9.0 release


9.0.10 Release

Bug fixes

  • Tomcat keeps restarting if the JVM does not have enough RAM allocated [TB-4515]
  • The API call PUT digipass/license/reinstate/<license> set all instances to the ASSIGNED state [TB-4525]
  • Cannot delete user [TB-4534]
  • SAML artifact binding did not handle an SSL handshake exception correctly [TB-4598]

Changes & Improvements

  • Missing OIDC flow (act-as / multi-hop / on-behalf-of) [TB-4455]
  • OIDC logout functionality [TB-4495]
  • RedisService MasterAndSentinels [TB-4526]
  • Finish OIDC: add scopes to the access token and modify the audience in the token (9.2) [TB-4557]
  • The password policy of the user / password IDP was not loaded at startup [TB-4576]
  • Disable Tomcat version reporting in Core and GUI [TB-4507]
  • Custom template for location 00_idhub.conf [TB-4574]

 

9.0.9 Release

Changes

  • Digipass: better support for escaped characters in free-text authentication and more flexible Cronto message generation.
  • RedisService: new optional service property: Password.
  • Oidc: acr values are passed along, and in the derived attribute workflow the user can choose which one applies to the current request. The array of requested acr values is available as request.acr_values; the acr value finally chosen must be put in request.request.acr.

9.0.8 Release

Bug fixes

  • Missing headers in authenticated requests (TB-3951).
  • The call digipass/license/delete/<uid>/<license> did not delete the license (TB-4349).
  • A request made after the inactivity timeout had been reached resulted in a LUA error (TB-4350).
  • Improved error reporting for the Digipass API (TB-4406).
  • Removed excessive error logging of connection pool timeouts (TB-4423).
  • Fixed some OIDC token issues (TB-4468).
  • MySQL log rotation did not work properly. A keep_log_days parameter was added to the database role, with a default value of 30 days (TB-4488).

Changes

  • MongoDB has been removed from the appliance (TB-4487).

New Features

  • Added the ability to set cookies in the session hook workflow (TB-4513).
  • Extended the information returned by the .well-known/openid-configuration call (TB-4373).
  • Added the possibility to specify a custom location for logback.xml with the logback_custom parameter in the orchestrator role. This uses the logback configuration exported in TBA instead of the one in webapps/idhub/WEB-INF/classes/ (TB-4374).
  • Disabled the Nginx version in the configuration, so the Nginx version is no longer shown when the default Nginx error page is served (TB-4499).

9.0.7 Release

New Features

  • The searchable hash attribute type was added (TB-4471).

9.0.6 Release

Bug fixes

  • Fixed a problem when multiple partners use the same certificate.
  • SSL can now be enabled on artifact resolution.
  • Fixed a cross-site scripting vulnerability: Angular template injection and plain JavaScript XSS payloads are now blocked. The issue occurred with translations on public pages (TB-4203).

9.0.5 Release

Bug Fixes

  • Fix to orchestrator after updating from 9.0.3 to 9.0.4 (TB-4419)

9.0.4 Release

New Features

  • Add fields to AuthenticationRequest, which are mandatory for DigiD (TB-4252)
  • New functionality for Digipass MDL (TB-3574)
  • Add last used date for Digipass Instances with MDL (TB-4391)
  • Map subject on User attribute (TB-4277)

Bug Fixes

  • SAML issue where partnerentityid was not provided to the idp (TB-4244)
  • Warning on empty header in nginx error.log (TB-4300)
  • Session header cleared when azn cache hit (TB-4404)
  • Loading screen is scrambled in new version of Chrome (TB-4297)
  • REQUEST_SIGNATURE error (TB-4263)

9.0.3 Release

Bug fixes

Digipass

Upload DPX file (TB-4259).

Gateway

LUA error when the orchestrator is accessed through SSL (TB-3570).

Changes

The query parameters passed to the IDP selection page have changed slightly: "authmethod" became "authnmethod".

For example: 

/idhub/login.html?code=653bffff-88b4-40af-b7a1-258f22f99f7a&comparison=minimum&authmethod=2

became

/idhub/login.html?code=653bffff-88b4-40af-b7a1-258f22f99f7a&comparison=minimum&authnmethod=2

 

 

9.0.2 release

New features

Admin portal

SP locations are now case sensitive (TB-4188).

Digipass

New REST call to return a Digipass activation code as a string rather than QR code (TB-4150).

OpenID

The OIDC token request by refresh token now also returns an id_token (TB-4111).

SmtpAdapter

SMTP adapter requests now support custom (single-valued) headers (TB-3905).

Bug fixes

Admin portal

Authentication rules for requests of type public_web were needlessly triggered by the application rules, which in certain scenarios could result in an erroneous "access denied" response (TB-4156).

Digipass

Validating a Digipass OTP by principal failed if the token had multiple applications (TB-4183).

The "last used date" field was not properly updated for MDL tokens (TB-4198).

Gateway

Browsers could drop the X-TB-CREDENTIAL cookie because of size limits, resulting in a loop during login (TB-4110).

In certain cases the original content-type and accept headers could be forgotten (TB-4223).

HttpAdapter

The getResponseBodyAsBase64 JS function called an invalid method on HTTP adapter responses (TB-4140).

PacGenerator

The DER octet string generated for a UUID could have wrong padding (TB-4152).

Security

A cross site scripting issue was fixed (TB-4203).

STS component

Loading the STS component failed after restart of TrustBuilder (TB-4171).

 

9.0.1 release

New features

Digipass

Added support for larger cronto images.

 

9.0 release

Released in June 2017.

New features

Admin portal

The algorithm and salt settings of a user attribute of data type Hash are now editable.

Digipass

An undo option has been added to revert a DPX file upload.

Gateway 

Extended and improved debug logging.

Several enhancements were made to the ansible installation scripts.

HttpAdapter

The HTTP adapter now supports SNI.

The subject CN of the certificate presented in the SSL session must match the host name defined for that host in the HTTP adapter configuration.

OpenID Connect / OAuth2 endpoints

A new OpenID Connect / OAuth2 service supports the following endpoints:

  • Authorization endpoint (OAuth2 / OpenID Connect). Clients use this endpoint to start the authentication process. On success the result is either an access token (implicit grant) or an authorization code to be exchanged for an access token (authorization code grant).
  • Token endpoint (OAuth2 / OpenID Connect). Exchanges an authorization code for an access token. Can also issue an access token for the client credentials grant.
  • User info endpoint (OpenID Connect). Returns claims about the authenticated user.
  • Token revocation endpoint. Invalidates a token and, possibly, the other tokens issued from the same authorization grant (and the grant itself).
  • Token introspection endpoint. Returns the status of a token and information about it.
  • OpenID configuration endpoint (OpenID Connect Discovery). Returns the metadata of the OpenID Connect IDP.
  • JSON Web Key Set endpoint (OpenID Connect Discovery). Returns the signing key material that relying parties use to verify JWT signatures.

Scopes are linked to attributes.

SAML2 ACS endpoint

The ACS endpoint contains basic support for SAML2 artifact resolution.

Bug fixes 

Admin portal

Constructing a filter for enum values with multiple rules (TB-3593).

Digipass

Unblocking a blocked user (TB-3840).

Date of upload format (TB-3923).

HttpAdapter

Handling of the connection pool size (TB-3798).

LdapAdapter

Logging of LDAP authentication failures (TB-3825).

Installer

Special characters allowed in root administrator password (TB-3936).

Gateway

Nginx configuration resulting in an incorrect x-forwarded-for header.

403 error when logging in as Administrator in the selfservice portal and trying to access the admin portal.

Regeneration of session cookies when authenticating users.

'LOGOUT_INCORRECT_INRESPONSETO' error when trying to logout after being denied access to the admin portal.

Redundant CRED entries for the same user in Redis during the cleanup phase.

RadiusService

Access to incoming multi-valued attributes in TrustBuilder workflows (TB-3791).

Format of vendor-specific binary response attributes (TB-3791).

SAML component

SLO problem (TB-3801).

Using the same partner as SP and IDP with same ID (TB-3877).

SAML endpoint

Handling of SAML signature validation (TB-3992).

TBA

Import of workflows without layout files (TB-3887).

Missing override values in SAML component (TB-3804).

Default port (TB-3624).

 

Security

Several third-party libraries were upgraded (TB-3803).

Encryption of settings and saved override properties (TB-3863).

 

Gateway updates

Tomcat was upgraded from 8.0 to 8.5.

 

Preparation

These are the updated TrustBuilder RPMs for this release:

  • tomcat-core-8.5.15-364.noarch.rpm
  • tomcat-gui-8.5.15-364.noarch.rpm
  • trustbuilder-all-9.0.0-17.noarch.rpm
  • trustbuilder-appliance-9.0-364.noarch.rpm
  • trustbuilder-core-9.0.0-17.noarch.rpm
  • trustbuilder-crl2db-9.0.0-17.noarch.rpm
  • trustbuilder-gateway-20170616140333-1.x86_64.rpm
  • trustbuilder-gateway-debuginfo-20170616140333-1.x86_64.rpm
  • trustbuilder-gui-9.0.0-17.noarch.rpm
  • trustbuilder-release-9.0-364.noarch.rpm
  • trustbuilder-userportal-20170616140329-1.noarch.rpm

Before starting the upgrade it is recommended to make backups. If you are using VMware you can create a snapshot. Alternatively you can make a manual backup as described in the Backup section below.

Make sure that the backup database user's password has not expired before performing the upgrade.

 

Backup

Create a folder to hold your backups on every node. Use this command:

mkdir -p /opt/trustbuilder/release-backup

On the gateway node(s):

Go to the instances folder; it contains one or more instances. Back them up with the following command:

tar zcvf /opt/trustbuilder/release-backup/gw-instances-$(date +%d-%m-%Y).tgz --exclude .git --exclude logs /opt/trustbuilder/gateway/instances

On the orchestrator node(s):

Copy the following files to the backup folder:

  • /opt/trustbuilder/tomcat-core/conf/server.xml
  • /opt/trustbuilder/tomcat-core/conf/context.xml
  • /opt/trustbuilder/tomcat-core/conf/Catalina/conf/<<nodename>>/*

On the repository node(s):

Since the 8.2 release a backup database is created and updated automatically. If you nevertheless want to create a database dump prior to upgrading, use the following command:

mysqldump --all-databases --single-transaction > database-backup-$(date +%d-%m-%Y).sql

 

Installation

Although the installation stops services when needed, it is recommended that you stop all TrustBuilder services yourself first.

On the gateway node(s):

  • sudo systemctl stop tb-gw-<<instance_id>>
  • sudo systemctl stop tb-gw-<<instance_id>>-sessionstore
  • sudo systemctl stop tb-gw-<<instance_id>>-sessionstore-sentinel

On the orchestrator node(s):

  • sudo systemctl stop tomcat-core

On the repository node(s):

  • sudo systemctl stop mysql

On the admin node (the node that runs TBA):

  • sudo systemctl stop tomcat-gui

To start the installation of the TrustBuilder update, do the following on the node that runs the ansible playbook (for example the admin node):

  1. sudo yum update trustbuilder-appliance (this should update to 9.0.0)
  2. cd /opt/trustbuilder/appliance/config
  3. apply the necessary changes to cluster.yml
  4. run ansible-playbook -v your-config.yml

In rare cases the Gateway service does not start. The root cause can be found with the following command:

sudo systemctl status tb-gw-default

Fix any errors manually, then rerun the ansible playbook.

If everything runs correctly, TrustBuilder is up and running again.

All that is left is to update the idhub database schema. Do this by opening https://your-hostname/idhub/install

Known issues

  • Tomcat complains about an unsupported MessageDispatch15Interceptor during startup.
    This can be solved by editing the template and replacing it with MessageDispatchInterceptor
    (hotfix published).
  • The mysql_backup account may be locked because its password has expired. This can be fixed with the following command, which changes the password expiry settings:

    sudo chage -M 99999 -m 99999 mysql_backup

  • Uploading Digipass DPX files might fail. Uploading the same file a second time works around this.