Nexus Documentation Archive

Space shortcuts

Page tree

Are you looking for the latest documentation for the current versions of Nexus' products?

Go to current DOC.>>

Version: 21.04.2

Release Date: 2021-09-14

The Smart ID 21.04.2 release provides updates in Identity Manager, Self-Service, Digital Access and Physical Access. Messaging provides minor improvements and bugfixes only. All components also provide several bugfixes and library updates to ensure high quality and security.

Smart ID compatibility

Smart ID 21.04.2 is compatible with the following component versions: 

Components

Version
21.04.2

Smart ID Digital Access

6.0.7 (included in Smart ID 21.04.2)

Smart ID Messaging

3.1.4 (included in Smart ID 21.04.2)
Nexus Card SDK5.8 or 5.9
Smart ID Certificate Manager8.3

Smart ID Desktop App

1.6.0

Smart ID Mobile App

5.4.1 iOS and 5.5 Android

Smart ID Mobile SDK

3.1.0 iOS and 2.3.1 Android
Nexus Personal Desktop Client5.7.1

Related information

Detailed feature list

Features

Jira ticket noDescriptionDigital AccessIdentity Manager & Self-ServicePhysical AccessMessaging
CRED-10812

Improved ActivitiCleaner performance

By adding additional DB indices, the performance of the ActivitiCleaner is improved. Especially when running on large databases.


X

CRED-10835

Allow override of predefined filters in search task

When using a search config that contains predefined filter values in the "Execute Search" service task, it is now possible to override the predefined values with new values in the service task. 


X

CRED-11249

Support for certificates with multi-value SAN attributes for login

Improved certificate-based login implementation. It is now possible to log in with certificates that have a multi-value SAN attribute, for example, multiple email addresses or multiple User Principal Names (UPNs), in the certificate. The login process will iterate through the values until one has a unique match to a user.


X

DA-573

Ansible way of deployment for Digital Access

It is now possible to deploy a fresh instance of Digital Access using Ansible in RHEL 8 with Podman as the containerization tool. See here for more information: Deploy Digital Access on RHEL 8 using Ansible and Podman.

X


IDC-1825

Flag added to log SCIM API requests

A flag (PA_DEBUGLOG) has been added to log SCIM API requests to help debugging if an Identity Manager request is not correct. By default this flag is set to False so that it doesn’t log all the request data when not necessary. The flag is defined in the smartid.env file. Set the flag to True if required.



X


Corrected bugs

Jira ticket noDescriptionDigital AccessIdentity Manager & Self-ServicePhysical AccessMessaging
DA-21

In case of SAML, if the users logged after a certain time period, they where redirected to the access point portal instead of to the SP resource. This has now been fixed.

X


DA-163

Added connection timeout and read timeout for BankID and Freja eID. 

The default values can be modified by setting the java properties:

  • Dcom.httpclient.connection.timeout=2000
  • Dcom.httpclient.readwrite.timeout=5000
X


DA-193

Fixed Null pointer exception when doing SAML authentication with forceAuthn enabled.

X


DA-522Fixed Null pointer exception when user session does not exist.X


DA-532

Due to a thread crash, session cleanup activity gets interrupted in the policy service and eventually all the limit of concurrent session got exhausted. Fixed the null pointer exception in timer manager thread.

X


DA-535Sign message for SAML request is now getting passed to IDP when Digital Access acts as a proxy.X


DA-598Fixed the null pointer exception when Hermod gives a callback to Digital Access for expired profile.X


DA-466Added missing security headers in access point, admin, policy and distribution services. Added CSP header to be configurable.X


DA-418Updated online help for SAML "Use latest used authentication method".X


IDC-1843

EntitlementAssignment gets deleted when the same entitlement assignment is deleted and added again. This has been fixed.



X

IDC-1856

Filters on groups were not working as expected. This has been fixed.



X
CRED-10280

Improved error handling in BPMN History cleanup. When an error occurs, the cleanup job will no longer be interrupted. Instead it will continue with the rest of the cleanup.


X

CRED-10535

When creating new records via the (client-side) CSV import task, the object history entries were not always updated. This has been fixed.


X

CRED-10693

Fixed an issue when adding Expressions, (for example OR or RegEx), dynamically via a data map into an unequal filter in the search config.


X

CRED-10798

When uploading CSV files on the client-side via the upload button, empty lines in the CSV files were misinterpreted and this could lead to wrong results in the system. This has now been fixed by ignoring empty lines.


X

CRED-10833

When running the ActivitiHistoryCleaner background job, open "CallActiviti" instances was missed. This has now been fixed by including the CallActiviti instances in the clean-up.


X

CRED-10932

Fixed an issue when executing multi-level searches in batch orders.


X

CRED-10977

Fixed an issue when enrolling certificates on mobile app or Virtual Smart Card (VSC) in combination with Microsoft ADCS (missing key size parameter). 


X

CRED-11001

When doing concurrent Smart card production in multiple Identity Manager Operator clients, the system could run into an error due to concurrency. This has been fixed.


X

CRED-11022

Fixed an issue when validating date fields with "not before" condition in user forms.


X

CRED-11053

Fixed an issue about authentication profiles in the Identity Manager (IDM) migration tool.


X

CRED-11058

When logging in with SAML, the IP address of the client was not added to the user context, as it is done for other authentication profiles. This has been fixed. Now the client IP address is also available with SAML.


X

CRED-11071

Fixed logging in Microsoft ADCS PKI connector when getting concurrent requests.


X

CRED-11087

The searches behind search buttons got executed immediately in Smart ID Self-Service. This could cause issues when getting large search results. This has been fixed. Now the search needs to be executed manually by the user, to enable filter criteria to be entered and thereby limit the search results.


X

CRED-11243

Smart ID Self-Service always showed binary objects as if they had content, even if an object was empty. This made it impossible to differentiate between binary fields with and without content in the Smart ID Self-Service UI. This has now been fixed.


X

PMOB-3177

Keep-a-live is set in seconds in the configuration, but must be returned in milliseconds in the code. This was not working correctly and is now fixed.




X
PMOB-3178

Configuration refresh using the actuator/refresh endpoint and remote HermodCfgServer polling at the same time was not working. This is now fixed.




X
PMOB-3183

Handling job distribution when scaling down number of instances from 2 to 1 was not working in a correct way. This is now fixed.




X

Release announcement

Only Docker deployment is supported for the Smart ID components Identity Manager, Physical Access, Digital Access and Messaging. For full instructions, see 21.04.2 - Deploy Smart ID.

From Smart ID 20.11 and on, components now only have the Smart ID version number and not the different component version numbers. For information on previous releases, see Nexus Documentation Archive.

For details on the updated Smart ID configurations and deployment configurations, see here: 

--



Smart ID deployment configuration release note
All notable changes to this project will be documented in this file. Be aware that the [Unreleased] features are not yet available in the official tagged builds.

## [Release 21.04.2-2021-09-13]
 
### Added
 
- HTTPS support for Physical Access integra. [DEVOPS-1211]
- Environment variable to control debug logging in Physical Access SCIMAPI. [DEVOPS-1211]
 
### Changed
 
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Change Import Logger to correct class. [DEVOPS-1143]
- RabbitMQ now uses external docker image. [DEVOPS-1211]

## [Release 21.04.1-2021-07-02]

### Changed
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Updated SmartID version to 21.04.1

### Removed
- Removed Self-Service config.json file. [DEVOPS-945]
- Removed hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-06-10]

### Added
- Added some Let's Encrypt root certificates. [DEVOPS-971]

### Changed
- Fixed some copy issues in the init-smartid.sh script.
- Changed the default selfservice config to include auth methods params example.
- Update Language files for IDM. [DEVOPS-1067]

### Removed
- Removed expired Let's Encrypt certificates. [DEVOPS-971]

## [Release 21.04.0-2021-05-28]

### Added
- Added new Let's Encrypt cert. [DEVOPS-946]
- Added hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-05-20]

### Added
- Default values for Selfservice tenant id and instance id. [DEVOPS-738]
- Added example format for MSSQL everywhere we build the DB URL (`${DBHOST}/${XX_DB_NAME}`) because MSSQL requires a different URL format. [DEVOPS-737]
- Include SANs from CSR in bootstrap TLS cert in `bootstrap/conf/ca.conf`.
- Generate tls certificate for non-treafik setup in `bootstrap/createca.sh`.
- Log4j2 config and template for json layout [DEVOPS-758]
- Datadog agent compose file, with some examples, see nexus and datadog documentation if you want to use it [DEVOPS-759]
- Added a check in `init-smartid.sh` that exits the script if user didn't fill the mandatory properties in `smartid.env` (thoose with <XX> value pattern). [DEVOPS-759]
- Added Physical Access Interflex PACS. [DEVOPS-752]

### Changed
- IDM DB will no longer be initialized through init-smartid.sh script. Initialisation has to be done manually by starting container in identitymanager/updatedb. [DEVOPS-739]
- Rename containers to use dash instead of underscore, so containerName can work for DNS lookup (underscore is not allowed in DNS names).
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align idm update db naming to use the name "updatedb" everywhere
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align digital access directory names with service names
- fix bootstrap cert folder permissions in init script
- Changed all HERMOD_* properties to MESSAGING_*. [DEVOPS-751]
- Moved each component's respective config into their own config folder. [DEVOPS-751]
- Made all volume mappings static in compose file, no more properties. [DEVOPS-751]
- Reorganized smartid.env to be split by component, making it easier to find component related properties. [DEVOPS-751]
- Internal ports (inside docker) are now static in the compose file. [DEVOPS-751]
- Moved postgres related properties outside smartid.env, because it is a separate tool not meant for production. [DEVOPS-751]
- Renamed service names in compose files to match their container name. [DEVOPS-751]
- Changed traefik version to 2.4.8. [DEVOPS-638]
- Changed file extension of generated certificates from `.base64` to `.cer`.
- Updated translation files for IDM. [DEVOPS-761]
- Updated Messaging config for 21.04 (Hermod version 3.1.1). [DEVOPS-802]
- Changed chmod command to give permission 700 instead of 600, because hermod needs execute permission.
- Updated SmartID version to 21.04

### Fixed
- Fixed typos in the strings that are echoed to the user during the initialisation. [DEVOPS-646]

### Removed
- Removed unused properties in smartid.env. [DEVOPS-751]
- Removed unused ports for Physical Access. [DEVOPS-752]
- Removed Physical Access config files. Configuration is now handled using environment variables. [DEVOPS-752]
- Removed TZ from all docker-compose files. Since it is set in `smartid.env` which is mapped using `env_file`, declaring the variable a second time in `env` was not necessary.

## [Release 20.11.2-2021-03-22]

### Added
- If you say Yes to the question if Digital Access shall be deployed in the host, it will make it possible for the containers to listen on 80 and 443. [DEVOPS-540]

### Changed
- Bump SmartID version to 20.11.2
- Updated IDM translation files with newer ones. [DEVOPS-561]
- Adjust volumes for hermod certificates. [DEVOPS-651]
- Removed Selfservice hotfixes introduced in previous release. [DEVOPS-626]

### Fixed
- Fixed tenant startup by removing mapped sign encrypt configuration, so it uses the default one from inside the container. Since IDM Tenant uses less certificates, the same config as IDM operator or admin cannot be used.[DEVOPS-640]
- Fixed the copy_files.sh script used in IDM operator, admin and tenant [DEVOPS-692] + [DEVOPS-656]

## [2020.11.1-2021-02-18]
 
### Added
- Added issuing and root CA certificates to IDM containers for config signing (These certs should NEVER be used for production). [DEVOPS-549]
- Added hotfix for SelfService -> IDM connection [DEVOPS-626] Has to be removed with 20.11.2+.
 
### Changed
- Update sign-encrypt engine to the newest state. [DEVOPS-549]
- Update version number to 20.11.1


## [Release 20.11.0-2020-12-22]

### Added
- Added support for selfservice branding. [DEVOPS-471]
- Added log4j volume mapping for idm containers. [DEVOPS-470]

### Changed
- Updated traefik version to 2.3.4 [DEVOPS-464]
- Renamed selfservice container from "idm_selfservice" to "selfservice".
- Renamed all environment variables starting with "IDM_SELFSERVICE_x" to "SELFSERVICE_x".
- Changed Hermod config to disable by default some end-points and to hide sensitive data in logs. [DEVOPS-484]
- Improved the `stop-smartid.sh` script to handle dynamically all docker-compose stop commands and to work regardless of where the script is called from.
- Improved the `init-smartid.sh` script to work regardless of where the script is called from.
- Improved the `createca.sh` script to work regardless of where the script is called from.
- Renamed `idm-selfservice-language.json` to `idm-selfservice-config.json`.

### Fixed
- Fixed volume mapping for selfservice tomcat server.xml by using a separate variable than identitymanager.
- Fixed French translations for IDM and Selfservice.


## [Release 20.11.0-2020-12-07]

### Added
- Added `postgres/init/init-smartid-databases.sql` so that Physical Access database is created when starting up postgres. The "pauser" is created, and a default password is set.
- Added LE CA Certificate to cacerts. [DEVOPS-455]
- Added AJP port variables in smartid.env and use them in identitymanager docker-compose files. Also added AJP Connector in `config/idm-tomcat-server.xml`, which has to be enabled manually (and port set accordingly). [DEVOPS-348]
- Add following new features to the identitymanager docker-compose files: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new system properties environment variable
  - Support for new DB properties environment variables
  - Support for new spring bean volume mapping. See `IDM_VOLUME_PATH_SPRING` in `smartid.env`.
  - Support for new jars volume mapping. See `IDM_VOLUME_PATH_LIBS` in `smartid.env`.
  - Support for new class files volume mapping. See `IDM_VOLUME_PATH_CLASSES` in `smartid.env`.
- Add following new features to the selfservice docker-compose file: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new IDM url environment variable
- Added adminer as tool [DEVOPS-407]
- Added maxVersion for TLS to be 1.2 due to compatibility issues with some mobile devices. [DEVOPS-413]

### Changed
- Changed smartid version to 20.11.0.
- Moved "/certs/boostrap" to "/boostrap".
- Changed postgres version in smartid.env from 9.6.18 to 12.5. [DEVOPS-431]
- Split identity manager containers into their own docker-compose files: [DEVOPS-382]
  - Added `identitymanager/admin/docker-compose.yml`
  - Added `identitymanager/tenant/docker-compose.yml`
  - Added `identitymanager/init-db/docker-compose.yml`
  - Added `identitymanager/operator/docker-compose.yml`
- Adapted `init-/stop-smartid.sh`, and paths inside `smartid.env` and some docker-compose files to fit new docker-compose yaml files. [DEVOPS-382]
- Change the ini-smartid.sh script to ask if traefik is going to be used as Ingress/proxy. [DEVOPS-408]
- Changed in `config/hermod-conf.yml` some values to <IDM-HOST-HERE> and <DA-HOST-HERE> on client samples.

### Removed
- Removed MSSQL from deployment package, since Physical Access now support postgres. [DEVOPS-448]
- Removed unnecessary variables in `smartid.env`.
- Removed identitymanager compose docker-compose file. [DEVOPS-382]
- Removed entrypoint definition from identitymanager docker-compose files. [DEVOPS-406]
- Removed pgAdmin and portainer and its variables from smartid.env. [DEVOPS-407]
- Removed modern and old options for tls in `config/traefik/traefik-tls.yml`. [DEVOPS-413]
- Removed TRAEFIK_TLS_OPTION from smartid.env. [DEVOPS-413]
- Removed identitymanager spring beans because we changed how handle them.
- Removed samples.


## [Release 20.06.1-2020-10-27]

### Added
- Added port forwarding to hermod container in the messaging docker-compose file.
- Added spring bean files for identitymanager in `config/idm/spring_operation` and spring_admin. 
- Added translation files for identitymanager in `config/idm/translation_id`m and for selfservice in `config/idm/translation_selfservice`.
- It is now possible to enable Strict SNI using TRAEFIK_TLS_STRICTSNI=true

### Changed
- changed smartid version to 20.06.1.
- Changed HERMOD_DOMAIN_PREFIX from "mb" to "messaging".
- Changed the DB init/update script behavior, can be controlled with `IDM_DBUPDATE_SCRIPT` in smartid.env.
- Changed `traefik-tls.toml` file to YAML and used variables from .env file. Possibility to change TLS certificate file names TRAEFIK_TLS_DEFAULT_CERTIFICATE and TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY.
- Improved the `init-smartid.sh` script.
- Moved seflservice to a separate docker-compose file.

### Fixed
- Fixed the jdbc url for `config/da-admin-customize.conf`.

### Removed
- Dropped `restart: always` for identittymanager init-db.
- Removed explicit DBHOST naming in `smartid.env` to force user to set its own value.


## [Release 20.06.0-2020-09-28]

### Added
- Added possibility to add custom-beans for IDM Operator and Admin, in `config/idm`.
- Added possibility to change translation for IDM Operator, Admin, Selfservice and Tenant.
- Added IDM_DB_QUARTZ example for MSSQL, Oracle and DB2.
- Added `container_name` for all containers in:
  - identitymanager/docker-compose.yml
  - traefik/docker-compose.yml
- Added docker hostname for postgresdb DB_HOST in `postgres/docker-compose.yml`, this will make test deployment work from start.
- Added docker hostname for mssqldb PA_DB_HOST in `mssql/docker-compose.yml`.
- Added `restart: always` to all containers. All containers will the start up after re-boot, if they have been started once before.
- Included SAML example files for IDM in `/samples/idm_saml`.

### Changed
- Changed smartid version to 20.06.0.
- Changed explorer/operator url in `idm-selfservice-application.yml`.
- Changed location of Identity Manager SAML samples files from `/docker/compose/examples` to `/samples/idm_saml`.
- Updated `init-smartid.sh`:
  - Now check if docker and docker-compose are installed, if not the script will exit.
  - Now asks if the deployment is a production deployment, if "Yes", the script will complete and deployment configuration can be done. If "No":
    - Ask if postgres and/or mssql shall be deployed and started.

### Fixed
- Moved comments in `smartid.env` file to be on a separate line instead of behind the value. This was breaking the applications since comments would be evaluated as part of the value.
- Fixed `init-smartid.sh` so that it works properly on CentOS.
- Fixed a typo for variable `IDM_DB_QUARTZ`.
- Fixed typo in idm-operator container in `identitymanager/docker-compose.yml`, in the path to the castore.jks.

## Removed
- Removed `init-smartid-test.sh`, it is included in init-smartid.sh.

Known issues

Jira ticket noDescriptionDigital AccessIdentity Manager & Self-ServicePhysical AccessMessaging
DEVOPS-1230

copy_files script is broken in 21.04.2

When restarting Identity Manager Admin or Identity Manager Operator, the container won't be able to restart and log an error "java.nio.file.FileAlreadyExistsException". The workaround in this case is to recreate the container instead of just restarting it. This can be achieved by running the command "docker-compose up -d --force-recreate".


X

Contact

Contact Information

For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/

Support

Nexus offers maintenance and support services for Smart ID components to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.

© 2023 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions