8.2 release

Hotfixes

8.2.4

  • Added self-service REST call to return a Digipass activation (QR) code as a Base64 encoded string that can be rendered in a DIV or IMG tag.
  • Fixed bug in getResponseBodyAsBase64 function on HttpResponse.

8.2.3

  • Filter values of principal attributes of type ENUM in the user filter widget

8.2.2

  • Fixed a bug in the authentication rules screen when selecting an attribute with the same name as another one (but of a different category)
  • Fixed a single-logout bug when the session has expired

8.2.1

  • Digipass: added support for larger Cronto images
  • Updated the Digipass documentation
  • SAML signature validation fix

8.2 release

Released in February 2017.

The major additions and changes in this release are:

  • Java 8 build
  • Digipass Multi-Device Licensing
  • Import of SAML2 identity and service providers from metadata
  • Kerberos authentication in custom workflows
  • Communication channels
  • Reorganization of settings page
  • Restructuring of self-service portal
  • HASH data type
  • TAM adapter PDAuthContext pooling
  • Removal of Test.jsp file in TB web root
  • Gateway updates
  • Appliance maintenance

In addition to the regular Operating System security updates, we bumped the version of MariaDB (10.0.29).

Java 8 build

From this release on, TrustBuilder is built using the Java 8 JDK. Compatibility with older JREs is not guaranteed.

Digipass Multi-Device Licensing

TrustBuilder now supports the Digipass Multi-Device Licensing model and incorporates support for Cronto activation, signing and validation.

Importing a Digipass DPX file happens in the same way as for single-device licensing.

Support has also been added for revoking a token assigned to a user (SDL and MDL).

Import of SAML2 identity and service providers from metadata

To simplify the creation of SAML2 identity and service providers, these types of providers can now be created by importing a SAML2 metadata file.

Kerberos authentication in custom workflows

Custom workflow endpoints can now be protected by Kerberos authentication. If Kerberos is enabled, workflows can now access the Kerberos user if authentication is successful.

Communication channels

TrustBuilder gives administrators more control over which communication channels are used for actions such as resetting a password and notifying the user that the password has been changed by an administrator.

Reorganization of settings page

As the settings page in the administration portal grew too large, the page is now split up per main category.

Restructuring of self-service portal

The self-service portal has been replaced by a single-page application containing personal profile details and consents.

HASH data type

The administrator can now define user attributes of type HASH. The HASH data type definition specifies a hash algorithm and a salt.

The values of a user attribute with the HASH data type are hashed according to the following algorithm: HASH(salt + user-id + value), Base64 encoded. Because the user-id is part of the hashed input, the same value stored for two different users yields two different hashes, so a comparison must always be recomputed for the specific user.
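The following is an added example (not TrustBuilder's own code) that implements the HASH data type computation as described above, plus a constant-time comparison for checking a presented value against the stored hash. It assumes that salt, user-id and value are concatenated as UTF-8 strings with no separator and that the algorithm is a hashlib name such as "sha256".

```python
import base64
import hashlib
import hmac


def attribute_digest(algorithm: str, salt: str, user_id: str, value: str) -> bytes:
    """Raw HASH(salt + user-id + value). Assumption: plain UTF-8 concatenation, no separator."""
    try:
        h = hashlib.new(algorithm)
    except ValueError as exc:  # hashlib raises ValueError for unknown algorithm names
        raise ValueError(f"unsupported hash algorithm: {algorithm}") from exc
    h.update((salt + user_id + value).encode("utf-8"))
    return h.digest()


def hash_attribute(algorithm: str, salt: str, user_id: str, value: str) -> str:
    """Stored form of a HASH attribute: Base64 of the digest, as the release notes describe."""
    return base64.b64encode(attribute_digest(algorithm, salt, user_id, value)).decode("ascii")


def verify_attribute(stored: str, algorithm: str, salt: str, user_id: str, candidate: str) -> bool:
    """Recompute the hash for this user and compare in constant time.

    The user-id is part of the input, so a stored hash can only be checked against
    the user it was computed for; the same value for another user will not match.
    """
    expected = hash_attribute(algorithm, salt, user_id, candidate)
    return hmac.compare_digest(expected.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample values; the salt would come from the HASH data type definition.
    stored = hash_attribute("sha256", "attr-salt", "alice", "0471234567")
    print("stored:", stored)
    print("alice matches:", verify_attribute(stored, "sha256", "attr-salt", "alice", "0471234567"))
    print("bob matches:", verify_attribute(stored, "sha256", "attr-salt", "bob", "0471234567"))
```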

TAM adapter PDAuthContext pooling

Until now, pooling the PDAuthContext in the TAM adapter could be activated by specifying a pool size > 0. This feature has been deprecated. If a pool size > 0 is specified, TrustBuilder now enforces size 0, which disables PDAuthContext pooling.

Removal of Test.jsp file in TB web root

Penetration testing resulted in the removal of this test page.

Gateway updates

  • Naxsi 0.55.2
  • OpenResty 1.11.2.2

Bug fixes

This release contains various bug fixes in the REST calls, the administration portal, the gateway, the TrustBuilder workflow engine and the administration tool. This includes, among others:

  • Bug fix in application rules handling the step-up case.
  • Bug fixes in user attribute ordering in administration portal.
  • Several bug fixes and cosmetic changes in the administration portal GUI.
  • The HTTP adapter ignored the connection pool size.
  • The TBA script editor window size was sometimes too small.
  • The default port of TBA was not consistent with the documentation.
  • Bug fixes in the OTP adapter.
  • Improved validation of user authentication in some self-service REST calls.
  • Some messages were inappropriately logged at warning level instead of debug level.
  • Removed 4K limitation of Lua script blocks.
  • Fixed bug in authentication of slave Redis instances.

Appliance Maintenance

The default encoding of MariaDB is now UTF-8.

The Redis slaves were not properly authenticated.

Preparation

These are the updated TrustBuilder RPMs for this release:

  • trustbuilder-all-8.2.0-2525.noarch.rpm
  • trustbuilder-appliance-8.2-330.noarch.rpm
  • trustbuilder-core-8.2.0-2525.noarch.rpm
  • trustbuilder-crl2db-8.2.0-2525.noarch.rpm
  • trustbuilder-gateway-20170222120313-1.x86_64.rpm
  • trustbuilder-gateway-debuginfo-20170222120313-1.x86_64.rpm
  • trustbuilder-gui-8.2.0-2525.noarch.rpm
  • trustbuilder-release-8.2-330.noarch.rpm
  • trustbuilder-userportal-20170222120310-1.noarch.rpm

Before starting the upgrade, it is recommended to take backups. If you are using VMware you can create a snapshot. Alternatively, you can make a manual backup as described in the Backup section.

Backup

Create a folder to hold your backups on every node. Use this command:

mkdir -p /opt/trustbuilder/release-backup

On the gateway node(s):

Go to the instances folder. There you will have one or more instances; you can back them up with the following command (the archive is gzip-compressed to match its .tgz extension):

tar czvf /opt/trustbuilder/release-backup/gw-instances-$(date +%d-%m-%Y).tgz --exclude .git --exclude "*.log*" .

On the orchestrator node(s):

Copy following files to the backup folder:

  • /opt/trustbuilder/tomcat-core/conf/server.xml
  • /opt/trustbuilder/tomcat-core/conf/context.xml
  • /opt/trustbuilder/tomcat-core/conf/Catalina/conf/<<nodename>>/*

On the repository node(s):

Make a database backup into the backup folder using the following command:

mysqldump --all-databases --single-transaction > /opt/trustbuilder/release-backup/database-backup-$(date +%d-%m-%Y).sql

Installation

While the installation will stop services if needed, it is recommended that you stop all TrustBuilder services yourself.

On the gateway node(s):

  • sudo systemctl stop tb-gw-<<instance_id>>
  • sudo systemctl stop tb-gw-<<instance_id>>-sessionstore
  • sudo systemctl stop tb-gw-<<instance_id>>-sessionstore-sentinel

On the orchestrator node(s):

  • sudo systemctl stop tomcat-core

On the repository node(s):

  • sudo systemctl stop mysql

On the admin node (the node which runs TBA):

  • sudo systemctl stop tomcat-gui

To start the installation of the TrustBuilder update, do the following steps.

On the node that runs the Ansible playbook (e.g. the admin node):

  1. sudo yum update trustbuilder-appliance (this should update to 8.2-330)
  2. cd /opt/trustbuilder/appliance/config
  3. edit cluster.yml with the necessary changes described above
  4. run ansible-playbook -v cluster.yml

In rare cases the Gateway Service will not start. The root cause can be found by executing the following command:

sudo systemctl status tb-gw-default

Any errors need to be fixed manually; afterwards, rerun the Ansible playbook.

If everything runs correctly, TrustBuilder should be up and running.
