
Version: 5.12

Release Date: 2018-05-07

Introduction

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.12. 

Main new features

OATH authentication with Google Authenticator et al

The OATH authentication method in Hybrid Access Gateway now supports software tokens such as Google Authenticator or Microsoft Authenticator. The administrator can issue a new software token based on predefined OATH providers for TOTP and HOTP. In addition, the end user is able to issue software tokens via self-service. With Personal Mobile 3.7 or higher, Nexus provides its own implementation of OATH as a software token.

Authentication with Freja eID

Hybrid Access Gateway now supports authentication with the Freja eID service in version 1.0. Users can authenticate with their email address or, if available, their Social Security Number (SSN). With the introduction of Freja eID, Hybrid Access Gateway now supports three different Swedish eIDs: (Mobilt) BankID and Freja eID over a native interface, and AB Svenska Pass over SAML.

Authentication with Personal Mobile certificate

Besides raw keys, Personal Mobile also supports profiles with certificates. In this case the certificates are issued by a CA such as Nexus Certificate Manager. Hybrid Access Gateway now supports authentication with these certificates without needing to know the user or the user name beforehand.

Detailed feature list

Features

JIRA ticket no. | Description

HAG-595

Improvement of group management

Assign authentication methods to groups
Hybrid Access Gateway now makes it possible to assign new authentication methods to already existing users. Previously, authentication methods could only be assigned automatically to new users, not to already existing users.

The user linking was therefore extended with an "Update already linked users" function, including user linking based on groups.

The new feature provides a list of authentication methods that can be enabled for the selected users. With this list the administrator can choose which authentication methods are enabled or disabled for the existing users.

Make reports based on groups
It is now possible to generate reports based on groups, not only on users. A list of groups can be supplied; all users belonging to these groups are then included in the report.

HAG-825

OATH authentication with Google Authenticator et al
The existing OATH authentication method was extended to support software tokens such as Google Authenticator or Microsoft Authenticator. Instead of uploading a PKCS file, the administrator can now issue a new software token based on predefined OATH providers for TOTP and HOTP. In addition, the end user is able to issue software tokens via the self-service.

With Personal Mobile 3.7 or higher, Nexus provides its own implementation of OATH as a software token. More information about Personal Mobile can be found on Nexus Doc.

Based on the settings, a QR code is generated and either sent out via email or displayed on screen. The end user then scans the code with an OATH-compliant software application (such as Google Authenticator) to provision the corresponding profile.

Hybrid Access Gateway's TOTP and HOTP server functionalities are certified by the OATH Certification Compliance Program (OCCP).

Further information and setup instructions are available on Nexus Doc.
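To show what the provisioned software token actually computes and what the QR code carries, here is an added Go example (not code from the page or from Nexus): RFC 4226 HOTP, RFC 6238 TOTP, a verifier that tolerates one step of clock drift and compares in constant time, and the otpauth:// URI an authenticator app reads from the QR code. The issuer and account label are sample values chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"net/url"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// totp implements RFC 6238: HOTP with the counter set to the number of period-second steps since the Unix epoch.
func totp(secret []byte, unixSeconds, period int64, digits int) string {
	return hotp(secret, uint64(unixSeconds/period), digits)
}

// verifyTOTP accepts the current step and one step either side (clock drift); every candidate is compared in constant time and the loop never returns early, so timing does not reveal which one matched.
func verifyTOTP(secret []byte, code string, unixSeconds, period int64, digits int) bool {
	ok := false
	for skew := int64(-1); skew <= 1; skew++ {
		want := totp(secret, unixSeconds+skew*period, period, digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// provisioningURI is the otpauth:// text the QR code carries; authenticator apps expect the secret as unpadded base32 (defaults: SHA1, 6 digits, 30 s).
func provisioningURI(issuer, account string, secret []byte) string {
	q := url.Values{}
	q.Set("secret", base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret))
	q.Set("issuer", issuer)
	q.Set("algorithm", "SHA1")
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}
```

The secret used in the checks is the RFC 4226/6238 test-vector secret, so the expected codes can be compared against the RFCs directly.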

HAG-900

Run auto-vacuum for internal database every night
With HAG 5.12.0 a cron job (/etc/cron.d/vacuum-hag) has been introduced that is scheduled at midnight every day. The cron job invokes a script which, if the postgres service is running, starts a full PostgreSQL autovacuum to clean up dirty indexes and tables.

The execution time can be changed in the file /etc/cron.d/vacuum-hag using crontab format.

HAG-905

Additional message parameters for SMS OTP
With HAG 5.12, additional parameters can be sent out in the Mobile Text SMS.

In addition to the OTP itself, the administrator can now configure the Mobile Text authentication method in Hybrid Access Gateway with an additional message parameter: the Display Name of the user who receives the OTP can be added to the text containing the OTP.

Example: using this feature, Hybrid Access Gateway could send out a message such as:

The Invisible token OTP 55XxfWX7 for user1 is valid 60 seconds from Wed Sep 20 16:37:44 IST 2017

HAG-948

Configurable SAML digest and signature method
It is now possible to change the digest and signature method for SAML request and response.

In case of a response, Hybrid Access Gateway checks the SAML metadata for a method extension. Based on the order of the entries in that extension, Hybrid Access Gateway selects the preferred method automatically. If no such data is provided in the metadata, the method can be configured manually in the administration interface.

For responses, the method can also be selected manually in the administration interface.
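As an added illustration of the metadata-driven selection described above (example code, not Hybrid Access Gateway's own), the following Go snippet parses the SAML V2.0 Metadata Profile for Algorithm Support extension (assumed to be the "method extension" the page refers to), walks the entries in document order and returns the first one the gateway supports, falling back to the manually configured method only when the metadata carries no list at all. The sample metadata and the allow-list are constructed here.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// algMethod is one <alg:DigestMethod> or <alg:SigningMethod> entry; document order is the order of preference.
type algMethod struct {
	Algorithm string `xml:"Algorithm,attr"`
}

// entityDescriptor keeps only the algsupport extension (namespace-qualified so other extensions are ignored).
type entityDescriptor struct {
	Extensions struct {
		Digest  []algMethod `xml:"urn:oasis:names:tc:SAML:metadata:algsupport DigestMethod"`
		Signing []algMethod `xml:"urn:oasis:names:tc:SAML:metadata:algsupport SigningMethod"`
	} `xml:"Extensions"`
}

func parseMetadata(doc string) (*entityDescriptor, error) {
	var ed entityDescriptor
	err := xml.Unmarshal([]byte(doc), &ed)
	return &ed, err
}

// pickMethod returns the first algorithm in the peer's preference list that this gateway supports. An absent list means the metadata says nothing, so the manually configured method applies; a list with no supported entry is an error rather than a silent downgrade (that last rule is this example's own choice).
func pickMethod(preferred []algMethod, supported []string, manual string) (string, error) {
	if len(preferred) == 0 {
		return manual, nil
	}
	for _, p := range preferred {
		for _, s := range supported {
			if p.Algorithm == s {
				return s, nil
			}
		}
	}
	return "", fmt.Errorf("metadata lists %d method(s), none supported", len(preferred))
}

// sampleMetadata is a constructed SP descriptor that prefers SHA-256 but still lists SHA-1.
const sampleMetadata = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" entityID="https://sp.example.test">
  <md:Extensions>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </md:Extensions>
</md:EntityDescriptor>`
```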

HAG-985

Name of PM provisioning request was changed to Display Name
Instead of sending a fixed value in the name field of the Personal Mobile provisioning request, the request now contains the display name of the corresponding user.

HAG-1020

Authentication with Personal Mobile certificate

Besides raw keys, Personal Mobile together with the Hermod server also supports profiles with certificates. In this case the certificates are issued by a CA such as Nexus Certificate Manager. Hybrid Access Gateway now supports authentication with these certificates without needing to know the user or the user name beforehand.

Hybrid Access Gateway sends the authentication request to the Hermod server, which is responsible for performing the authentication with Personal Mobile. After successful authentication, Hermod sends back the certificate from the profile. Similar to the certificate authentication method, Hybrid Access Gateway then matches the certificate data to a specific user and logs that user in.

For this function it is not required that Hybrid Access Gateway itself issues the Personal Mobile profiles used for authentication. This may be done by an external application such as Nexus PRIME, which provisions Personal Mobile profiles via the Hermod server.

Using Personal Mobile with raw keys is still supported. In this case the Hybrid Access Gateway instance performing the authentication must be the one that issued the Personal Mobile profile being used.

It is thus still possible for an instance of Personal Mobile on a mobile device to hold both a profile with raw keys belonging to a provisioning Hybrid Access Gateway and a profile with certified keys belonging to an issuing CA/RA, for example CM/PRIME.

Customers who use Personal Mobile today need to deploy the Hermod Message Server in their own environment before upgrading to Hybrid Access Gateway 5.12 in order to continue using Personal Mobile authentication. Contact Nexus for support.

HAG-1021

Assessment feature available for web resources
The Assessment feature is now also available for web resources. A resource protected by an Assessment access rule is displayed in the Hybrid Access Gateway portal. After the user clicks the resource, the assessment is executed and validated; a new web page opens that informs the user about the assessment.

HAG-1022

Assessment for tunnel sets
The Assessment feature has been extended to work with tunnel sets. The initial version supported only tunnel resources.

This feature is used by assigning an Assessment access rule to a tunnel set. The tunnel set is displayed in the portal in any case. When the user clicks the tunnel set, the assessment is performed together with the Access Client application. If the assessment fails, the Access Client displays a customizable message as a popup.

HAG-1035

Official Support for Citrix XenServer
Hybrid Access Gateway now officially supports deployment on Citrix XenServer.

Since the Hybrid Access Gateway appliance runs in HVM mode (Hardware Virtual Machine), HVM mode must be enabled on the XenServer to support Hybrid Access Gateway.

HAG-1046

Authentication with Freja eID
Hybrid Access Gateway now supports authentication with the Freja eID service in version 1.0. Users can authenticate with their email address or, if available, their Social Security Number (SSN).

To use the authentication method, customers first need to obtain their personal client certificate from Freja eID as well as the server SSL certificate.

The authentication can be configured to accept only LoA3 authentication with Freja eID+ if desired. In this case the SSN must be used as the username.

After successful authentication, the Hybrid Access Gateway user is determined and logged in based on the configured user attribute property (for example, SSN or email address).

With the introduction of Freja eID, Hybrid Access Gateway now supports three different Swedish eIDs: (Mobilt) BankID and Freja eID over a native interface, and AB Svenska Pass over SAML. Freja eID and AB Svenska Pass are approved by E-legitimationsnämnden and are therefore eIDAS compliant. See Nexus Doc for further information.

HAG-1074

Applied latest fix for Spectre/Meltdown
The fix released on 2018-02-22 has been applied to the Hybrid Access Gateway appliance. The following information was provided:

Ubuntu Cloud Images have been released with retpoline compiled kernels for amd64 and i386 for Ubuntu 17.10 and Ubuntu 16.04 LTS

For more Information see: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Corrected bugs

JIRA ticket no. | Description

HAG-9

Slow administration interface with a large number of resources
An issue has been fixed where the administration interface responded slowly when editing resource objects. This occurred when a large number of resources were configured.

HAG-513

Access Client leads to Bluescreen
An issue has been fixed where the Access Client on Windows stopped working and caused a bluescreen.

HAG-594

ObjectSID in SAML Ticket is not Base64 encoded
In some scenarios where the objectSID is used as the SAML subject, this value must be Base64 encoded. This was not possible before. In this version a drop-down menu for selecting the encoding method has been added when adding an SP in SAML federation. The possible values in that drop-down menu for subject encoding are Base64 and None.

HAG-647

HTTP SMS plugin doesn't support TLS
An issue has been fixed where customers using SMS gateways with SSLv3 disabled were not able to send SMS.

HAG-650

Delete logs after sync
An issue has been fixed where log files weren't deleted after syncing them to a remote location.

HAG-934

Insufficient certificate check for Windows Integrated Login
In previous versions of Hybrid Access Gateway, during authentication with WIL the IIS server certificate was compared directly to the configured CA certificate. This was not sufficient in cases where the configured CA certificate is only the root of the server certificate's chain. The mechanism has been improved to check the complete certificate chain.

HAG-974

Missing algorithm suite in PKCS OATH import
Fixes an issue where the algorithm of an OATH token was not set properly during import if the algorithm suite within the PKCS file was not defined. Hybrid Access Gateway now analyses the secret, if present, and selects the algorithm based on the length of the secret.

HAG-993

CDP not working as expected
An issue has been fixed where Hybrid Access Gateway disabled the CRL check altogether if the CDPs could not be contacted and the configuration was set to:

Authentication is allowed, previous retrieved CRL is used

From now on, if any previously retrieved valid CRL is present, it is used for validation of the certificate.

HAG-994

CDP redundancy is not working
An issue has been fixed where an invalid CDP, or a CDP that delivered incorrect data, led to refused authentication even when additional CDPs were configured.
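The corrected CDP behaviour of HAG-993 and HAG-994 combined, as an added Go example (not Hybrid Access Gateway code): every configured distribution point is tried in turn, one that is unreachable or serves unusable data is skipped rather than blocking authentication, and only when none yields a CRL is a previously retrieved, still-valid CRL used; the check is never silently dropped. The CRL structure, the three simulated distribution points and the "valid means NextUpdate not yet reached" rule are assumptions of this example.

```go
package main

import (
	"errors"
	"time"
)

// crlInfo is a minimal stand-in for a parsed CRL: when it expires and which serials it revokes.
type crlInfo struct {
	NextUpdate time.Time
	Revoked    map[string]bool
}

// fetchFunc retrieves and parses the CRL behind one CRL distribution point (CDP) URL.
type fetchFunc func(cdp string) (*crlInfo, error)

// checkRevocation walks the configured CDPs in order and skips any that is unreachable, returns
// unparseable data or serves an expired CRL (HAG-994: one bad CDP must not block the others). If
// no CDP yields a usable CRL, a previously retrieved CRL is used provided it is still within its
// validity period (HAG-993); the check is never skipped. Treating "valid" as NextUpdate not yet
// reached is this example's assumption.
func checkRevocation(serial string, cdps []string, fetch fetchFunc, cached *crlInfo, now time.Time) (bool, *crlInfo, error) {
	usable := func(c *crlInfo) bool { return c != nil && c.Revoked != nil && now.Before(c.NextUpdate) }
	for _, cdp := range cdps {
		if c, err := fetch(cdp); err == nil && usable(c) {
			return c.Revoked[serial], c, nil
		}
	}
	if usable(cached) {
		return cached.Revoked[serial], cached, nil
	}
	return false, nil, errors.New("no CDP reachable and no valid cached CRL: refusing authentication")
}

// simulatedCDPs is a constructed set of three distribution points: one unreachable, one serving
// corrupt data (no revocation list), one healthy that lists serial "1001" as revoked.
func simulatedCDPs(now time.Time) ([]string, fetchFunc) {
	table := map[string]*crlInfo{
		"http://cdp2.example.test/ca.crl": {},
		"http://cdp3.example.test/ca.crl": {NextUpdate: now.Add(time.Hour), Revoked: map[string]bool{"1001": true}},
	}
	fetch := func(cdp string) (*crlInfo, error) {
		if c, ok := table[cdp]; ok {
			return c, nil
		}
		return nil, errors.New("connect timeout: " + cdp)
	}
	return []string{"http://cdp1.example.test/ca.crl", "http://cdp2.example.test/ca.crl", "http://cdp3.example.test/ca.crl"}, fetch
}
```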

HAG-998

Re-encrypt does not work and can destroy accounts
An issue has been fixed where the re-encrypt function was not working as expected. This could occur if multiple key instances are in use, for example when merging two instances of Hybrid Access Gateway into one. In this case the information on the user objects was not converted to the new key as expected.

HAG-1025

Automatic OATH authentication method deactivation
Previously, the OATH authentication method for a user was automatically deactivated after the last OATH token had been disabled. This behaviour has been changed to enable the new self-provisioning functionality for software tokens such as Personal Mobile OTP or Google Authenticator.

End of Sales statement

Refer to Supported versions of Hybrid Access Gateway.

End of Life statement

Refer to Supported versions of Hybrid Access Gateway.

Contact

Contact Information

For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/

Support

Nexus offers maintenance and support services for Nexus Hybrid Access Gateway to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.