh cache on all instances. In SCIM, you can filter for the onProfileForApp and onRoleForApp properties as well. (NEVISIDM-8231)
  • UPGRADED: We upgraded Jackson-dataformat-properties to 2.13.4. (NEVISIDM-8340)
  • UPGRADED: We upgraded Jackson-dataformat-yaml to 2.13.4. (NEVISIDM-8340)
  • UPGRADED: We upgraded Jackson-dataformat-properties to 2.13.4. (NEVISIDM-8340)
  • UPGRADED: We upgraded Jackson-databind to 2.13.4. (NEVISIDM-8340)
  • UPGRADED: We upgraded Jackson-core to 2.13.4. (NEVISIDM-8340)
  • UPGRADED: We upgraded Angular to 14. (NEVISIDM-8159)
  • UPGRADED: We upgraded Woodstox to 6.4.0. (NEVISIDM-8483)
  • UPGRADED: We upgraded CXF to 3.5.4. (NEVISIDM-8483)
  • UPGRADED: We upgraded Ninja to 2.1.2.1. (NEVISIDM-8483)
  • UPGRADED: We upgraded Snakeyaml to 1.32. (NEVISIDM-8370)
  • UPGRADED: We upgraded Apache Commons Text to 1.10.0. (NEVISIDM-8457)
  • REMOVED: We removed the com.microsoft.azure:azure-servicebus library. (NEVISIDM-8121)
  • NEW: We added the com.azure:azure-messaging-servicebus library with version 7.10.1. (NEVISIDM-8121)
  • NEW: FIDO2 credential now allowed in the default unit policy. (NEVISIDM-8260)
  • FIXED: Now we show all role assigments of the same role to a user, not just the latest one. (NEVISIDM-8166)
  • FIXED: You can now store and modify certificates that are longer than 4000 characters. (NEVISIDM-8349)
  • FIXED: From now on, if you delete a temporary locked credential, it does not leave any record in the Persist Queue. (NEVISIDM-8404)
  • FIXED: From now on, date locale is generated from template language. (NEVISIDM-8328)
  • FIXED: Now emails are correctly sent when running on Oracle database. (NEVISIDM-8330)
  • FIXED: UpdateUserStateJob now handles if daysNoAcitivitySinceReactiviation is not set. (NEVISIDM-8336)
  • FIXED: We fixed the issue with UpdateUserStateJob that disabling of users did not consider daysNoActivity. (NEVISIDM-8481)
  • FIXED: UpdateUserStateJob now only logs configuration properties once. (NEVISIDM-8337)
  • FIXED: If you modify a user property, then only one USER_MODIFY audit action is created. (NEVISIDM-8265)
  • FIXED: When a PrintJob, EmailJob, or SMSViaSmtpJob encounters an error decrypting job details, the job gets to the failed state correctly in the event queue. (NEVISIDM-8287)
  • PERFORMANCE: User duplicate check query is limited to one result only. (NEVISIDM-8225)

Web GUI

  • CHANGED: From now on, you can create custom properties with spaces in their name. (NEVISIDM-8071)
  • FIXED: We made user report generation faster. (NEVISIDM-8319)

REST API

  • NEW: Certificate credential is now supported by the SCIM interface. From now on, you can see and send the Certificate credential details (NEVISIDM-7826)
  • NEW: Fido UAF credential is now supported by the SCIM interface. From now on, you can see and send the Fido UAF credential details. (NEVISIDM-7830)
  • NEW: Context Password credential is now supported by the SCIM interface. From now on, you can see and send the Context Password credential details (NEVISIDM-7840)
  • NEW: Policy is now supported by the SCIM credential interface. From now on, you can see and send policy external IDs along with credential details.
  • NEW: SCIM search is now able to search for properties with space in their name if the property name is within ' marks. (NEVISIDM-8274)
  • NEW: The SCIM user import now handles if the profile is not given extId at creation. (NEVISIDM-8290)
  • FIXED: Property filtering of the Core REST API now generates the queried data faster.
  • FIXED: From now on, you can filter out the addresses attribute in SCIM search. (NEVISIDM-8306)
  • FIXED: Property values are fetched in bulk mode not one by one for each property. The correction enhances both SCIM and Core Rest API property related queries. This results in less and more efficient DB operations, less memory and processor usage. (NEVISIDM-8397)
  • FIXED: Not requested SCIM result elements (using attributes or excludedAttributes parameters) are not fetched and mapped to speed up result processing. (NEVISIDM-8398)

Configuration

  • FIXED: From now on, no need to empty the TIDMQ_* tables after batchContext.xml changes. The batch context can be modified while IDM is running, it triggers context refresh and database update. Uniform batch context configuration is strongly recommended for IDM clusters. (NEVISIDM-8255)

Upgrading from nevisIDM 2.86.x

Step 1: Installation

Install the packages of nevisIDM 2.87.0.3469446643 on the server.

Step 2: Configuration files

Make sure that the DB connection and DB connection pooling properties are set for what Atomikos expects.

Step 3: Database

Update the nevisidmdb package with the following command. This will remove the current installed version of nevisidmdb:

rpm -U nevisidmdb-7.10.0.3469446643-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.

Restart the affected nevisAuth instances.

Step 6: Upgrade the ORIG_ID field in the database history tables

MariaDB database instance

No action needed, MariaDB was unaffected by the issue.

Oracle database instance

For all history tables with less than a million records, the update automatically happens during migration.

If a table is not updated, a log message in a separate table is added: TIDMA_TABLE_UPDATE_LOG. To run a manual update:

Copy and run the ALTER_TABLE line in an SQL terminal from the TIDMA_TABLE_UPDATE_LOG table. The line looks something like this:

Table not updated, because there are too many records: `{table_name}`.
For a successful update, run the following command manually at maintenance time.
`ALTER TABLE {table_name} MODIFY ORIG_ID NUMBER(19,0);`

nevisIDM 2.86.3.3263417751 - 24.10.2022

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.86.3.32634177517.77.x

General changes and new features

General/Core

  • FIXED: You can now store and modify certificates that are longer than 4000 characters. (NEVISIDM-8349)

Upgrading from nevisIDM 2.86.x

Step 1: Installation

Install the packages of nevisIDM 2.86.3.3263417751 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This will remove the current installed version of nevisidmdb.

rpm -U nevisidmdb-7.7.3.3263417751-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.

Restart the affected nevisAuth instances.

nevisIDM 2.86.2.3028299852 - 12.09.2022

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.86.2.30282998527.67.x

General changes and new features

General/Core

  • FIXED: If there was no custom property in the system with the scope global for enterprise role, then deleting an enterprise role returned an error. (NEVISIDM-8357)

Upgrading from nevisIDM 2.86.x

Step 1: Installation

Install the packages of nevisIDM 2.86.2.3028299852 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This will remove the current installed version of nevisidmdb.

rpm -U nevisidmdb-7.6.2.3028299852-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.

Restart the affected nevisAuth instances.

nevisIDM 2.86.1.2934490781 - 31.08.2022

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.86.1.29344907817.67.x

General changes and new features

Web Services

  • FIXED: We fixed the issue of queryCredential operation for FIDO UAF credentials causing FIDO UAF registration and logins to fail. (NEVISIDM-8326)

Upgrading from nevisIDM 2.86.0.x

Step 1: Installation

Install the packages of nevisIDM 2.86.1.2934490781 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This will remove the current installed version of nevisidmdb.

rpm -U nevisidmdb-7.6.1.2934490781-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.

Restart the affected nevisAuth instances.

nevisIDM 2.86.0.2833457136 - 17.08.2022

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.86.0.28334571367.67.x

Breaking changes

General/Core

  • FIXED: The bug is fixed that in some cases at the unit dataroom check, when the user had an archived profile it still had an effect on the result. (NEVISIDM-8015)
  • FIXED: For mTAN, we do not accept mobile numbers with 00 prefix anymore. (NEVISIDM-8147)

General changes and new features

General/Core

  • NEW: Pre-loading clients to the database is supported similar to pre-loading custom properties. (NEVISIDM-8057)
  • NEW: The new configuration property application.dataroom.relaxed.permissions is added, that can define permissions for which the dataroom check should be loosened. (NEVISIDM-8015)
  • NEW: Bridging of local ExpiryQueue and DLQ is possible with the setting of the two properties (messaging.remote.expiryQueueUri and messaging.remote.dlqUri) in similar manner as the Provisioning queue. (NEVISIDM-8076)
  • NEW: SELinux policy templates are now available at /opt/nevisidm/selinux. (NEVISAPPLIANCE-569)
  • NEW: We added a new type of batch job to fix issues when the default encryption key is used after a new encryption key is set, and some of the credential and property values were not decipherable. (NEVISIDM-8201)
  • CHANGED: The preferred way for pre-loading custom properties to the database now uses separate files for each property. The old way of of putting multiple properties to one file still works, but is deprecated. (NEVISIDM-8057)
  • CHANGED: From now on, you can see the external ID of the incorrect credential in the fault massage of the SCIM user creation. (NEVISIDM-8109)
  • CHANGED: Log category of CSRFGuard is changed from Owasp.CsrfGuard to org.owasp. (NEVISIDM-8122)
  • FIXED: Failed pre-loading of a custom property does not stop the pre-loading mechanism any more. (NEVISIDM-8057)
  • FIXED: Failed to load properties before quartz jobs run, therefore NullPointerException has thrown. This issue is fixed (NEVISIDM-8115)
  • FIXED: Status check of instances no longer shows a wrong status if ExecStartPre is configured. (NEVISIDM-8210)
  • FIXED: Hibernate Search indexes are automatically purged after the removal of any indexed entities both for Lucene and Elastichsearch backends. (NEVISIDM-8146)
  • UPGRADED: We upgraded Hibernate to 5.6.9.Final. (NEVISIDM-8126)
  • UPGRADED: We upgraded Hibernate Search to 6.1.5.Final. (NEVISIDM-8126)
  • UPGRADED: We upgraded CSRFGuard to 4.1.4. (NEVISIDM-8122)
  • UPGRADED: We upgraded Angular to 13. (NEVISIDM-7890)
  • UPGRADED: We upgraded Spring to 5.3.21.
  • UPGRADED: We upgraded jetty to 9.4.48.v20220622. (NEVISIDM-8219)
  • UPGRADED: We upgraded the Apache commons-configuration2 dependency to 2.8.0.
  • UPGRADED: We upgraded the transitive dependency gson to 2.8.9.
  • UPGRADED: We upgraded Ninja to 2.1.1.1. (NEVISIDM-8259)
  • UPGRADED: We upgraded loader-utils to 2.0.4 (NEVISIDM-8519)
  • UPGRADED: We upgraded the NevisAuth dependency to 4.38.0.8. (NEVISIDM-8612)

Web GUI

  • NEW: From now on, the query REST interface is able to handle the finding of mTan credentials like phone number or credential type. (NEVISIDM-8067)
  • NEW: Admin and SelfAdmin forms are created to manage FIDO2 credentials. (NEVISIDM-7747, NEVISIDM-7748)
  • FIXED: From now on, the query REST interface is able to handle the properties search immediately after the property was saved. (NEVISIDM-8106)

REST API

  • NEW: Parameter bulkImportFormat added that enables ScimBulkRequest output with create operations instead of ScimListResponse in user list endpoint to help import. (NEVISIDM-7975)
  • NEW: UserInfo endpoint support HTTP POST method. (NEVISIDM-8142)
  • NEW: FIDO2 credentials are live from now on. (NEVISIDM-8151)
  • NEW: We added a new REST endpoint to update the time of the last user login. The REST endpoint also counts the login attempts with an mTan credential. A successful login resets the failed login counter to 0. (NEVISIDM-7886)
  • NEW: mTan credential is now supported by the SCIM interface. From now on, you can see and send the mTan credential details. (NEVISIDM-7832)
  • NEW: Recovery Code credential is now supported by the SCIM interface. From now on, you can see and send the Recovery Code credential details. (NEVISIDM-7843)
  • NEW: Temporary Strong Password credential is now supported by the SCIM interface. From now on, you can see and send the Temporary Strong Password credential details. (NEVISIDM-7830)
  • NEW: Recovery Code credential is now supported by the SCIM interface. From now on, you can see and send the Recovery Code credential details. (NEVISIDM-7843)
  • NEW: SecurID credential is now supported by the SCIM interface. From now on, you can see and send the SecurID credential details. (NEVISIDM-7827)
  • NEW: Safeword user mapping credentials is now supported by the SCIM interface. From now on, you can see and send the Safeword user mapping credential details. (NEVISIDM-7829)
  • NEW: PUK code credential is now supported by the SCIM interface. From now on, you can see and send the PUK code credential details. (NEVISIDM-7834)
  • NEW: We expanded SCIM filtering with properties. From now on, you can send filters for custom global properties. (NEVISIDM-8208)
  • FIXED: User creation with an invalid property created the user without the property, but still returned an error message. Now it just returns an error message. (NEVISIDM-8010)
  • CHANGED: The error message of failing password creations now contains the list of policy violations. (NEVISIDM-8145)
  • CHANGED: From now on, when a login attempt with recovery code fails with an error, it returns the correct HTTP status code and state. (NEVISIDM-7885)

Web Services

  • CHANGED: The queryCredentials operation does not use the VIDMA_CREDENTIAL_SEARCH_VIEW view anymore in case of searches for FIDO_UAF credential types, it has its own generated query. (NEVISIDM-8110)
  • FIXED: In getUser and queryUser related responses lastLogin and lastLoginFailure now correctly shows up with userDetailLevel set to MEDIUM. (NEVISIDM-8781)

Auth States

  • NEW: You can now define the following attributes and properties in the IdmCreateUserState user profile: name, extId, remarks, deputedExtId, modificationComment. (NEVISIDM-8103)
  • NEW: We introduced the AuthState service locator V2 failover strategy, see Properties shared among all nevisIDM authentication plug-ins.

Database

Configuration

Upgrading from nevisIDM 2.85.0.x

Step 1: Installation

Install the packages of nevisIDM 2.86.0.2833457136 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command. This will remove the current installed version of nevisidmdb.

rpm -U nevisidmdb-7.6.0.2833457136-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.

Restart the affected nevisAuth instances.

nevisIDM 2.85.0.2301361554 - 18.05.2022

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.85.0.23013615547.67.x

Breaking changes

General/Core

  • UPGRADED: the Spring dependency was updated to 5.3.19. As a result, the Quartz scheduler of the batch jobs needs to be configured with the class org.springframework.scheduling.quartz.LocalDataSourceJobStore instead of org.quartz.impl.jdbcjobstore.JobStoreTX. (NEVISIDM-8095)

General changes and new features

General/Core

  • NEW: We added a new endpoint to create a new user and profile with one call. (NEVISIDM-7654)
  • CHANGED: We removed automatic trimming of loginId and emailAddress fields due to security concerns. (NEVISIDM-7514)
  • CHANGED: UpdateCredentialStateJob now supports all credential types with policy types defined for disabling credentials, including generic credentials. (NEVISIDM-7899)
  • CHANGED: Ninja debug logs can be controlled by the trace group ch.nevis.ninja. There is no need to set property server.auth.ninja.log-debug to enable ninja debug mode anymore. (NEVISIDM-8086)
  • CHANGED: Pre-loading custom properties to the database now also supports enum type custom properties. (NEVISIDM-7900)
  • CHANGED: In Query API sorting field referenced without apostrophes now return 400 Bad Requested instead of 500 Internal Server Error. (NEVISIDM-8027)
  • CHANGED: Logging in authstates now uses slf4j 1.7.36 instead of jbc. (NEVISIDM-8012).
  • CHANGED: Writing login information is improved to handle multiple parallel logins. (NEVISIDM-8011)
  • FIXED: The issue where CTL_TCN fields were not updated properly during deletion is now fixed. (NEVISIDM-8044)
  • UPGRADED: Version of the underlying Artemis is upgraded to 2.19.1. (NEVISIDM-7974)
  • UPGRADED: The jdom dependency is changed to jdom2. (NEVISIDM-8022)
  • UPGRADED: The CXF dependency is updated to 3.5.1. (NEVISIDM-8023)
  • UPGRADED: The netty dependency is updated to 4.1.74.Final. (NEVISIDM-8020)
  • UPGRADED: The xmlbeans dependency is upgraded to 3.1.0. (NEVISIDM-7413)
  • UPGRADED: The xmlsec dependency is upgraded to 2.3.0. (NEVISIDM-7413)
  • UPGRADED: The Spring dependency is upgraded to 5.2.20.RELEASE. (NEVISIDM-8052)
  • UPGRADED: The NevisAuth dependency is upgraded to 4.35.0.1. (NEVISIDM-8012)
  • UPGRADED: The transient jgroups dependency is excluded from the Artemis dependency. (NEVISIDM-8018)

Web GUI

  • CHANGED: Compression is disabled and MIME types are corrected for all font files (woff, woff2, ttf and eot). (NEVISIDM-8008)

Rest API

  • NEW: We extended generic credential creation on REST to contain validity information. (NEVISIDM-7898)
  • NEW: We added an endpoint to delete URL-Ticket credentials. (NEVISIDM-7808)
  • NEW: The notification sending method can now be HTML email in addition to email. (NEVISIDM-7973)
  • CHANGED: Query API error handling is now unified with the other API's error handling. (NEVISIDM-7770)
  • CHANGED: LoginId policy violations on the REST interface now return an improved description of the specific policy that is breached. (NEVISIDM-7912)
  • FIXED: Cases when the mobile number of a User with an empty number is updated, and there is an mTan credential linked to the previous number, now return a descriptive error. (NEVISIDM-7858)
  • NEW: We created a REST endpoint for clients, that returns all the custom properties that are in the client with filtering. (NEVISIDM-7995)
  • NEW: We introduced SCIM 2.0 server implementation for exporting and importing identities. For now, only password, generic and ticket credentials are supported. (NEVISIDM-7851)

Configuration

  • NEW: We introduced the configuration property application.queryservice.instance.index.prefix to configure Elastic/Lucene with instance specific prefix for indices. This enables the use of a single Elastic/Lucene backend by multiple nevisIDM instances. (NEVISIDM-7921)

Upgrading from nevisIDM 2.84.0.x

Step 1: Installation

Install the packages of nevisIDM 2.85.0.2301361554 on the server.

Step 2: Configuration files

No changes

Step 3: Database

Update the nevisidmdb package with the following command. This will remove the current installed version of nevisidmdb:

rpm -U nevisidmdb- 7.6.0.2301361554-1.noarch.rpm

Migrate the database schema with the following command:

| nevisidmdb migrate |

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.84.0.1816761841 - 16.02.2022

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.84.0.18167618417.67.x

Breaking changes

General/Core

  • CHANGED: Security key is now mandatory. Fallback mechanism introduced if the default key is changed on a live system. Mechanism can be enabled with the security.properties.fallback.enabled application property. (NEVISIDM-7759)

Rest API

  • FIXED: ClientGetDTO now expects extId field instead of previous extid.(NEVISIDM-7736)

General changes and new features

General/Core

  • NEW: Added maxCredSuccessCount policy parameter to Password, Context Password and Device Password policies, which can be used to define maximum number of successful credential usage before the credential becomes disabled. (NEVISIDM-7786)
  • CHANGED: Log4j2 is updated to version 2.17.1. (NEVISIDM-7871)
  • CHANGED: Netty is updated to version 4.1.72.Final. (NEVISIDM-7868)
  • CHANGED: The extId filter in query credential is now case-sensitive to fix related database performance issues. The full table scan becomes IIDMA_CREDENTIAL_EXTID index scan. (NEVISIDM-7862)
  • FIXED: IdmCredStatusCheckState returns noCredential transition on both condition of updateLoginState if there is no appropriate credential. (NEVISIDM-7804)
  • FIXED: Made loadpwddictionary server command visible. (NEVISIDM-7795)
  • FIXED: IdmPasswordResetState now considers resetLockedPasswords parameter if input validation fails. (NEVISIDM-7683)
  • FIXED: Login identifier Policy now correctly validates identifier before modification on SOAP interface. (NEVISIDM-7875)
  • FIXED: Login with PUK credential handles maxCredSuccessCount policy correctly, that is, allows maxCredSuccessCount login instead of one less. (NEVISIDM-7930)
  • FIXED: The version number CTL_TCN was wrongly provisioned after creation or modification of Applications, Units, Clients and Users. The bug is now fixed. (NEVISIDM-7943)

Web GUI

  • FIXED: We corrected French translations of File upload and Download template. (NEVISIDM-7717)
  • FIXED: Changing loginId now displays the same error message as creating loginId if loginId policy violation occurs. (NEVISIDM-7756)

Rest API

  • NEW : URLTicket GET endpoint supports URL prefixes. (NEVISIDM-7679)
  • NEW: Query REST service supports the sorting of users by their first name. (NEVISIDM-7771)
  • FIXED: Improved returned information if client or unit does not allow a type of credential to be created. (NEVISIDM-7799)
  • FIXED: Fetching the FIDO UAF credentials now correctly filters disabled credentials when the database contains generic credentials and mobile auth credentials which are inconsistently disabled. (NEVISIDM-7515)
  • FIXED: Now FIDO UAF and Certificate returns HTTP 404 Not Found (instead of HTTP 500 Internal Server Error) when trying to update or retrieve a non-existing credential in self-admin model. (NEVISIDM-7811)

Web Services

  • CHANGED: Communication between nevisAuth and nevisIDM is refactored. From this version the auth states by default use CXF library with circuit breaker failover mechanism. (NEVISIDM-7753)

Configuration

  • NEW: Created new configuration properties application.modules.provisioning.jmsqueue.max-size-bytes and application.modules.provisioning.jmsqueue.page-size-bytes to control the messaging queue paging. (NEVISIDM-7769)
  • NEW: Created five new configuration properties to provide control over encryption and integrity checking when nevisIDM is connecting to an Oracle database. (NEVISIDM-7785)
  • CHANGED: Communication between nevisAuth and nevisIDM refactored. Configuration property idm.service.locator.version introduced for esauth4.xml with default value of V2. (NEVISIDM-7753)

Upgrading from nevisIDM 2.83.0.x

Step 1: Installation

Install the packages of nevisIDM 2.84.0.1816761841 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Update the nevisidmdb package with the following command (this removes the current installed version of nevisidmdb):

rpm -U nevisidmdb- 7.6.0.1816761841-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.83.1.1582843141 - 17.12.2021

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.83.1.15828431417.57.x

General changes and new features

General/Core

  • CHANGED: Log4j2 is updated to version 2.16.0. (NEVISIDM-7860)

Upgrading from nevisIDM 2.83.0.x

Step 1: Installation

Install the packages of nevisIDM 2.83.1.1582843141 on the server.

Step 2: Configuration files

No changes

Step 3: Database

Update the nevisidmdb package with the following command (this will remove the current installed version of nevisidmdb):

rpm -U nevisidmdb- 7.5.1.1582843141-1.noarch.rpm

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.83.0.1443644301 - 17.11.2021

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.83.0.14436443017.57.x

Breaking changes

  • FIXED: Audit logging of consent creation now returns consent ID as consentId not the related terms extId. (NEVISIDM-7650)
  • CHANGED: If you use nevisAdmin 4, you have upgrade the Standard Patterns. (NEVISADMV4-7752)

General changes and new features

General/Core

  • NEW: Uniqueness scope settings of custom properties imported at startup are verified during startup. (NEVISIDM-7638)
  • CHANGED: User entity deletion forces deleting dependent objects and related audit processing in batch mode to enhance performance. (NEVISIDM-7583)
  • CHANGED: Audit logging of consent creation now contains extId of the terms and extId of the user. (NEVISIDM-7625)
  • CHANGED: the logging level is now ERROR in case the BatchContextRefreshService cannot be started if the configuration file is inaccessible or missing. (NEVISIDM-7523)
  • FIXED: Auditing events which indicate a change in property values, but actually contain no change in the property value are no longer generated. (NEVISIDM-7596)
  • FIXED: Auditing events which indicate a change in enum property values now generated. (NEVISIDM-7642)
  • FIXED: Policy violation instantiation problem has been fixed. (NEVISIDM-7619)
  • FIXED: the maxResetCount of the password policy is considered again. (NEVISIDM-7581)
  • FIXED: IdmSetPropertiesState does not write a misleading log message in method setUserProperties anymore. (NEVISIDM-7671)
  • FIXED: Login IDs which have the same upper case, but a different lower case, are not considered equal when case insensitivity is turned on. (NEVISIDM-7669)
  • FIXED: In authstate IdmCredStatusCheck when updateLoginState is false, no error is caused and no error log is created when no credential is found. (NEVISIDM-7644)
  • FIXED. Now both minHistoryTime and minHistory rules can be applied the same time. (NEVISIDM-7661)
  • FIXED: History event is correctly written when a custom property is changed after a user attribute has been changed. (NEVISIDM-7604)
  • UPGRADED: OWASP CSRFGuard has been upgraded to 4.0.0. If you face problems, clear your browser cache. (NEVISIDM-7626)
  • UPGRADED: Versions of the underlying Artemis and embedded container were upgraded. (NEVISIDM-7702)

Web GUI

  • CHANGED: The Terms and Conditions UI was upgraded to Angular 12 and its dependencies. Also, the UI now uses the new Nevis logo instead of the old one. (NEVISIDM-7509)
  • FIXED: Changing language settings on the User Search page caused a technical error. (NEVISIDM-7640)
  • FIXED: When changing a password, password policy information was displayed incorrectly. Now it is displayed consistently and shows the correct severity (NEVISIDM-7723)
  • FIXED: Checking the PolicyHistory page threw a technical error previously. (NEVISIDM-7725)

Rest API

  • NEW: nevisIDM now provides a REST service to fetch all consents of a user. For more details, see the REST API documentation. (NEVISIDM-7627)
  • NEW: Elasticsearch support has been introduced in Query REST service as a possible backend alongside the default Lucene. In a multi IDM instance environment this feature is recommended. For new configuration properties, see the reference guide. (NEVISIDM-7547)
  • NEW: Querying users now returns the custom properties of the queried users if the caller has authorization to see them. (NEVISIDM-7577)
  • CHANGED: Second based indexing has been introduced. Filtering is now available by the second for timestamp values. (NEVISIDM-7575)
  • CHANGED: Added new User.loginInfo field to Query REST service with data from TIDMA_USER_LOGIN_INFO table with following properties (NEVISIDM-7575):
  • CHANGED: Added new full text search indexes to improve Query REST service (NEVISIDM-7575)
  • CHANGED Day based indexing has been improved to second based indexing for properties: (NEVISIDM-7575)
  • CHANGED: The Query REST service now supports the sorting of the user results by name, status, e-mail, last login and last failed login. (NEVISIDM-7576)
  • FIXED: Query REST service now hides attributes with null values in compliance with the JSON Standard. (NEVISIDM-7648)

Web services

  • FIXED: When unit is updated, now it checks for extId and client. (NEVISIDM-7670)

Database

  • NEW: New tables defined for Quartz's to support JDBC job store and scheduler cluster mechanism. (NEVISIDM-7570)
  • FIXED: Property history can handle more than 1000 transactions. (NEVISIDM-7621)
  • PERFORMANCE: Application deletion was made faster with improvements of dependent objects deletion. (NEVISIDM-7647)
  • PERFORMANCE: Property deletion was made faster with improvements of dependent objects deletion. (NEVISIDM-7665)

Configuration

  • NEW: Added support for database level configuration of a job store for the scheduler cluster to enable the same batch context configuration on multiple IDM environments. (NEVISIDM-7570)
  • NEW: The Login identifier of the character restriction version can now be configured. By default, the restrictions are used and it is possible to enable accepting ASCII characters from ! to ~, ASCII 0x21 to 0x7E. (NEVISIDM-7659)
  • NEW: Added two configuration settings to handle forms with more than 20,000 bytes of content or with more than 333 fields (server.max-form-content-size and server.max-form-keys). (NEVISIDM.7666)

Upgrading from nevisIDM 2.82.0.x

Step 1: Installation

Install the packages of nevisIDM 2.83.0.1443644301 on the server.

Step 2: Configuration files

No changes

Step 3: Database

Update the nevisidmdb package with the following command. This operation will remove the current installed version of nevisidmdb):

rpm -U nevisidmdb-7.5.0.1443644301-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.82.0.1117104689 - 18.08.2021

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.82.0.11171046897.47.x

Breaking changes

The index creation and the search functionality behind the Query REST services were upgraded (NEVISIDM-7526). As a consequence, delete the old indexes in the application.queryservice.index.dir folder.

The index folders are also changed to avoid conflicts during upgrade. These are the changes:

  • For applications: Application_Index → Application
  • For clients: Client_Index → Client
  • For roles: Role_Index → Role
  • For clients: Unit_Index → Unit
  • For clients: User_Index → User

Furthermore, the search for custom properties changed slightly. Previously, it was possible to search for values with the following two syntaxes:

  • With "property" as the static keyword: "property: property_value"
  • With the name of the property definition as the keyword: "property_name: property_value"

As of this release, you can still use "property" as a static keyword:

  • "property: property_value"

But if you want to use the property name definition as a keyword, add the "properties." static keyword as a prefix:

  • "properties.property_name: property_value"

The nevisIDM reference guide is updated accordingly. For more details, see the chapter "Query Service and Quick Search Feature".

The CTL_MOD_DAT field of the TIDMA_PROPERTY_VALUE table is no longer updated for each modification on a related scope (for example, on TIDMA_USER). Also, custom property update events are no longer written into the TIDMA_PROPERTY_VALUE_V table, to reduce database space consumption. Direct modifications on custom properties are still incorporated into property tables, but only the ones that were changed.

If you count on the above mentioned records, for example in your nevisDP scripts, calculate them based on earlier history events, as nevisIDM does in the background. You could also use the SOAP history services. (NEVISIDM-7545)

General changes and new features

General/Core

  • NEW: It is now possible to ensure the creation of custom properties at startup. The custom properties are loaded from JSON files placed at the directory <instance directory>/conf/import. For the exact format, see the section "Pre-loading other data" in the chapter "Database Preparing" of the nevisIDM reference guide. (NEVISIDM-7541)
  • CHANGED: The query that fetches the units in the user's data room is improved. (NEVISIDM-7518)
  • CHANGED: The SecToken library was updated. (NEVISIDM-7536)
  • FIXED: The IdmGetPropertiesState did not fetch the profile indicated by its property chooseProfileFromSession in all cases. This bug is now fixed. (NEVISIDM-7501)
  • FIXED: Property value changes were not audited correctly. This bug is now fixed. (NEVISIDM-7533)

Rest API

  • NEW: It is now possible to filter mobile auth credentials when fetching the credentials. This allows you, for example, to only fetch the active credentials. (NEVISIDM-6975)
  • NEW: It is now possible to filter users based on their custom properties when fetching the users. (NEVISIDM-7012)
  • NEW: You can now set the custom properties of a user in the same call in which you create or modify the user. In the User rest service, you require the following additional permissions if you want to use this functionality:
  • NEW: The Client rest service now provides custom properties in the user list response. This new functionality requires the following additional permissions:
  • FIXED: The custom properties were not returned when you queried and modified user data in selfAdmin mode. This bug is now fixed. (NEVISIDM-7483)
  • FIXED: You could not use some common English words to search on the Query REST interface. This bug is now fixed. (NEVISIDM-7526)
  • FIXED: Once the terms & conditions were consented by a first user, no other user was asked for a consent any more - the service always returned an empty list. This bug is now fixed. From now on, multiple users can accept the same terms & conditions one after another. (NEVISIDM-7566)
  • FIXED: The transaction timeout was sometimes logged in the log file as 30 seconds (the default value), even though you had set the timeout differently (for example, to 60 seconds). This bug is fixed. From now on, the configured timeout appears in the log file. (NEVISIDM-7574)
  • FIXED: "Direct Printing" did no longer work in conjunction with adnooprint 1.2.x. This issue is now fixed, and printing works again with LibreOffice 5.3.6 and adnooprint 1.2.x. (NEVISIDM-7594)

Web GUI

  • FIXED: The Search unit screen was not loaded properly in Firefox. This bug is now fixed. (NEVISIDM-7494)

Database

  • CHANGED: To reduce database space consumption, custom property update events are no longer written into the relevant table if only the related scope is modified. (NEVISIDM-7545)
  • FIXED: The event queue processing locking problems resolved. (NEVISIDM-7573)

Configuration

  • NEW: The nevisidm-prod.properties configuration file contains the new property application.cache.permission.unit. You can use this property to define whether the unitIds are cached during user session creation. If the property is set to "false", the unitIds are not cached during session creation, but fetched each time they are needed. (NEVISIDM-7518)
  • CHANGED: The properties login.service.connection and admin.service.connection must be configured for all nevisIDM AuthStates. You can use the propertyRef feature to refer to an existing configuration. For more information, see the chapter "Properties shared among all nevisIDM authentication plug-ins" in the nevisIDM reference guide. (NEVISIDM-7498)

Upgrading from nevisIDM 2.81.0.x

Step 1: Installation

Install the packages of nevisIDM 2.82.0.1117104689 on the server.

Remove the folders within application.queryservice.index.dir.

Step 2: Configuration files

No changes

Step 3: Database

Replace the currently installed version of nevisidmdb with the following command:

rpm -U nevisidmdb-7.4.0.1117104689-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

  1. Remove the software packages of the old nevisIDM release from the server.
  2. Restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.81.0.830749540 - 19.05.2021

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.81.0.8307495407.47.x

Breaking changes

  • CHANGED: The GUI has been updated with the new Nevis design. If you use custom facing on the GUI, then this change might break existing CSS styling. (NEVISIDM-7436)

General changes and new features

General/Core

  • NEW: The following languages are now available: Bihari languages, Hebrew, Indonesian, Yiddish. Use the language code iw for Hebrew, in for Indonesian, and ji for Yiddish. (NEVISIDM-7452)
  • CHANGED: Startup logs are updated according to the new Nevis design. (NEVISIDM-7436)
  • CHANGED: From now on, multiple instances can handle events without concurrency issues. (NEVISIDM-7451)
  • FIXED: The bug is fixed where for assigning Vasco credentials to a user, the global-client data room was needed. From now on, only the client data room is needed. (NEVISIDM-7385)
  • FIXED: The bug is fixed where the SMS template did not resolve user-related placeholders. (NEVISIDM-7430)
  • FIXED: A bug caused a memory leak in adnooprint 1.1.0.0. The installation of adnooprint 1.2.0.x supporting LibreOffice 5.3.6.1 fixes the bug. For more details, see "Installation of adnooprint version 1.2.0.x and LibreOffice" in the reference guide. (NEVISIDM-7456)
  • FIXED: The bug is fixed where the GUI was displayed in IdmOTPState, even if the attribute challengeRequired was set to false, and the response was already present in Vasco tokens. From now on, the GUI is not displayed in this case. (NEVISIDM-7449)
  • FIXED: The bug is fixed where the properties of type enum were not indexed for the query service (NEVISIDM-7479).
  • FIXED: The bug is fixed where the fingerprint of certificates was not checked properly. (NEVISIDM-7497)
  • FIXED: The bug is fixed that allowed importing the same Vasco token multiple times. (NEVISIDM-7495)

Web GUI

  • FIXED: A bug is fixed that caused wrong sorting of possible Property values. (NEVISIDM-7445)
  • FIXED: A bug is fixed where in some cases, empty fields returned empty strings. (NEVISIDM-7418)
  • FIXED: A bug is fixed that caused wrong sorting of the Gender and Technical userselection on the User search screen for French and Italian GUI versions. (NEVISIDM-7453)
  • FIXED: A bug is fixed that caused wrong sorting of the Assigned token selection on the Vasco administration screen for French and Italian GUI versions. (NEVISIDM-7453)

Rest API

  • NEW: You can now assign custom property values when creating Generic credentials. (NEVISIDM-7364)
  • NEW: nevisIDM now provides a REST service to count the active mobile authentication credentials of a user. The endpoint supports filtering. (NEVISIDM-7330)

Web services

  • FIXED: An error occurred when you created a user profile with data room restrictions for a client and units that are not in the user's own client. From now on, the client specified in the authorized unit definition is used. (NEVISIDM-7389)

Database

  • NEW: An index is added to the TIMESTAMP column of the TIDMA_PERSIST_QUEUE table. (NEVISIDM-7407)

Configuration

  • NEW: In the configuration file nevisidm-prod.properties, you can now use the new attribute application.modules.event.retry.interval to configure the timeout for event handling. (NEVISIDM-7451)

Upgrading from nevisIDM 2.80.0.x

Step 1: Installation

Install the packages of nevisIDM 2.81.0.830749540 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

Replace the currently installed version of nevisidmdb with the following command:

rpm -U nevisidmdb-7.4.0.830749540-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

  1. Remove the software packages of the old nevisIDM release from the server.
  2. Restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.80.0.552486535 - 17.02.2021

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.80.0.5524865357.37.x

Breaking changes

  • CHANGED: During user creation on the REST interface, the login ID generator can now generate a loginId if no ID value is provided and the generator is enabled. If the caller wants to override the generated loginId, by providing a value for it in the request, the caller needs the AccessControl.LoginIdOverride right. (NEVISIDM-7374)
  • CHANGED: The unique check of the credential's extId and the client's id now takes place on database level, in a new table called TIDMA_CREDENTIAL_CLIENT. Previously, this check happened in the Java business logic. Because the uniqueness constraint may already be violated in some cases, execute specific manual steps before starting the database migration. For more details, see section Upgrading from nevisIDM 2.79.0.x]
  • CHANGED: When removing old, archived users, the UpdateUserStateJob now also removes users who were created with the Archived state and never had their state changed. That is, these user's STATE_CHANGED_DATE is "null". (NEVISIDM-7349)

General changes and new features

General/Core

  • NEW: It is now possible to control the logging of the CSRFGuard with the logger Owasp.CsrfGuard. (NEVISIDM-7353)
  • NEW: The Content-Security-Policy header is now added to */nevisidm/**. (NEVISIDM-7357)
  • CHANGED: The default profile name now contains only the first 80 characters of the loginId, in case the loginId is longer than 80 characters. (NEVISIDM-7306)
  • CHANGED: Provisioning messages are now paged to disk, when the size of all messages in memory for a specific address exceeds the maximum size. (NEVISIDM-7355)
  • CHANGED: The country list is updated. (NEVISIDM-7350)
  • CHANGED: URL tickets can no longer end with dots. (NEVISIDM-7307)
  • CHANGED: Dates are aligned with the user's locale when sending notifications from templates. (NEVISIDM-6665)
  • FIXED: The bug where validation errors of the messaging log did not log the correct truststore configurations. (NEVISIDM-7371)
  • KNOWN BUG: There is a bug in the underlying OpenOffice used by adnooprint 1.1.0.0, which causes a memory leak. As a workaround it is recommended restarting adnooprint periodically with a cron job. (NEVISIDM-5525)

More Information

For more information on the underlying bug, see Issue 41675 - memory leak while converting](https://bz.apache.org/ooo/show_bug.cgi?id=41675)".

  • UPGRADED: Versions of the underlying Artemis and embedded container were upgraded. (NEVISIDM-7370)

Web GUI

  • FIXED: The bug where URL parameters could not be parsed due to an exception in the language resolution logic. (NEVISIDM-7335)
  • FIXED: The bug where the default value of the Template Collection drop-down menu in the User Search screen was set to the default template collection. Now it is set to "All" (template collections) by default. (NEVISIDM-7327)

Rest API

  • NEW: nevisIDM now provides a REST service to count the amount of users of clients. For more details, see the separate REST API documentation. (NEVISIDM-6976)
  • NEW: nevisIDM now provides a REST service to create URL ticket credentials with the possibility to see the URL in the JSON response. (NEVISIDM-7305)
  • NEW: nevisIDM now provides a REST service to fetch the permissions of the caller. (NEVISIDM-7259)
  • CHANGED: When querying the user data, the result now contains the custom properties of the user. (NEVISIDM-6972)
  • CHANGED: When querying a generic credential, the result now contains the custom properties of the credential. (NEVISIDM-7061)
  • CHANGED: The response of the GET method /{clientExtId}/users/{userExtId}/mauths/ includes the new field stateName. This field contains the active state of the credential in the database. The available field/state options are "active" or "disabled". (NEVISIDM-7289)

Database

  • NEW: The nevisidmdb tool now supports the repair command for failed database migrations. (NEVISIDM-7381)
  • CHANGED: The LOGIN_ID column of the TIDMA_USER table is extended to 300 characters. Due to this change, indexes that hold the LOGIN_ID column must be rebuilt during migration. Furthermore, the indexes iidma_user_client_login_id_up and iidma_user_login_id_num of Oracle databasesare dropped and recreated. As a consequence, the migration may take longer. Therefore, plan your migration accordingly. (NEVISIDM-7306)
  • REMOVED: Legacy procedures of the nevisIDM database version 2.60.0.0 have been removed. (NEVISIDM-7246)

Configuration

  • NEW: The nevisidm-prod.properties file contains the following new configuration parameters:

For more information on both new parameters, see the chapter Configuration Files]".

  • CHANGED: Deprecated configuration properties now generate a warning in the logs if they are set. (NEVISIDM-7331)
  • FIXED: The bug where the provisioning truststore configuration did not fall back to the truststore provided in the system property javax.net .ssl.trustStore , if the configuration property messaging.remote.tls.truststore was not set. (NEVISIDM-7372)

Upgrading from nevisIDM 2.79.0.x

Step 1: Installation

Install the packages of nevisIDM 2.80.0.552486535 on the server.

Step 2: Configuration files

No changes.

Step 3: Database

The unique check of the credential's extId and the client's id now takes place on database level, in a new table called TIDMA_CREDENTIAL_CLIENT. Previously, this check happened in the Java business logic. As a consequence of this change, the credential extId must be unique for each credential within the same client. Because this uniqueness constraint may already be violated in some cases, execute the following manual steps before starting the database migration.

The violation of the uniqueness constraint may have happened in the past, when two concurrent threads inserted credentials with the same extId into the same client. Existing applications (nevisIDM instances running versions below 2.80.0.X) can still insert inconsistent data to the database. Therefore, make sure that existing applications do not add new credentials or assign Vasco credentials to the database after the migration took place. Otherwise, check the uniqueness constraint again manually.

  1. Find all credentials that violate the constraint, with the following query. The query lists all the credential extIds that are duplicated within the same clients.
SELECT CREDENTIAL.EXTID AS credentialExtid,
COUNT(CREDENTIAL.EXTID) AS credentialCount,
TU.CLIENT_ID AS clientId
FROM TIDMA_CREDENTIAL CREDENTIAL
LEFT OUTER JOIN TIDMA_USER TU ON CREDENTIAL.USER_ID = TU.USER_ID
GROUP BY TU.CLIENT_ID, CREDENTIAL.EXTID
HAVING COUNT(CREDENTIAL.EXTID) > 1
;
  1. Change the extId for the credentials listed by the query. Not change the extId for all credentials - one credential per listed extId can keep this extId. But change the extId for all other credentials with the same extId. For example, you have credentialCount=2 for a specific credential extId "123". One of the credentials with extId "123" can keep the extId "123". But give the other credential with extId "123" a new, unique, extId.
  2. Only the users who own the affected credentials know the secrets in these credentials (because the values are hashed). This means that administrators cannot re-create the credentials with the same secrets. In this context, there are three possible options to change the affected credentials:
  • The users delete the credentials on their own and create new ones through one of our APIs (GUI, REST, SOAP).

  • The administrators delete the credentials and create new ones through our APIs (GUI, REST, SOAP). With this option, the secrets of the new credentials must be communicated to the affected users.

  • The administrators manually change the extId of the credentials directly in the database. However, by doing so, the changes are neither written to the audit log nor to the provisioning queue. Use the following statement in case synchronise these manual changes to another system (replace NEW_VALUE with the new extId value):

    for each row in the query above, get the credentialExtId and the clientId and do:
    SELECT CREDENTIAL_ID as credentialId WHERE EXTID='credentialExtId' and CLIENT_ID=clientId;
    for all but one credentialId do:
    UPDATE TIDMA_CREDENTIAL SET EXTID='__NEW_VALUE__' WHERE CREDENTIAL_ID=credentialId;

Best Choice

Which of the above options is the best for you depends on the kind of external systems, the involved clients, the number of affected users and credentials, as well as the kind of credentials. You can now start the database schema migration. Update the nevisidmdb package with the following command (this will remove the current installed version of nevisidmdb):

rpm -U nevisidmdb-7.3.0.552486535-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.79.0.347578032 - 18.11.2020

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.79.0.3475780326.07.x

General changes and new features

General/Core

  • NEW: nevisIDM now supports external placeholders. The values of these placeholders are not resolved or generated by nevisIDM but provided by a client calling the nevisIDM REST API. (NEVISIDM-7188)
  • NEW: The separate nevisIDM Integration Guide now includes documentation and example source code on how to write external batch jobs. (NEVISIDM-6636)
  • CHANGED: An improved startup is now available. From this release on, startup only fails on unrecoverable errors. Furthermore, there is no unique_email migration anymore during startup even if the configuration parameters authentication.loginWithEmail.enabledor application.feature.emaillogin.enabled are enabled. (NEVISIDM-7187)
  • CHANGED: From now on, nevisIDM only restores event queues at startup if the configuration parameter application.modules.event.autostartup.enabled is set to "true". (NEVISIDM-7267)
  • FIXED: The bug where the wrong authentication type was indicated in the log message in case of an unsuccessful login. (NEVISIDM-7162)
  • FIXED: The bug that prevented authentication with SAML assertions. (NEVISIDM-7183)
  • FIXED: The bug where transaction timeout did not work in some cases. (NEVISIDM-7220)
  • FIXED: The bug in the single-client inconsistency check. From now on, the check no longer considers authorizations of the special nevisIDM roles SelfAdmin and TechUser. (NEVISIDM-7243)
  • REMOVED: The nevisIDM command reinit batchhas been removed. From now on, nevisIDM automatically refreshes the batch context when modifying the configuration file. (NEVISIDM-7166)

Web GUI

  • FIXED: The bug where Ecuador was not displayed correctly in the country drop-down menu. (NEVISIDM-7257)
  • FIXED: The bug where the user history page showed a huge amount of data. (NEVISIDM-7252)
  • FIXED: The bug concerning the custom property validation in case of blank values. (NEVISIDM-7224)
  • FIXED: The bug where the countries were ordered and displayed incorrectly in the country drop-down menu on the user screens. (NEVISIDM-7249)

REST API

  • NEW: The following new REST services are now available:

For more details about the new REST services, see the separate REST API documentation.* CHANGED: The permission checks for property REST service endpoints are now consistent. nevisIDM now checks the permission of the entity determined by the property scope as well as the general permission for properties, for all endpoints. (NEVISIDM-7181)

  • CHANGED: The SelfAdmin interface now supports:

Configuration

  • NEW: nevisIDM now automatically detects logging configuration changes every 5 seconds for newly created instances. To configure this for existing instances, add the parameter monitorInterval: 5 to the log configuration. The minimum interval is 5 seconds. (NEVISIDM-7004)
  • NEW: There is a new configuration parameter server.auth.ninja.log-debug, which enables the debugging of the Ninja login module. (NEVISIDM-7176)
  • NEW: It is now possible to configure the transaction timeout, with the new configuration parameter database.transaction.timeout. (NEVISIDM-7220)
  • CHANGED: The location of the default temporary directory has been changed from /tmp to /var/opt/nevisidm/{instance_name}/tmp. (NEVISIDM-7168)
  • REMOVED: The configuration property application.feature.envers.enabled has been removed. As the feature behind it (Envers) has also been removed, the property has become useless. (NEVISIDM-7169)

Upgrading from nevisIDM 2.78.0.x

Step 1: Installation

Install the packages of nevisIDM 2.79.0.347578032 on the server.

Step 2: Configuration files

To implement autodetection of log configuration changes, add the parameter monitorInterval: 5 to the log configuration. The unit of measure for the parameter is seconds, the minimum interval is 5 seconds. See also the following sample code snippet:

monitorInterval setting

Configuration:

monitorInterval: 5
properties:
property:
name: LOG_PATTERN
value: "%d{ISO8601} %-15.15t %-40.40c %-5.5p %m%n"

appenders:
...

Step 3: Database

Update the nevisidmdb package with the following command (this will remove the current installed version of nevisidmdb):

rpm -U nevisidmdb-6.0.??-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.78.0.207381899 - 19.08.2020

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.78.0.2073818995.46.x

Breaking changes

  • CHANGED: The server truststore is no longer used for outbound TLS connections (for example, SMTP or messaging). Instead, you can configure independent truststores for each outbound TLS use case. If there is no independent truststore configured, the system truststore will be used for outbound TLS. (NEVISIDM-6702)

General changes and new features

General/Core

  • NEW: You can now configure outbound TLS truststores (for the SMTP or messaging) independently of the server truststore. If there is no independent truststore configured, the system truststore will be used. (NEVISIDM-6702)
  • NEW: The new credential type Recovery Code with CREDENTIAL_TYPE=22 is now available. (NEVISIDM-6731)
  • NEW: The UpdateUserStateJob has a new configuration: daysNoActivitySinceReactivation, which provides a grace period before deactivating users who have been recently reactivated. (NEVISIDM-6873)
  • CHANGED: SecTokens will now always use the default encoding of the JVM. The default encoding can be controlled with the JVM system property -Dfile.encoding. In addition, the JVM system property -Dsectoken.data.charset must be configured accordingly to match the default JVM encoding. Be aware that encoding changes might require users to log in again. (NEVISIDM-6651)
  • CHANGED: The "User per application" report now contains the street and house number of the users if the client policy address.ech0010.enabled is set to "true". (NEVISIDM-6937)
  • CHANGED: The PruneHistoryJob for the Oracle database type now provides a better performance. (NEVISIDM-7050)
  • FIXED: The bug where the nowLocked transition of the IdmPasswordVerifyState was not triggered correctly has been fixed. The IdmPasswordVerifyState now returns a nowLocked transition if the credential was locked in the current authentication attempt (only if the nowLocked transition is configured in the state, otherwise it returns locked). (NEVISIDM-6865)
  • FIXED: The bug where the nevisidm status command erroneously displayed warnings related to lsof. (NEVISIDM-6908)
  • FIXED: The bug where the nevisidm status command erroneously required sudo. (NEVISIDM-6952)
  • FIXED: The bug in the logging.yml template where the level "OFF" was not parsed correctly. (NEVISIDM-7017)
  • FIXED: The bug where the expiration and dead letter messaging queues were not configured. (NEVISIDM-6991)
  • FIXED: The bug where case insensitive indices where missing for the Oracle database type. The fix results in a better performance of the login with Oracle. (NEVISIDM-7062)

Web GUI

  • NEW: nevisIDM now provides a new single page application web admin GUI. Currently, this new application contains pages to administer Terms and Conditions. A user with the required elementary rights for Terms and Conditions can access the application with the Terms and Conditions link in the sidebar of the existing GUI.
  • NEW: The Admin GUI now supports Managing Recovery Code credentials. (NEVISIDM-6941)
  • NEW: The SelfAdmin GUI now supports Recovery Code regeneration. (NEVISIDM-6942)
  • FIXED: The bug regarding the sorting of users and policies in the Admin GUI. (NEVISIDM-7059)
  • FIXED: The bug where the drop-down selection got lost when you selected a unit during user creation. (NEVISIDM-6676)
  • FIXED: The bug where the unit search in the classic mode did not work correctly from the second page onwards. (NEVISIDM-7134)
  • DEPRECATED: The SelfAdmin GUI has been deprecated and will be removed in the November 2021 release. It is recommended that you solve SelfAdmin use cases by means of a custom GUI, which accesses the REST API of nevisIDM. For further information, refer to the "nevisIDM Client Developer Guide". Contact Nevis customer support if you rely on the SelfAdmin GUI.

Rest API

  • NEW: A new service (/auth) for authentication related endpoints is now available. For more details, see the separate REST API documentation. (NEVISIDM-7060)
  • NEW: nevisIDM now provides REST services to create, fetch and delete recovery codes, and to authenticate with recovery codes. For more details, see the separate REST API documentation. (NEVISIDM-6760, -6761, -7005, and -6798, respectively)
  • NEW: nevisIDM now provides REST services to reset and unlock passwords. For more details, see the separate REST API documentation. (NEVISIDM-6957 and -7072)

Web services

  • CHANGED: Violated password policies are now included in the error messages. (NEVISIDM-6774)

Database

  • NEW: There is a new table, TIDMA_RECOVERY_CODE, to store recovery codes. (NEVISIDM-6759)
  • CHANGED: The VIDMH_AUTHORIZATION_UNIQUE view now provides a better performance. (NEVISIDM-6967)
  • FIXED: The bug where nevisIDM with a MariaDB database did not work when autocommit was set to "0" in the MariaDB server and on the connection URL. From now on, the nevisIDM application with a MariaDB database supports the autocommit being disabled (value set to "0") both in the server configuration and through the database.connection.url property in the nevisidm-prod.properties file. (NEVISIDM-6903)

Configuration

  • NEW: It is now possible to configure the size of the request and response headers, via the new server.max-http-header-size property (nevisidm-prod.properties configuration file). (NEVISIDM-6966)

Upgrading from nevisIDM 2.77.0.x

Step 1: Installation

Install the packages of nevisIDM 2.78.0.207381899 on the server.

Step 2: Configuration files

No changes

Step 3: Database

Update the nevisidmdb package with the following command (this will remove the current installed version of nevisidmdb):

rpm -U nevisidmdb-5.4.0.207381899-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.76.4.80 / June 23, 2020

Changes

General

  • FIXED: The bug that the yaml reserved keyword, OFF, was misinterpreted during parsing is now fixed. (NEVISIDM-7017)
  • FIXED: The bug that jcan.op logging did not work in version 2.76.2 has been fixed. (NEVISIDM-6986)

Upgrading from nevisIDM 2.76.x.0

To upgrade from nevisIDM 2.76.x.0, install the new packages and restart nevisIDM.

nevisIDM 2.77.1.83 - 02.06.2020

Changes

General

  • FIXED: The bug that the yaml reserved keyword, OFF, was misinterpreted during parsing is now fixed. (NEVISIDM-7017)
  • FIXED: The bug that jcan.op logging did not work in version 2.76.2 has been fixed. (NEVISIDM-6986)

Upgrading from nevisIDM 2.77.x.0

To upgrade from nevisIDM 2.77.x.0, install the new packages and restart nevisIDM.

nevisIDM 2.77.0.75 - 20.05.2020

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.77.0.754.45.x

Breaking changes

  • REMOVED: The Oracle JDBC jar is no longer bundled into the application. For details, see the section [Upgrading from nevisIDM 2.76]

General changes and new features

General/Core

  • KNOWN BUG: No dead letter address and no expiry queue is currently configured in the messaging. The corresponding warnings AMQ222165 and AMQ222166 may occur in the application log. (NEVISIDM-6874)
  • NEW: Version 1.45 of the Web Service is now available. (NEVISIDM-6653)
  • CHANGED: From now on, the IdmCreateUserState loads the client external ID (clientExtId) and the client name (clientName) in the user DTO of the session, if the loadUser flag is set to "true". (NEVISIDM-6852)
  • FIXED: The bug that occurred when you used an empty file as ${exec:...} command for the property value replacement in the nevisidm-prod.properties configuration file. (NEVISIDM-6723)
  • FIXED: The bug with the blocking messaging queue when the default maximum disk usage of 90% was reached. From now on, writing to the messaging queue will fail when the maximum disk usage threshold of 99% is reached. In case of any failure with the provisioning, the system will write an error message in the application.log file. (NEVISIDM-6813)
  • DEPRECATED: The status servlet is deprecated. To retrieve runtime and database statistics information, use the management service instead ").

Web GUI

  • CHANGED: The elements of the drop-down menus are now shown in alphabetical order. (NEVISIDM-6675)
  • FIXED: The issue with the displaying of the Oracle database version. The status servlet now displays the proper Oracle database version. (NEVISIDM-6699)
  • FIXED: The bug where the GUI did not show all fields with fine-grained permissions. (NEVISIDM-6714)

REST API

  • NEW: nevisIDM now provides a REST service to update the SecurID credential of a user with a given external ID (by means of the PATCH method). For more details, see the separate REST API documentation. (NEVISIDM-5354)
  • NEW: nevisIDM now provides a REST service to get and delete the Mobile Authentication credentials of a user (by means of the GET and DELETE methods). For more details, see the separate REST API documentation. (NEVISIDM-6770, NEVISIDM-6797)

Web Services

  • NEW: The Web Service supports additional user notifications (10-20) from version 1.45 on. (NEVISIDM-6653)
  • FIXED: The bug concerning the nevisidm-ws-client.jar file, which contained duplicated WSDL files. (NEVISIDM-6728)
  • FIXED: The bug where the web services did not accept unknown SOAPAction headers. From now on, nevisIDM no longer evaluates the SOAPAction header and ignores its value. (NEVISIDM-6710)

Database

  • KNOWN_BUG: The nevisIDM application with a MariaDB database does not support the autocommit being set to "false" in both the server configuration and through the database.connection.url property in the nevisidm-prod.properties file. As a workaround, enable the auto-commit either on the server or on the client. (NEVISIDM-6878)
  • FIXED: The bug in MariaDB where the nevisidmdb tool did not commit the last entry in the history table. This happened when autocommit was set to "false" in the server configuration and on the connection URL. (NEVISIDM-6858)

Upgrading from nevisIDM 2.76.2.x

Step 1: Installation

Install the packages of nevisIDM 2.77.0.75 on the server.

Step 2: Configuration filesNo changes

Step 3: Database

Steps to perform for Oracle DB only

  • Head to the Oracle JDBC driver](https://www.oracle.com/database/technologies/jdbc-ucp-122-downloads.html)" download page and download the appropriate driver. The driver file will be called something like ojdbc8.jar.
  • Create a lib folder (if it does not exist) under the nevisIDM instance folder (mkdir -p /var/opt/nevisidm/$INSTANCE/lib).
  • Copy the downloaded driver to the newly created lib folder (/var/opt/nevisidm/$INSTANCE/lib).
  • Copy the downloaded driver to the lib folder of nevisidmdb tool (/var/opt/nevisidmdb/lib). Update the nevisidmdb package with the following command (this will remove the current installed version of nevisidmdb):
rpm -U nevisidmdb-4.4.0.75-1.noarch.rpm

Migrate the database schema with the following command:

nevisidmdb migrate

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.76.2.63 - 19.02.2020

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.76.2.633.14.x

Breaking changes

  • REMOVED: nevisIDM no longer supports adnwildfly. For adnwildfly,use nevisIDM version 2.75.x.x for long term support (LTS). (NEVISIDM-6188)
  • REMOVED: The auditing provider fileAuditProvider is removed. Use the auditing provider jsonAuditProvider instead. (NEVISIDM-6026)
  • DEPRECATED: The auditing provider jcanLogAuditProvider is deprecated. Use the auditing provider jsonAuditProvider instead. (NEVISIDM-6026)
  • CHANGED: As of this release, jsonAuditProvider is the default auditing provider. (NEVISIDM-6026)
  • CHANGED: nevisIDM now uses Log4j 2, instead of Log4j, for logging. Therefore, migrate all logging configurations to Log4j 2 files. See chapter Step 2: Configuration Files.
  • CHANGED: From now on, the status code of a REST request with a missing body is "400" (Bad Request). Previously, it was "422" (Unprocessable Entity). (NEVISIDM-6161)
  • CHANGED: As of this release, REST requests with unknown fields in the request body will fail. (NEVISIDM-6161)

General changes and new features

General/Core

  • KNOWN BUG: Logging for jcan.op does not work. It is fixed in version 2.76.3.77 (NEVISIDM-6986).
  • NEW: You can now configure the jsonAuditProvider auditing provider such that it rolls the log files daily and/or by file size. (NEVISIDM-6026)
  • NEW: From now on the provided logging template is in YAML format. YAML is also the recommended format. (NEVISIDM-6414)
  • CHANGED: The package of the UserServiceRequestInjectingFilter has been changed. Adjust the logging configurations such that they point to the new packagech.adnovum.nevisidm.web.filters.UserServiceRequestInjectingFilter. (NEVISIDM-5838)
  • FIXED: The issue where device password credentials were not properly locked after reaching the maximum attempt counter. (NEVISIDM-6261)
  • FIXED: The issue with the initialization vector randomness. Now the initialization vector is chosen at random for every new encryption. This deprecates the property security.properties.iv.(NEVISIDM-5916).
  • REMOVED: Custom batch jobs are no longer supported. As a replacement, use an external job scheduler (for example, Cron), which accesses nevisIDM via the official nevisIDM API's.

Web GUI

  • FIXED: The issue where the Event queue manager screen did not load because of too many events. (NEVISIDM-5633)
  • FIXED: The issue where the Unit Search Tree was not loaded on the first request. (NEVISIDM-6236)
  • FIXED: The issue where the application drop-down list was larger than the Assign clients to application screen when the display name of one of the applications was too long. (NEVISIDM-5919)
  • FIXED: The issue where Internet Explorer used older versions in compatibility mode, which broke the layout. The system now enforces version 11+ in compatibility mode. (NEVISIDM-6411)

Rest API

  • NEW: The endpoint that retrieves a user's pending terms now also supports pagination. (NEVISIDM-6072)
  • NEW: New REST services for enterprise roles and enterprise roles authorizations are now available. For more details, see the separate REST API documentation. (NEVISIDM-6178)
  • NEW: The Roles endpoint of the Profiles REST service now also returns roles assigned over enterprise roles. (NEVISIDM-6333)
  • CHANGED: Password creation will now also return the "201" (CREATED) status code and a location header for the created password credential even if no password fragment is returned in the response. (NEVISIDM-6186)
  • CHANGED (Edge Case): Paginated REST calls now return elements that are created at the exact same timestamp in the correct order. (NEVISIDM-6168).
  • CHANGED: From now on, fields of POST request DTOs are marked as mandatory or optional in the separately available REST API documentation. (NEVISIDM-6160)
  • CHANGED: As of this release, REST requests with unknown fields in the request body will fail. (NEVISIDM-6161)
  • CHANGED: From now on, the status code of a REST request with a missing body is "400" (Bad Request). Previously, it was "422" (Unprocessable Entity). (NEVISIDM-6161)

Database

  • NEW: As of this release, the user nevisfido for mobile authentication is available as reference data for newly created nevisIDM databases. (NEVISIDM-6216)
  • NEW: This release introduces the new nevisidmdb tool. You will find more information in chapter nevisidmdb Usage and Configuration Properties]".
  • FIXED: The issue where the creation of VIDMH_UNIT_UNIQUE was skipped at migration when you used Oracle. (NEVISIDM-6281)
  • REMOVED: The existing nevisidmdb database has been removed and replaced. The following operations are not supported anymore: If you need multiple instances, you can use the nevisidmdb database with different configuration files. Chapter Database Preparing]" includes information on how to perform the initial setup now. Dropping the database is critical in a productive environment. But if you really need to drop the database, you will find more information in chapter Drop nevisIDM database]". This is not supported anymore. From now on, choose the kind of access during the initial database setup. Accessing the database directly is not recommended. If it is required nevertheless, use an alternative client, for example the Oracle Instant Client. SQL files are not included in the RPM's anymore. Use the nevisidmdb tool for database schema migrations.
  • REMOVED: The DELETE_CREDENTIAL_HISTORY procedure has been removed. (NEVISIDM-6997)

Upgrading from nevisIDM 2.75.0.x

Step 1: Installation

Install the package nevisidm 2.76.2.63 on the server.

Step 2: Configuration files

  • The configuration property application.modules.auditing.provider of the nevisidm-prod.properties file has a new default: jsonAuditProvider.

  • nevisIDM now uses Log4j2 for logging. The existing log4j.xml logging configuration file is not compatible with Log4j2 and is therefore not supported anymore. The default recommended configuration file format for Log4j2 is YAML. The default logging configuration file is now named logging.yml. Perform the following steps to migrate configuration files of existing instances:

    • Manually migrate custom logging configurations contained in the old log4j.xml file to the instance's logging.yml file. You will find further information about the new Log4j2 configuration format in the template and on this website: (http://logging.apache.org/log4j/2.x/manual/migration.html).

Step 3: Database

  1. If not done yet, first upgrade the database schema to version 2.75.0.0 according to chapter Upgrade database to version 2.75.0.0]".
  2. Update the nevisidmdb package with the following command (this will remove the current installed version of nevisidmdb):
rpm -U nevisidmdb-3.1.2.63-1.noarch.rpm
  1. When you update the nevisidmdb package, the system will migrate existing legacy env.conf configurations to the new configuration properties file format. Existing instances will be zipped to /var/opt/nevisidmdb/legacy_instance_<instance-name>.tar.gz. → Go to the directory /var/opt/nevisidmdb/conf/ and double-check that the migrated configuration file is correct. You can find further information on the configuration properties file in chapter nevisidmdb configuration properties file]".

Manually migrating conf files when using nevisAppliance

In case nevisAppliance is used, then the nevisidmdb package is already updated during build time of the nevisAppliance image. In this case, migrate the configuration files manually. Proceed as follows:

  1. Create a backup (archive) of the existing configurations (/var/opt/nevisidmdb/<instance-name>/conf/).

  2. Create a new properties file called nevisidmdb.properties in /var/opt/nevisidmdb/conf/.

  3. Migrate your existing configurations from the env.conf file to nevisidmdb.properties file as follows (the variables surrounded by underscores are the current variable values from your env.conf file):

  4. In case of an Oracle database:

  5. database.connection.url=jdbc:oracle:thin:@//*_DBHOST_*:*_DBPORT_*/*_ORACLE_SID_*

  6. database.owner.name=*_DBOWNER_NAME_*

  7. database.owner.password=*_DBOWNER_PASSWORD_*

  8. database.role.appl=*_ROLE_APPL_*

  9. database.ts.index=*_DBTS_INDEX_*

  10. database.ts.data=*_DBTS_DATA_*

  11. In case of a MariaDB database:

  12. database.connection.url=jdbc:mysql://*_DBHOST_MYSQL*_:*_DBPORT_MYSQL_*/nevisidm

  13. database.owner.name=*_DBOWNER_NAME_MYSQL_*

  14. database.owner.password=*_DBOWNER_PASSWORD_MYSQL_*

  15. Copy /opt/nevisidmdb/template/env.conf to /var/opt/nevisidmdb/conf/, which can be used to configure environment variables.

  16. Migrate the database schema with the following command:

nevisidmdb migrate
## with a custom configuration:
nevisidmdb migrate -c /var/opt/nevisidmdb/conf/custom-nevisidmdb.properties

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server. Restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.

nevisIDM 2.75.1.34 - 20.11.2019

Highlights

We are pleased to present nevisIDM 2.75.

  • Read the upgrade notes for important information about this release.
  • See the full list of resolved issues below.

Terms and Conditions

A new concept for terms and conditions management has been introduced. nevisIDM is able to administrate information about terms and conditions. In addition user consent information regarding accepted terms and conditions, including the version and acceptance date, is kept track of. For further information see the chapters [Terms and conditions].

Database schema requirement

Application versionMinimal required database schema versionMaximal supported database schema version
2.75.1.342.75.03.x

Breaking changes

  • NEW: New web service with version 44 has been introduced where the default client dataroom is not automatically added to authorizations of nevisIDM roles. (NEVISIDM-5819)
  • For MariaDB installations: The file idm_call_reset_autoincrement.sql is not needed anymore. The init-file parameter must be removed from the MariaDB configuration.
  • For Oracle installations: The root database password will require an upgrade. Make sure a logon trigger is created before updating the application or the database schema. For further information refer to the [upgrade chapter].

General changes and new features

General/Core

  • DEPRECATED: Adnwildfly has been deprecated. Support will be removed in release 2.76.
  • CHANGED: The password credential of the bootstrap user expires on 2020-01-01. The database patch extends the validity from 2020-01-01 to 2030-01-01. (NEVISIDM-5955)
  • CHANGED: Top level domain list was updated to version 2019090400. (NEVISIDM-6043)
  • CHANGED: Generated URL tickets no longer contain dashes (-). This provides out-of-the-box ModSecurity Paranoia Level II compatibility. (NEVISIDM-5918)
  • FIXED: The bug where nevisidmdb with MariaDB required sudo or root rights. (NEVISIDM-5804)
  • FIXED: The performance issue with the dataroom check in single client mode. (NEVISIDM-5947)
  • FIXED: The bug where the Lucene index regarding dict entries was not updated properly when an entity containing dict entries (client, application, or unit) was created. (NEVISIDM-5417)
  • FIXED: The bug where the batch job SingleClientDataConsistencyJobincorrectly added default client datarooms. The batch job now only adds the default client dataroom to authorizations of nevisIDM roles which have no global client dataroom. (NEVISIDM-6099)
  • FIXED: The bug where the deletion of OATH, SAML federation and FIDO UAF credentials was not audited correctly. (NEVISIDM-6011).
  • FIXED: The bug where an invalid init.d folder was added to the nevisidm instance folder. The invalid template directory init.d has now been removed from the nevisidm instance folder. (NEVISIDM-5855).

Web services

  • NEW: Web service versions can now be selectively enabled with the configuration webservice.versions to speed up the deployment start-up time of nevisIDM. For newly created standalone instances, only the latest and previous web service versions will be enabled by default. For further information refer to the reference guide. (NEVISIDM-6004)
  • CHANGED: The userUpdate SOAP call no longer copies the user state to the profile states. (NEVISIDM-5802)

Rest API

  • NEW: New REST services for administering terms and conditions have been released. See the separately available REST API documentation for more details. (NEVISIDM-6104)
  • NEW: Added REST request logging to the Wildfly standalone.xml template. (NEVISIDM-5899)
  • CHANGED: Null and empty values (including nested objects) are now excluded in all REST responses. (NEVISIDM-5853)
  • FIXED: The bug regarding default profile creation. Now, the first profile created for a user will automatically become the default profile. (NEVISIDM-5949)

Database

  • NEW: nevisIDM now also supports Oracle database version 19c. (NEVISIDM-5979)
  • NEW: Reference data for Nevis Mobile Authentication is now available. (NEVISIDM-5899)
  • CHANGED: For Oracle databases: All synonyms have been dropped and replaced with a logon trigger. For further information refer to the upgrade chapter. (NEVISIDM-5956)
  • REMOVED: The file idm_call_reset_autoincrement.sql is not needed anymore. Make sure to remove the init-file parameter from the MariaDB configuration. (NEVISIDM-5957)
  • REMOVED: The tables TIDMR_COUNTRY and TIDMR_STATE have been removed. (NEVISIDM-6009)
  • REMOVED: The technical attributes from the TIDMA_PERSIST_QUEUE table have been removed. (NEVISIDM-6158)

Upgrading from nevisIDM 2.74.0.x

Step 1: Installation

Install the packages of nevisIDM 2.75.0.510 on the server.

Step 2: Configuration files

No changes

Step 3: Database

Preparation: Stop the nevisIDM instance. Execution: Patch the DB of nevisIDM 2.74.x.x to 2.75.0.510. Therefore, perform the following steps: Oracle

  1. Create a logon trigger. The logon trigger is required to set the current schema of the user to the database owner when connecting to the database.
  • Connect to the database with system user:
$> nevisidmdb sqlplus <system>

Execute the following SQL statement by replacing the database owner and user name accordingly. Note that the db owner name defaults to UIDM01 and the db user name defaults to *UIDM02:

SQL> CREATE OR REPLACE TRIGGER <db user name>.after_logon_trg AFTER LOGON ON <db user name>.SCHEMA
BEGIN
EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = <db owner name>';
END;
/
  1. On the server's terminal, execute the command below. Note that the db owner name defaults to UIDM01 and the db user name defaults to UIDM02.
$> nevisidmdb patch 2.74.0 2.75.0 <db owner name> <db owner password> <db user name> <db user password>
  1. Recommendation: Refresh the DB statistics and flush the shared pool with the old query plans. Thus, the Oracle DB creates new query plans that are optimized for the upgraded nevisIDM data model.

  2. Optional: Check for invalid DB objects. Proceed as follows:

  • Connect to the database as DBOWNER (defaults to UIDM01) with sqlplus.
  • Search for invalid DB objects (such as db_user or db_owner):
SQL> select OBJECT_NAME, OBJECT_TYPE from user_objects where status = 'INVALID';
  • Generate a script to recompile invalid objects:
SQL> Select decode( object_type, 'PACKAGE BODY', 'ALTER PACKAGE ' || OBJECT_NAME ||
' COMPILE BODY;','ALTER ' || OBJECT_TYPE || ' ' || OBJECT_NAME || ' compile;' )
from user_objects where status = 'INVALID' order by object_type;
  • Execute the generated script.

The nevisIDMpatchdbscripts are tested for invalid objects. If everything is correct, no invalid objects should be created.*Some invalid objects are *automatically recompiled when you first access them. So in terms of corruption, they are not really invalid.

MariaDB

  1. On the server's terminal, execute the command below. Note that the db owner name defaults to UIDM01:
$> nevisidmdb patch 2.74.0 2.75.0 <db owner name> <db owner password>
  1. Remove the init-file parameter for idm_call_reset_autoincrement.sql from the MariaDb configuration.

Post-processing: Start the nevisIDM instance.

Step 4: Cleanup

Remove the software packages of the old nevisIDM release from the server and restart the affected nevisIDM instances.

Step 5: nevisAuth configuration

  1. Install the new nevisidmcl package on all nevisAuth instances that connect to the upgraded nevisIDM instance.
  2. Restart the affected nevisAuth instances.