Release Date: 2018-11-16
Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.13.
Main new features
OpenID Connect is now supported by Hybrid Access Gateway
The federation technology OpenID Connect can now be used as an authentication method in Nexus Hybrid Access Gateway. This means that Hybrid Access Gateway can be connected to external Identity Providers (IdPs) that support OpenID Connect, for example Google, Norwegian BankID and Verimi.
Added support for Oracle database
The new version of Hybrid Access Gateway has support for Oracle database to be used as external database.
Because of required changes at the database level, a dialect entry must be added before upgrading to the new version if an external report database is used. Without the dialect entry, the connection to the reporting database fails until the entry has been added and the administration service has been restarted. For further information, see Change report database for Hybrid Access Gateway.
Direct integration of Nexus Personal Desktop
Secure login is now even more convenient in Hybrid Access Gateway, with added smart card support via Nexus Personal Desktop, which is useful for example to make digital signatures in Nexus GO Signing.
When doing authentication, Hybrid Access Gateway sends an authentication request to Personal Messaging and then opens the Personal Desktop application of the client directly from the browser. The user needs to compare two images, same as with Personal Mobile.
Detailed feature list
Support for Personal Mobile authentication on same device
The Personal Mobile authentication method was extended to improve the usability of same-device authentication. If a user wants to authenticate to a resource from a smartphone or tablet that has Personal Mobile installed, Hybrid Access Gateway opens the app automatically after a short delay. The delay gives the user time to remember the image displayed in the browser so that it can be compared afterwards with the image displayed in the Personal Mobile app. This provides the same security as using Personal Mobile out-of-band.
This new feature is enabled by checking Enable authentication on same device within the Personal Mobile authentication method.
Custom message for Mobile Text over XPI
It is now possible to send a custom SMS text template for Mobile Text authentication over XPI. The template supports the same parameters as before, such as the OTP, the lifetime, the time of OTP creation and the display name of the user. The template can be sent as an additional parameter. If no custom template is sent, the default configured message will be used.
For further information, see the XPI documentation within the administration interface.
Use self-provisioned profile directly for authentication
After a new Personal Mobile profile has been self-provisioned over the self-service, the user can now choose either to use the new profile directly for authentication or to access the portal with the existing authentication.
To self-provision a new Personal Mobile profile or OATH profile, the user needs to authenticate with another method to prove their identity. After that the user has a valid authentication and is able to access the Hybrid Access Gateway portal. In some cases a higher level of assurance may be required; the user can then use the newly provisioned profile to step up the existing authentication to a higher level.
Added support for Oracle database
Hybrid Access Gateway 5.13 adds support for Oracle to be used for the user-, report-, OATH- and OAuth 2.0 databases. Databases with version Oracle 12c Release 2 (22.214.171.124.0) and Oracle 11g Release 2 (11.2) are supported.
Added field for Nexus Personal Messaging API key
The API key that must be defined when setting up Hybrid Access Gateway and Personal Messaging can now be configured in the administration interface, in the global settings of the Policy Service.
Nexus Personal Messaging relay URL was removed
The proprietary Hybrid Access Gateway LCP protocol, which is used for communication between the different services, was extended to cover the exchange of Personal Messaging related information. As a result, a publicly exposed web resource is no longer needed for this function, and the field Personal Messaging relay URL was removed from the global settings of the Policy Service.
Attestation key is used to sign Personal Mobile provisioning response
To further improve the security of Personal Mobile, Hybrid Access Gateway and the Personal Mobile application (including the SDK) now use an attestation key. This key is used to sign the provisioning response of Personal Mobile and thereby to prove the validity of the client.
The attestation key may be changed in the global settings of the Policy Service. This is important when using Personal Mobile as SDK.
Permanent redirect for migrated Personal Mobile profiles
If a Hybrid Access Gateway with a version below 5.12 is upgraded to version 5.13 or later, existing Personal Mobile profiles need to be migrated to the Nexus Personal Messaging service. Profiles that were created before the migration will keep asking the Hybrid Access Gateway Distribution Service for outstanding authentication requests. With Hybrid Access Gateway 5.13 and above, those requests are answered with a permanent redirect (HTTP code 308) to the new URL of the Personal Messaging service. The Personal Mobile application then saves the new URL and polls it from then on.
The URL that is sent as permanent redirect needs to be configured in the global settings of the Policy Service. This is only required if a migration of Personal Mobile profiles has been done.
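The redirect behaviour described above, as an added illustration that is not Nexus code: a minimal polling client that follows an HTTP 308, persists the new URL only for a permanent (308, not 307) redirect, and refuses to be redirected off HTTPS. The URLs and the in-memory transport are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlparse

# Constructed URLs (not real hosts): old Distribution Service, new Personal Messaging.
OLD_URL = "https://hag.example.test/distribution/poll"
NEW_URL = "https://messaging.example.test/api/poll"

@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""

class PollingClient:
    """Stand-in for the app: polls a stored URL and re-points itself on HTTP 308."""

    def __init__(self, poll_url: str, max_redirects: int = 3) -> None:
        self.poll_url = poll_url
        self.max_redirects = max_redirects

    def poll(self, transport: Callable[[str, str], Response]) -> str:
        url = self.poll_url
        for _ in range(self.max_redirects + 1):
            resp = transport("GET", url)
            if resp.status == 200:
                return resp.body
            if resp.status in (307, 308):
                location = resp.headers.get("Location", "")
                # Never follow a redirect off HTTPS: the app will later post
                # authentication responses to whatever URL it remembers.
                if urlparse(location).scheme != "https":
                    raise ValueError(f"rejected redirect to {location!r}")
                if resp.status == 308:   # permanent: persist the new URL
                    self.poll_url = location
                url = location           # 307 is temporary: follow but do not save
                continue
            raise RuntimeError(f"unexpected status {resp.status}")
        raise RuntimeError("too many redirects")

def make_transport(hits: Dict[str, int]) -> Callable[[str, str], Response]:
    """Constructed in-memory network: old URL answers 308, new URL answers 200."""
    def transport(method: str, url: str) -> Response:
        hits[url] = hits.get(url, 0) + 1
        if url == OLD_URL:
            return Response(308, {"Location": NEW_URL})
        if url == NEW_URL:
            return Response(200, {}, "no pending authentication requests")
        return Response(404, {})
    return transport
```

After the first poll the client only ever contacts the new URL, which is the point of the migration redirect; a real client would also persist the updated URL to storage.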
OpenID Connect support for being Relying Party
Hybrid Access Gateway now supports authentication with the core functionality of OpenID Connect 1.0. Hybrid Access Gateway can be configured as a Relying Party, using the OpenID Connect authentication method to connect to an external Identity Provider such as Google, Norwegian BankId or VERIMI.
The configuration information can be obtained from a discovery endpoint or by providing the authorization and token endpoints separately. The authorization code flow and the implicit flow are supported. Within the configuration of the new authentication method, the administrator can specify the scopes that are sent to the authorization server as well as most of the optional parameters defined by the official specification.
To use the OpenID Connect authentication method, a client ID and a client secret issued by the external Identity Provider must be provided.
Predefined resource for image API
In order to provide images for the Personal Mobile authentication, the image API needs to be made available as a web resource. To simplify the setup of Personal Mobile authentication, this web resource is available as a predefined resource from now on. The web resource is disabled and needs to be enabled manually in order to use it. Further settings may be changed on the web resource called distribution-service.
Direct integration of Nexus Personal Desktop
In addition to the existing User Certificate authentication method, the middleware Nexus Personal Desktop is now integrated directly. For this function the Nexus Personal Messaging service is used to handle authentication requests, similar to how it works with Personal Mobile. The user is asked to compare two images and to select a suitable certificate for the authentication. Personal Desktop is called directly from the browser.
To use this feature, Nexus Personal Desktop 4.28 or higher is required.
Added label to show callback URL
When using Personal Mobile together with the Nexus Personal Messaging service a callback URL of Hybrid Access Gateway needs to be provided in order to send authentication responses. From now on this URL is displayed in the global settings of the Policy Service to simplify the setup process.
Increased size of DN column in database
The size of the database column DN in the table Userlink was increased. A value can now be up to 1024 characters long. This is required if the distinguished name of an employee is substantially longer, for example because of many attributes.
Improved hardening of appliance
With Hybrid Access Gateway 5.13 the hardening index of the appliance was improved to be even more secure. The overall hardening score (based on Lynis) was increased to 74.
Getting error if an internal cookie contains special character
When the internal cookie WA_AM was enabled, a server error occurred in the portal when the last used authentication method name contained a special character, such as 'å', 'ä' or 'ö'. This issue is fixed with the current release.
Removed unnecessary message from log
The message "Failed to decrement block-counter, mechanism 9" was filling the logs unnecessarily. Logging was changed so that the message is only written when necessary.
Allow special characters inside authentication method name
An issue has been fixed where a special character, such as '&' led to error code 403 in the Access Point.
Fixed migrate user function for migration from PortWise
An issue has been fixed where the migration of user groups from a PortWise system to Hybrid Access Gateway did not work.
Changed infinite DNS cache of Java services
In previous versions of Hybrid Access Gateway the IP address of a DNS name was cached forever. If the IP address changed, the cache was not refreshed automatically. This issue is now fixed for all Java services.
Activate browser on next logon was not working in case of linking
When using user linking, the Activate browser on next logon setting did not work. This is fixed in the current release.
Corrected OAuth 2.0 consent page
With Hybrid Access Gateway 5.13 redirections from authorize to /rest/v3.0/oauth/authorize were fixed. Furthermore, the API resource root was changed to contain application/x-www-form-urlencoded in request and response content types so the URL rewrite works properly.
Fixed DNS resolution issue with Access Client for Mac
An issue has been fixed where macOS passed DNS requests past the Access Client if, for example, the Access Client did not respond immediately due to a network failure.
Improved lifespan settings for authentication and signing
The meaning of the lifespan settings in the Hybrid Access Gateway Policy Service has been made clearer. From now on the validity of provisioning requests may be changed with the fields:
The validity of authentication requests may be changed as an extended property on the corresponding Personal Mobile authentication method. The default value is 300 seconds (5 minutes) and may be changed in the global settings of the Policy Service (Authentication Settings).
The validity of signing requests may be changed in the global settings of the Policy Service (Authentication Settings). The default value is 300 seconds (5 minutes).
Improved database performance
The database performance was improved by implementing a smarter mechanism for handling the database sessions. Database sessions will be closed immediately after the job is done. If the session closure fails, for example, due to pending transactions, the closure is then scheduled in a separate thread.
Allowing unknown users when acting as SAML proxy led to an error
An error occurred when the system was used as a SAML proxy between 3rd-party Service Providers and an Identity Provider, if the system had been set up to allow unknown users and not to auto create users. This issue is now fixed.
Support for multi-line values in responses
An issue was fixed where multi-line values in HTTP headers weren't processed correctly.
Tunnel connection cannot be terminated
In some cases the Access Client does not terminate the connection when the user clicks the corresponding menu button. This was observed in Hybrid Access Gateway versions 5.12 and 5.13.
Authentication method settings not updated correctly for already linked users
If an already linked user from the user storage has no authentication method enabled, it is currently not possible to update the authentication method for that user by using user linking.
Simultaneous OATH self-provisioning from multiple users can lead to tokens being set on hold
If several users provision OATH tokens simultaneously over the self-service, certain tokens may be set on hold. This can only happen in high availability mode.
End of Sales statement
End of Life statement
For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/.
Nexus offers maintenance and support services for Nexus Hybrid Access Gateway to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.