9.0 Release Notes

9.0.13 Release

  • Fixed a vulnerability in the Self-service API that could allow an account takeover
  • Fixed an issue that could lead to session IDs being leaked on the gateway
  • Fixed an issue that could cause deadlocks while reading the OAUTH_TOKEN table
  • The client secret is no longer displayed in plain text for OAuth IDPs
  • The client secret is no longer returned by a Self-service API call
  • OpenID Connect
    • A refresh token can now be used for a token exchange
    • Added additional checks and logging when an ID token is requested
    • The issuer can now be overridden by setting the request header x-idhub-entity-id (from 9.1 onward this is replaced by a configuration field). As with any header that influences token contents, it should be set or stripped at the gateway rather than accepted from arbitrary clients.
  • When environment.yml is run, the CentOS-* files in /etc/yum.repos.d/ are deleted
  • Fixed an issue in the Digipass API where blocking/reinstating a token failed when the token has multiple instances

9.0.12 Release

  • Digipass: a Cronto image is no longer generated if no token is assigned to the license.
  • Added the CHECK_AGENT_ID property to the trustbuilder.properties file
  • Ansible
    • Fixed an issue with the sessionstore and sentinel ports
    • Fixed a synchronization issue between Sessionstore and Sentinel
    • Added an option to bind Redis to a specific IP
    • Added the idhub_use_custom_conf parameter
    • The domain of the cookies can now be defined with the 'domain' variable inside the Gateway configuration.
    • Fixed an issue with using "logback_custom: true" in a new environment
    • Ansible logging is now turned on by default
    • Fixed an issue where custom gateway certificates (CA, crt and key) were not copied to a remote gateway
  • OIDC:
    • Several 5xx errors are now returned as 4xx errors when the client makes an incorrect request
    • CORS is now allowed for OPTIONS preflight calls to the userinfo endpoint, for all origins
    • Fixed a DuplicateKeyException in the Hybrid Flow

9.0.11 Release

  • Fixed an issue that prevented saving Authentication Rules on an SP
  • Added a check that the redirect URI is allowed for an OIDC logout
  • Added a global setting to change the SAML method comparison sent to the IDP
  • Fixed an issue in the SAML component where SLO with a target parameter did not work as expected
  • Added a security header in nginx: more_set_headers 'Server: Unknown'; alongside server_tokens off;. server_tokens off only hides the version and still announces the web server product, so the explicit header is needed to stop a simple curl from revealing which web server is being used.
  • Fixed an issue where commas were not treated as multi-value separators in the Application Rules
  • Fixed an issue where the session-hook workflow was called twice at login
  • Fixed an issue where gateway session cookies were not invalidated by logout
  • Changed the permissions of /opt/trustbuilder from 0755 to 0700, because it holds the SSH keys.
  • Added an option to enable/disable CRL/OCSP checks on the SAML Artifact resolve connection (two-way SSL)
  • Fixed an issue where idp/provisioning/user returned the wrong content-type
  • Updated the OpenSSL version bundled with OpenResty
  • Fixed an issue where a "$" followed by a number in a SAML token was treated as a parameter reference, even when it was part of a text value.
  • In the IDHub DB settings, the connection pool properties were renamed (the Commons DBCP 2 names):
    • maxActive became maxTotal
    • maxWait became maxWaitMillis.
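
The redirect URI check for OIDC logout in this release is the kind of control where the matching rule matters as much as the check itself. The following is an added example, not TrustBuilder's own code, of an exact-match allow-list check for the post-logout redirect URI; the client registry, the default logout page URL and the sample requests are constructed for this illustration.

```javascript
// Added example (not TrustBuilder's own code): exact-match allow-list check for the
// redirect URI of an OIDC logout request. The client registry, the default logout
// page and the sample requests are constructed for this illustration.

// Hypothetical registry: per client_id, the registered post-logout redirect URIs.
const CLIENTS = {
  'portal-app': ['https://portal.example.com/loggedout', 'https://portal.example.com/'],
  'mobile-app': ['com.example.mobile://logout'],
};
const DEFAULT_LOGOUT_PAGE = 'https://idp.example.com/idhub/loggedout.html'; // hypothetical

// True only if redirectUri is a clean absolute URI and is string-equal to one
// registered for the client. No prefix, suffix or wildcard matching, so hosts such
// as portal.example.com.evil.net or paths containing '..' never match.
function isAllowedPostLogoutRedirect(clientId, redirectUri) {
  const registered = CLIENTS[clientId];
  if (!registered || typeof redirectUri !== 'string') return false;
  let u;
  try { u = new URL(redirectUri); } catch (e) { return false; } // relative or malformed
  // Fragments and userinfo (user:pass@host) have no place in a redirect URI and are
  // classic ways to confuse looser matchers.
  if (u.hash !== '' || u.username !== '' || u.password !== '') return false;
  return registered.includes(redirectUri);
}

// Decide where the browser goes after logout: the requested URI if it is allowed,
// otherwise the IdP's own logout page. Never fall back to the attacker-supplied value.
function resolveLogoutRedirect(clientId, requestedUri) {
  return isAllowedPostLogoutRedirect(clientId, requestedUri) ? requestedUri : DEFAULT_LOGOUT_PAGE;
}

// Constructed sample: a tampered logout link that a phishing page could send a user to.
const sample = resolveLogoutRedirect('portal-app', 'https://portal.example.com.evil.net/loggedout');
```

Exact string comparison is deliberately strict: a client that registers https://portal.example.com/ and then requests https://portal.example.com (no trailing slash) is refused and lands on the IdP's page, which is the safe failure mode.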

9.0.10 Release

New Features

  • The searchable hash attribute type was added (TB-4471).

9.0.9 Release

Changes

  • Digipass: better support for escaped characters in free-text authentication and more flexible Cronto message generation.
  • RedisService: new optional service property Password.
  • OIDC: acr values are now passed along, and in the derived attribute workflow the user can choose which one applies to the current request. The array of requested acr values is available as request.acr_values; the chosen acr value must be written to request.request.acr.
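
The acr selection described above is left to the workflow author. The block below is an added example, not TrustBuilder's own workflow code, of how such a step can pick a value defensively: only the request field names (request.acr_values in, request.request.acr out) come from the release note; the acr identifiers, the support policy, the acr_matched flag and the sample requests are assumptions made for this example.

```javascript
// Added example (not TrustBuilder's own workflow code): choosing the acr for the
// current request inside a derived-attribute workflow. Only request.acr_values and
// request.request.acr come from the release note; everything else is hypothetical.

// Authentication contexts this deployment can actually satisfy (hypothetical values).
const SUPPORTED_ACRS = new Set(['urn:example:acr:digipass', 'urn:example:acr:password']);
const DEFAULT_ACR = 'urn:example:acr:password';

// acr_values may arrive as an array or, straight from the query string, as a
// space-separated string (OIDC Core 3.1.2.1); accept both.
function parseAcrValues(v) {
  if (Array.isArray(v)) return v.map(String);
  if (typeof v === 'string') return v.split(/\s+/).filter(Boolean);
  return [];
}

// The client lists acr_values in order of preference: take the first one we support.
// Values we do not know are never echoed back into the id_token. With no usable value,
// use the deployment default and report that nothing matched, so the authentication
// rule that follows can decide whether to refuse the request.
function chooseAcr(acrValues) {
  for (const acr of parseAcrValues(acrValues)) {
    if (SUPPORTED_ACRS.has(acr)) return { acr, matched: true };
  }
  return { acr: DEFAULT_ACR, matched: false };
}

// Workflow step: read request.acr_values, write the choice to request.request.acr.
function applyAcr(request) {
  const { acr, matched } = chooseAcr(request.acr_values);
  request.request = request.request || {};
  request.request.acr = acr;
  request.acr_matched = matched; // hypothetical flag consumed by the next step
  return request;
}

// Constructed sample request: the client prefers an acr this deployment does not offer.
const sampleRequest = applyAcr({
  acr_values: ['urn:example:acr:sms', 'urn:example:acr:digipass', 'urn:example:acr:password'],
});
```

Honouring the client's order rather than always picking the strongest context is what OIDC specifies; the important part for security is that an unrecognised acr is never copied into the token and that a silent fallback is visible to the rule that enforces the required level.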

9.0.8 Release

 Bug fixes

  • Missing headers in authenticated requests (TB-3951).
  • The call digipass/license/delete/<uid>/<license> did not delete the license (TB-4349).
  • A request after the inactivity timeout had been reached resulted in a Lua error (TB-4350).
  • Improved error reporting for the Digipass API (TB-4406).
  • Removed excessive error logging of connection pool timeouts (TB-4423).
  • Fixed some OIDC token issues (TB-4468).
  • MySQL log rotation did not work properly. A keep_log_days parameter was added to the database role, with a default value of 30 days (TB-4488).

Changes

  • MongoDB has been removed from the appliance (TB-4487).

New Features

  • Extended the information returned by the .well-known/openid-configuration call (TB-4373).
  • Added the possibility to specify a custom location for logback.xml with the logback_custom parameter in the orchestrator role. The logback configuration exported from TBA is then used instead of the one in webapps/idhub/WEB-INF/classes/ (TB-4374).
  • Disabled the Nginx version in the configuration, so the version is no longer shown when the default Nginx error page is served (TB-4499).

9.0.7 Release

Bug fixes

  • Tomcat kept restarting if the JVM did not have enough RAM allocated [TB-4515]
  • The API call PUT digipass/license/reinstate/<license> set all instances to the ASSIGNED state [TB-4525]
  • A user could not be deleted [TB-4534]
  • SAML artifact binding did not handle an SSL handshake exception correctly [TB-4598]

Changes & Improvements

  • Added the missing OIDC flow (act-as / multi-hop / on-behalf-of) [TB-4455]
  • OIDC logout functionality [TB-4495]
  • RedisService MasterAndSentinels [TB-4526]
  • Finish OIDC: add scopes to the access token; modify the audience in the token (9.2) [TB-4557]
  • The password policy of the user/password IDP is now loaded at startup [TB-4576]
  • Disabled the Tomcat version banner in Core and GUI [TB-4507]
  • Custom template for location 00_idhub.conf [TB-4574]

9.0.6 Release

Bug fixes

  • Fixed a problem when multiple partners use the same certificate.
  • SSL can now be set up on artifact resolution.
  • Fixed an XSS vulnerability in translations shown on public pages; both Angular-based and plain JavaScript XSS payloads are now blocked (TB-4203).
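
Translations are a common XSS sink because they are trusted content edited outside the code base and rendered into a page that, on an Angular front end, is parsed twice: once by the browser and once by the Angular interpolation engine. The block below is an added example of the two-layer encoding that closes both paths; it is not TrustBuilder's fix, and the translation table, the tampered entry and the page template are constructed for the illustration.

```javascript
// Added example (not TrustBuilder's fix): encoding a translation string so that it
// can neither inject HTML/JavaScript nor be evaluated as an AngularJS expression when
// placed in a text node of an Angular-rendered public page. Translation table and
// payloads are constructed for this illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Layer 1: HTML-entity-encode so the browser never parses the value as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Layer 2: break AngularJS interpolation delimiters. Entity encoding alone does not
// help here: Angular reads the already-decoded text node, so '{{' would still be
// evaluated. A zero-width space between the braces is invisible to the user but
// stops the interpolation scanner from matching.
function breakInterpolation(s) {
  return s.replace(/\{\{/g, '{\u200b{').replace(/\}\}/g, '}\u200b}');
}

function encodeTranslation(s) {
  return breakInterpolation(escapeHtml(s));
}

// Hypothetical translation table, where the 'error' entry has been tampered with:
// a classic HTML payload followed by an AngularJS sandbox-style expression.
const translations = {
  en: {
    welcome: 'Welcome back',
    error: '<img src=x onerror=alert(1)>{{constructor.constructor("alert(2)")()}}',
  },
};

// Vulnerable rendering: raw concatenation of the translation into the page template.
function renderUnsafe(key, lang = 'en') {
  return `<p class="msg">${translations[lang][key]}</p>`;
}

// Hardened rendering: same template, encoded value.
function renderSafe(key, lang = 'en') {
  return `<p class="msg">${encodeTranslation(translations[lang][key])}</p>`;
}

// Check that the text between the template tags contains neither markup characters
// nor an intact interpolation delimiter.
function isNeutralized(html) {
  const inner = html.replace(/^<p class="msg">|<\/p>$/g, '');
  return !/[<>]/.test(inner) && !/\{\{|\}\}/.test(inner);
}
```

The cleaner long-term fix is to keep translations out of Angular-interpolated templates altogether (for example by binding them as text or marking the element ng-non-bindable), but when strings must pass through an interpolated template, encoding for both parsers is the minimum.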

9.0.5 Release

Bug Fixes

  • Fixed the orchestrator after an update from 9.0.3 to 9.0.4 (TB-4419)

9.0.4 Release

New Features

  • Added fields to AuthenticationRequest that are mandatory for DigiD (TB-4252)
  • New functionality for Digipass MDL (TB-3574)
  • Added a last-used date for Digipass instances with MDL (TB-4391)
  • Map the subject to a user attribute (TB-4277)

Bug Fixes

  • SAML issue where partnerentityid was not provided to the IDP (TB-4244)
  • Warning on an empty header in the nginx error.log (TB-4300)
  • Session header was cleared on an azn cache hit (TB-4404)
  • Loading screen was scrambled in a new version of Chrome (TB-4297)
  • REQUEST_SIGNATURE error (TB-4263)

9.0.3 Release

Bug fixes

Digipass

Upload of a DPX file (TB-4259).

Gateway

Lua error when the orchestrator is accessed through SSL (TB-3570).

Changes

The query parameters passed to the IDP selection page have changed slightly: "authmethod" became "authnmethod".

For example: 

/idhub/login.html?code=653bffff-88b4-40af-b7a1-258f22f99f7a&comparison=minimum&authmethod=2

became

/idhub/login.html?code=653bffff-88b4-40af-b7a1-258f22f99f7a&comparison=minimum&authnmethod=2

9.0.2 Release

New features

Admin portal

SP locations are now case sensitive (TB-4188).

Digipass

New REST call to return a Digipass activation code as a string rather than QR code (TB-4150).

OpenID

The OIDC token request by refresh token now also returns an id_token (TB-4111).

SmtpAdapter

SMTP adapter requests now support custom (single-valued) headers (TB-3905).

Bug fixes

Admin portal

Authentication rules for requests of type public_web were needlessly triggered by the application rules, which in certain scenarios could result in an erroneous "access denied" response (TB-4156).

Digipass

Validating a Digipass OTP by principal failed if the token had multiple applications (TB-4183).

The "last used date" field was not properly updated for MDL tokens (TB-4198).

Gateway

Browsers could drop the X-TB-CREDENTIAL cookie because of size limits, resulting in a loop during login (TB-4110).

In certain cases the original content-type and accept headers could be forgotten (TB-4223).

HttpAdapter

The getResponseBodyAsBase64 JS function called an invalid method on HTTP adapter responses (TB-4140).

PacGenerator

The DER octet string generated for a UUID could have wrong padding (TB-4152).

Security

A cross site scripting issue was fixed (TB-4203).

STS component

Loading the STS component failed after restart of TrustBuilder (TB-4171).

9.0.1 Release

New features

Digipass

Added support for larger cronto images.

9.0 Release

Released in June 2017.

New Features

Admin portal

The algorithm and salt settings of a user attribute of data type Hash are now editable.

Digipass

An undo option has been added to undo a DPX file upload.

Gateway

Extended and improved debug logging.

Several enhancements were made to the ansible installation scripts.

HttpAdapter

The HTTP adapter now supports SNI.

The subject CN of the certificate presented in the SSL session must match the host name defined in the host configuration of the HTTP adapter; that host name is also what is sent in the SNI extension.

OpenID Connect / OAuth2 endpoints

A new OpenID Connect / OAuth2 service supports the following endpoints:

  • Authorization endpoint (OAuth2 / OpenID Connect). Clients use this endpoint to start the authentication process. If successful, the result is either an access token (implicit grant) or an authorization code to be exchanged for an access token (code grant).
  • Token endpoint (OAuth2 / OpenID Connect). Exchanges an authorization code for an access token. May also be used to issue an access token for client credentials grants.
  • User info endpoint (OpenID Connect). Returns claims about the authenticated user.
  • Token revocation endpoint. Invalidates a token, and possibly other tokens based on the same authorization grant (and the grant itself).
  • Token introspection endpoint. Returns information about, and the status of, a token.
  • OpenID Configuration endpoint (OpenID Connect Discovery). Returns the metadata of the OpenID Connect IDP.
  • JSON Web Key endpoint (OpenID Connect Discovery). Returns the signing certificate used to verify JWT signatures.

Scopes are linked to attributes.

SAML2 ACS endpoint

The ACS endpoint contains basic support for SAML2 artifact resolution.

Bug fixes

Admin portal

Constructing a filter for enum values with multiple rules (TB-3593).

Digipass

Unblocking a blocked user (TB-3840).

Date of upload format (TB-3923).

HttpAdapter

Handling of the connection pool size (TB-3798).

LdapAdapter

Logging of LDAP authentication failures (TB-3825).

Installer

Special characters allowed in root administrator password (TB-3936).

Gateway

Nginx configuration resulting in an incorrect x-forwarded-for header.

403 error when logging in as Administrator in the selfservice portal and trying to access the admin portal.

Regeneration of session cookies when authenticating users.

'LOGOUT_INCORRECT_INRESPONSETO' error when trying to logout after being denied access to the admin portal.

Redundant CRED entries for the same user in Redis during the cleanup phase.

RadiusService

Access to incoming multi-valued attributes in TrustBuilder workflows (TB-3791).

Format of vendor-specific binary response attributes (TB-3791).

SAML component

SLO problem (TB-3801).

Using the same partner as SP and IDP with same ID (TB-3877).

SAML endpoint

Handling of SAML signature validation (TB-3992).

TBA

Import of workflows without layout files (TB-3887).

Missing override values in SAML component (TB-3804).

Default port (TB-3624).

Security

Several third-party libraries were upgraded (TB-3803).

Encryption of settings and saved override properties (TB-3863).

Gateway updates

Tomcat was upgraded from 8.0 to 8.5.

Preparation

These are the updated TrustBuilder RPMs for this release:

  • tomcat-core-8.5.15-364.noarch.rpm
  • tomcat-gui-8.5.15-364.noarch.rpm
  • trustbuilder-all-9.0.0-17.noarch.rpm
  • trustbuilder-appliance-9.0-364.noarch.rpm
  • trustbuilder-core-9.0.0-17.noarch.rpm
  • trustbuilder-crl2db-9.0.0-17.noarch.rpm
  • trustbuilder-gateway-20170616140333-1.x86_64.rpm
  • trustbuilder-gateway-debuginfo-20170616140333-1.x86_64.rpm
  • trustbuilder-gui-9.0.0-17.noarch.rpm
  • trustbuilder-release-9.0-364.noarch.rpm
  • trustbuilder-userportal-20170616140329-1.noarch.rpm

Before starting the upgrade, make backups. If you are using VMware you can create a snapshot; alternatively, do a manual backup as described in the Backup section.

Make sure that the backup database user's password is not expired before performing an upgrade.

Backup

Create a folder to hold your backups on every node:

mkdir -p /opt/trustbuilder/release-backup

On the gateway node(s):

Go to the instances folder; it contains one or more instances. Back them up with the following command:

tar zcvf /opt/trustbuilder/release-backup/gw-instances-$(date +%d-%m-%Y).tgz --exclude .git --exclude logs /opt/trustbuilder/gateway/instances

On the orchestrator node(s):

Copy following files to the backup folder:

  • /opt/trustbuilder/tomcat-core/conf/server.xml
  • /opt/trustbuilder/tomcat-core/conf/context.xml
  • /opt/trustbuilder/tomcat-core/conf/Catalina/conf/<<nodename>>/*

On the repository node(s):

Since the 8.2 release, a backup database is created and updated automatically. If you nevertheless want to create a database backup prior to upgrading, use the following command:

mysqldump --all-databases --single-transaction > database-backup-$(date +%d-%m-%Y).sql

Installation

Although the installation stops services when needed, it is recommended that you stop all TrustBuilder services yourself first.

On the gateway node(s):

  • sudo systemctl stop tb-gw-<<instance_id>>
  • sudo systemctl stop tb-gw-<<instance_id>>-sessionstore
  • sudo systemctl stop tb-gw-<<instance_id>>-sessionstore-sentinel

On the orchestrator node(s):

  • sudo systemctl stop tomcat-core

On the repository node(s):

  • sudo systemctl stop mysql

On the admin node (the node that runs TBA):

  • sudo systemctl stop tomcat-gui

To start the installation of the TrustBuilder update do the following steps.

On the node that runs the ansible playbook (e.g. the admin node), execute:

  1. sudo yum update trustbuilder-appliance (this should update to 9.0.0)
  2. cd /opt/trustbuilder/appliance/config
  3. change cluster.yml with the necessary changes described above
  4. run ansible-playbook -v your-config.yml

In rare cases the gateway service will not start. The root cause can be found with the following command:

sudo systemctl status tb-gw-default

Fix any errors manually, then rerun the ansible playbook.

If everything runs correctly TrustBuilder should be up and running.

All that is left is to update the database schema of idhub. You can do this by accessing https://your-hostname/idhub/install

Known issues

  • Tomcat complains about an unsupported MessageDispatch15Interceptor during startup.
    This can be solved by editing the template and replacing it with MessageDispatchInterceptor
    (hotfix published).
  • The mysql_backup account may be locked because its password has expired. This can be fixed with the following command, which changes the expiry settings:

    sudo chage -M 99999 -m 99999 mysql_backup

  • Uploading Digipass DPX files might fail; uploading the file a second time appears to work around this.