Release note Smart ID 21.04

Version: 21.04

Release Date: 2021-05-20

The Smart ID 21.04 release provides major updates in Identity Manager, Self-Service, Digital Access and Physical Access. Messaging provides minor improvements and bugfixes only. All components also provide several bugfixes and library updates to ensure high quality and security.

See Upgrade Smart ID with information regarding upgrade from 20.11 to 21.04.

Main new features

Identity Manager login page revised

In this Smart ID release, several changes around login for Identity Manager have been done. The tenant pre-selection page has been removed, selecting tenant is now part of the main login page. Also, there are now dedicated login buttons for SSO (via SAML) and certificate based login, so that users can select the login method on the UI (instead of selecting SAML and certificate login just via URLs). At the same time, the logout button for SAML was introduced in Self-Service and Identity Manager Operator in order to close the user sessions via the UI.

Furthermore, it is now possible to configure in the Admin panel of Identity Manager Operator, which authentication methods will be visible per tenant (e.g. to enforce strong authentication in Identity Manager and disable username/ password).

Improved Batch Sync in Identity Manager

With Smart ID 21.04, it is now possible to control the Batch Sync jobs in the runtime system (in the Admin tab of Identity Manager Operator). New buttons have been introduced in the Batch Sync job list, to start/stop/execute scheduled jobs from there. Besides that, improvements in the paging behavior of the searches have been done for Batch Sync.

Introducing Interflex 6040 connector

This release of Smart ID introduces a standard connector to the Interflex 6040 PACS system in Physical Access, supporting the standard use cases of Smart ID Physical Access.

Search AD user groups in Digital Access

In Digital Access Admin, the handling of selecting and assigning AD user groups has been improved. Instead of listing the available AD groups in dropdown menus, a search has been introduced to support selecting user groups in large AD environments with more than 1000 AD groups.

Smart ID compatibility

Smart ID 21.04 is compatible with the following component versions:

Components	Version
Smart ID Identity Manager Smart ID Self-Service Smart ID Digital Access Smart ID Messaging Smart ID Physical Access	21.04
Smart ID Digital Access	6.0.5 (included in Smart ID 21.04)
Smart ID Messaging	3.0.0 (included in Smart ID 21.04)
Nexus Card SDK	5.7 or 5.8
Smart ID Certificate Manager	8.3
Smart ID Desktop App	1.5.6
Smart ID Mobile App	5.3 (iOS) and 5.3 (Android), see Smart ID Mobile App news
Smart ID Mobile SDK	2.3.0 (iOS) and 2.3.1 (Android), see Smart ID Mobile SDK news
Nexus Personal Desktop Client	5.7

Detailed feature list

Features

Jira ticket no	Description	Digital Access	Identity Manager & Self-Service	Physical Access
DEVOPS-738	Added instance ID in Docker config for self-service It is now possible to set the instance id (used to differentiate the applications when running multiple instances) for the Self-Service via the docker-compose environment variable. Set properties for Smart ID Self-Service.		X
DEVOPS-468	Improved standard password issuing process So far the standard process in the Identity Manager Base package was that every new employee gets automatically username/password for self-service sent per email and printed as PDF during user activation. Now the standard process has been adjusted so that is easier to choose if optionally either PDF or mail is used to issue the username/password. See Enter person data manually - Digital ID.		X
DEVOPS-599	Supporting ObjectGUID attribute in LDAP It is now possible to use the ObjectGUID attribute - or in general attributes in binary format - in LDAP as a datapool field or in an export configuration in Identity Manager. This means that the GUID can now be used as a unique identifier for import/export, especially in large AD forests when no other uid is available.		X
DEVOPS-588	Improved password complexity The default settings in the standard Identity Manager packages for generating passwords have been updated. The password complexity has been increased (16 digits, number, upper case character and special character) in order to increase security.		X
DEVOPS-485	French translations Added some missing French translations in the standard workflow packages for Identity Manager.		X
DEVOPS-445	Added tenant id in docker config for self-service It is now possible to set the tenant id for the self-service via the docker-compose environment variable.See Set properties for Smart ID Self-Service		X
CRED-10588	Return certificate chain with QuoVadis PKI The QuoVadis PKI connector did not return the certificate chain (root, issuing CA) as part of the certificate requests. In some use cases it is required to write also the whole chain on smart cards or to deliver the chain in soft tokens. This functionality has been added now as well to the QuoVadis connector. See Cert QuoVadis PKI - Standard service tasks in Identity Manager.		X
CRED-10649	Added certificate chain parameter to soft-token task The soft-token service task got an additional parameter to decide if the whole certificate chain will be added to the Pkcs#12 soft-token or not. Before, the chain was always added, and this is still the default behavior. But with the new parameter, customers can deactivate the chain, so that only the end user certificate will be added to the Pkcs#12. See "Cert: PGP Soft Token" in Standard service tasks in Identity Manager.		X
CRED-10575	Obsolete JSPs removed Removed obsolete .jsp sub pages for PDF printing in the form designer. These sub pages are leftovers from the former java-based clients and do no longer work on the HTML5 clients in Identity Manager.		X
CRED-10541	Standard service task cleanup The standard service tasks have been aligned with the new Smart ID naming conventions (e.g. changed terms like Personal X, HAG etc. to the new names). This does not affect the functionality, also no change in the configuration is needed because of the name changes. Also the deprecated "generateAndArchivePasswordAccordingPasswordPolicyTask" and the old soft token task "executeSoftTokenRequestAndRecovery" are removed with 21.04. Customers, that are still using these tasks have to switch to the successor tasks. See Smart ID Messaging - Standard service tasks in Identity Manager.		X
CRED-10617	Improved error handing for BPMN rollback When the BPMN process engine does a rollback due to an error during execution of a process task, the default behavior is that the BPMN engine does infinite retries every 5 min, if the error is not caught properly in the BPMN design, e.g. via ErrorBoundaryEvents. To prevent endless retries, when the error is not handled in the BPMN design, the implementation limits now to 3 retires max.		X
CRED-8882	Updated SAML algorithms Specifically the hash algorithm is updated to SHA-256 now.		X
CRED-10473	Extended filter capabilities in multi-level search When searching through multiple levels in a coreObject hierarchy, in general the filters can be applied on both - the source and the target data pool. There was one limitation so far on that - when using the same data pool as source and as target, the filters could only be set on the source so far. With 21.04, this has been improved, now we can also apply filters on both - source and target - even if both is the same data pool.		X
CRED-10600	New revocation service task Added new service task for certificate revocation that can fetch states also dynamically from the process map, e.g. for easier automated revocation via APIs. See "Cert: Revoke Certificate" in Standard service tasks in Identity Manager.		X
CRED-9538	Allow BatchSync to modify data in data source The BatchSync functionality in Identity Manager had so far a limitation when using the same data pool as source and target. Use case e.g. if mass card blocking is done, the search will read on the same source that is used later on for writing in the blocking process. In that case, when processing a large amount of records, BatchSync did not process all records in the first run but needed multiple iterations (due to an internal paging). This has been improved with Smart ID 21.04 - BatchSync will process now all records in one run for all use cases.		X
CRED-10400	History migration from SmartACT/ProACT The migration tool to move from the old (EOL products) SmartACT/ ProACT has been extended, now also SmartACT/ ProACT history tables can be migrated into the IDM ObjectHistory.		X
CRED-9117	"start/stop/execute" for BatchSync User experience has been improved for BatchSync. So far the only way how to execute the Batch Jobs was the cron expression in the configuration. Now it is possible to start/stop the scheduled jobs and also execute them immediately in the Admin panel in Identity Manager Operator. See Identity Manager Operator and Set up scheduled jobs in Identity Manager.		X
CRED-10089	Domain registration for QuoVadis PKI With this release a new standard service task has been added to Identity Manager to do domain registration when using QuoVadis PKI. Use case is: when customer wants to issue TLS certificates for a new domain, the registration of the new hostname can now be done directly via workflows in Identity Manager instead of going through the QuoVadis Portal. See Cert QuoVadis PKI - Standard service tasks in Identity Manager		X
CRED-10552	Enabling/disabling authentication methods in Identity Manager As part of the redesign of the Identity Manager Operator login screen, we also added the possibility to enable/disable dedicated authentication methods (such as username/password, SAML SSO or certificate based login). A corresponding configuration was added to the Admin Panel in Identity Manager Operator to do that configuration. This means that e.g. username/password can be deactivated to enforce strong authentication. The separate configuration of authentication methods for Smart ID Self-Service remains, so that authentication methods can be differentiated for Identity Manager Operator and Self-Service. See Identity Manager Operator.		X
CRED-9115	Connect to PKI service providers via Proxy For our connectors in Identity Manager to PKI service providers (D-Trust and QuoVadis) we have now introduced the possibility to set up an HTTP proxy. Customers that have no direct access to Internet from the application server can now route the traffic to the PKI service providers via a web proxy. See Integrate Identity Manager with D-Trust connector and Integrate Identity Manager with QuoVadis connector.		X
CRED-10498	Added Eject parameter to Card Encoding via Card SDK From Smart ID 21.04 on, it is possible to control the eject behavior in of card printers, when printing and encoding cards via Identity Manager and Card SDK. In previous versions, when doing integrated encoding in the card printer, by default the card was ejected when card personalization was finished. In some cases, a second encoding process is required (after a round-trip to Identity Manager for execution of additional business logic). For that purpose, an additional parameter was introduced in the encoding files to decide if the card should remain in the printer or if it should be ejected. See Structure of an encoding description in Identity Manager.		X
CRED-10528	Performance improvement in CM Connector The implementation of the CM Connector has been improved in Identity Manager in order to improve performance, specifically request throughput, in high load scenarios. The new implementation (based on the CM Toolkit) will reuse an established TLS session again for subsequent requests.		X
CRED-10648	Delete objects via SCIM With this release we added the possibility to delete also objects in a SCIM service. The standard "delete Object" BPNM process task can now be used also on a SCIM data pool. When executing that task on SCIM, the system will trigger deleting the selected record in the foreign SCIM resource. See Set up process in Identity Manager.		X
CRED-10142	SAML Logout in Identity Manager Operator and Self-Service With Smart ID 21.04 we are introducing a session logout for Identity Manager Operator and Self-Service. This means that users that authenticate via SAML can now logout also with the ordinary logout button. Please note that this is just an ordinary invalidation of user session in Identity Manager and not a SAML SLO. The SAML ticket still remains valid after logout in Identity Manager or Self-Service. See Identity Manager Operator.		X
CRED-10204	Improved REST Process API The Process REST API was extended to make querying data at a given user-task more reliable: added a new optional parameter the process "start" command (backwards-compatible) added two additional commands Interaction with existing clients will behave as before. Client changes are required to take advantage of the new features. See Identity Manager Process REST API for details. Setting certificate validity dates now also supports the lexical xsd:dateTime format (see https://www.w3.org/TR/xmlschema-2/#dateTime). Using this (with timezone, ideally UTC) is recommended over the legacy format "yyyy-MM-dd HH:mm:ss", which depends on the server's local timezone.		X
IDC-1723	Support added for Interflex IF-6040 PACS connector Interflex IF-6040 PACS connector from Interflex Datensysteme GmbH (Allegion Group) is supported for all standard use cases in Smart ID Physical Access. See Set up integration with Interflex IF-6040.			X
IDC-1765	Docker Compose updates Environment variables are now used for setting and reading configuration settings instead of app.config.			X
DA-100	Added ability to search user groups Added ability to search user groups instead of having dropdown at multiple places so that groups can be searched and added even if there are more than 1000 AD groups.	X
DA-141	Local users can be added as delegated administrator Added ability to add local users as delegated administrator under Delegated Management. This works both for Digital Access Admin and XPIs.	X
DA-143	Ericom client has been removed Removed EricomClient / Access now references from Digital Access Admin under Resources. This will only be removed from the default standard resources and not the ones specifically added by users. Resources added by users will have to be manually removed.	X
DA-164	Upgraded to Guacamole version 1.3.0 Added option to url encode for guacamole web resource.	X
DA-166	Added support for TLS version 1.3.0 Added support for TLS version 1.3.0. Removed the support for SSL v2 and v3. Removed weak ciphers for TLS v1.0, 1.1. Disabled weak ciphers by default for TLS v1.2. Known bug: User certificate authentication method fails when TLS1.3 is enabled. The work around is to disable TLS1.3. The fix for the same will be included in the later DA releases that will be communicated once released.	X
DA-397	Added Docker Swarm orchestration Added Docker Swarm orchestration for Digital Access deployment in virtual appliance. Read more here: Deploy Digital Access component. From version 6.0.5 onward, there will be only the command line way to upgrade Digital Access versions (both Online and Offline upgrade). Removed the v-apps and admin GUI upgrade options. More details can be found in the upgrade instructions document for different setups, see here Upgrade Digital Access component. Also, upgrade to 6.0.5 and above will remove the existing orchestrator and replace it with industry adopted standard docker-swarm.	X

Corrected bugs

Jira ticket no	Description	Digital Access	Identity Manager & Self-Service
CRED-10785	Fixed setting password in EST registration service task.		X
CRED-10769	Fixed handling empty files that are mapped to encrypted fields in CSV import.		X
CRED-10678	Fixed translations of coreObject state, template name and change state reason in Self-Service.		X
CRED-10571	Fixed escaping of special characters (such as "/") in DN of an LDAP string.		X
CRED-10566	When changing a field value in Self-Service to "blank", the value was not removed from the BPMN process map, therefore the previous value was applied again. This has been fixed.		X
CRED-10463	It could happen, if a check box is selected as default value in the form designer, that the value is not shown correctly in the form when using the form during runtime. this is fixed now.		X
CRED-10485	Fixed a client side memory leak, when doing smart card production via the java PKI encoding client in combination CardOS API.		X
CRED-10563	Avoid NullPointerException if a configured certificate template is not found during card encoding.		X
CRED-10667	Card production and card operation process tasks did create wrong card -> certificate object relations if another certificate was already in the BPMN process before the card production was executed. This has been fixed now.		X
CRED-10729	Fixed a security issue in SCEP Registration task: when doing the SCEP registration via Identity Manager, the plain SCEP registration password, remained in the BPMN process map - immediate cleanup of the map was missing.		X
CRED-10723	Card state change could end in an endless BPMN loop in a certain scenario: state change runs into an error (e.g. invalid transition) on the process level and at the same time a database rollback happens (e.g. due to concurrent read/write). This has been fixed now.		X
CRED-10706	Fixed a performance issue when switching between the main tabs in Identity Manager Operator (PRIME Explorer). In a very large environments (lot of runtime data and lots of different configuration items) it could happen that switching between the tabs ("Start", "Search", "In Progress") takes up to 30 seconds. Switching tabs does no also perform well in these scenarios.		X
DEVOPS-737	The templates for Identity Manager database initialization for MS SQL DB was wrong in the Smart ID environment file. Template is corrected now.		X
CRED-10254	A dedicated error page for unexpected SAML authentication errors was missing so far. This has been fixed, now in any case a user-friendly error message is shown when SAML login fails.		X
CRED-8289	Search results in Identity Manager extended search could not be sorted by states by clicking the headline in the search result so far. Now sorting will be done on the symbolic name of the states when clicking the headline.		X
CRED-10489	Fixed an SQL statement in BPMN history cleaner, that could cause to incomplete cleanup and slow down the cleanup.		X
CRED-10565	File upload in self-service user tasks was not working anymore. This is fixed now.		X
CRED-8059	The name of the Batch Sync jobs in the Admin tab of Identity Manager Operator was not shown correctly - ID instead of the name was displayed. Now the correct name is shown in the job list.		X
CRED-10359	Improved error handling of the "build ZIP file" standard service task. In some cases (e.g. when fields could not resolved to build the filename) an exception was thrown. These errors are now handled correctly.		X
CRED-10704	When copying the username from the authentication context via the standard service task in self-service, a wrong username was returned. This has been fixed, now also in self-service the correct login name is returned.		X
CRED-10401	When exporting and importing the Identity Manager configuration, the order of the assigned card applications (encodings) in the card templates could get lost/changed. this has been fixed with this release.		X
CRED-10675	When importing records from a CSV file via client side upload (and corresponding service task), it could happen that records are added to the "updatedCoreObjectDescriptorList" parameter in the BPMN process map even if the records have not been changed. This is fixed now.		X
CRED-10139	When setting up "generate date" as initialization value in the form designer in Identity Manager Admin, an exception was thrown. Fixed in 21.04.		X
CRED-10542	Search for fields of type datetime in LDAP didn't work correctly. This has been fixed in 21.04		X
CRED-9938	Time zones have been resolved differently in the Self-Service in contrast to Identity Manager Operator. This did lead to different results between Self-Service and Identity Manager Operator when listing or displaying dates and times. Issue is fixed in 21.04.		X
CRED-8761	When executing a search via search button in a user form in Identity Manager Operator, it could happen that the list did not get filled up til the end of the screen (unused space at the end). This has been fixed now.		X
CRED-9217	When switching from cards with encoding to printable cards only in card template configuration in Identity Manager Admin, the encoding got not disabled and still executed. This has been fixed now, when switching to printable card, encodings get properly removed.		X
CRED-10396	Session handling in Self-Service was not implemented correctly: unnecessary sessions where opened and not closed anymore. This has been fixed in 21.04		X
CRED-10390	Swedish language files where not set correctly in Identity Manager. This has been fixed.		X
CRED-10444	Fixed vulnerability in Self-Service API. Entity reference IDs are now encrypted in the communication between Self-Service and Identity Manager Operator,		X
CRED-10578	Card production failed in Identity Manager if no validity date was present in the request process. This is fixed now, valid from/to is not mandatory anymore for card production.		X
CRED-10495	Initialization values in Self-Service did not work in combination with dropdown-boxes. Has been fixed in this release.		X
CRED-10472	When setting "valid from" parameter for dates in user forms, the date picker in Self-Service and Identity Manager Operator did not evaluate the borders correctly (due to wrong timezone handling). This has been fixed now.		X
CRED-10334	When editing secret fields in a user form, the current field value are masked with "dots". When changing the content, the masked dummy values have not been removed automatically. This could lead to wrong input data, containing the dummy values behind the dots. This has been fixed now.		X
CRED-10195	When adding new fields in a datapool in Identity manager Admin, the check for the name "id" (which is a system field) was done on the translation instead of the symbolic name. Fixed in this release.		X
CRED-10694	Self-Service did show ids instead of display names in comboboxes with static content. Fixed in this release.		X
CRED-10494	Fixed an issue when evaluating the client IP in Self-Service, that is written in object history or read via the "copyValuesOfLoggedInUser" task. Previously the server IP was provided instead of the client IP.		X
CRED-9042	Device name was not passed to Card Operation Task for RFID encoding. Fixed now.		X
CRED-10576	Preview of PDF report templates in Identity Manager Admin was broken. Fixed in this release.		X
CRED-10232	When changing the content of an already saved Batch Order (e.g. removing or adding items in the order), an error was thrown. This has been fixed now. Please note that a new field "search config" has been introduced in the orders for that fix, that has to be configured now (see update instructions). See Upgrade Smart ID Identity Manager from 20.11 to 21.04.		X
DA-130	Signatures over Web service API produced orphan sessions.	X
DA-132	Added ‘cacheDuration’ attribute of value 15 minutes in SAML metadata when Digital Access acts as an IDP.	X
DA-144	While importing server certificate, encrypted private key with newer encryption algorithm like PBE-SHA1-3DES works now. All PKCS#5 v1.5 and PKCS#12 algorithms are supported now.	X
DA-145	Improved performance when many SAML attributes are added by reducing the unneeded repetitive storage calls.	X
DA-148	Update the default NPS URL to ‘nps.go.nexusgroup.com’	X
DA-154	Improved on the Docker health check logging to monitor the Docker health at service level to avoid log cluttering.	X
DA-176	WS federation stops working after an upgrade to 6.0.x, this has been fixed.	X
DA-188	If we Use Organization ID service for Freja authentication, then the registration level set in the Force authentication dropdown does not have any effect on the authentication. Hence disabled force authentication control if Use Org ID service is checked.	X
DA-213	Oauth2 Discovery returns 202 Accepted when according to spec it should be 200 OK, this has been fixed.	X
DA-320	Failing to delete profile connected to Smart ID Mobile App through XPI services, this has been fixed.	X
DA-327	Upgraded openSSL version to 1.1.1k to fix the CVE-2021-3449 vulnerability.	X

Release announcement

From this release, only Docker deployment is supported for the Smart ID components Identity Manager, Physical Access, Digital Access and Messaging. For full instructions, see Deploy Smart ID.

From Smart ID 20.11 and on, components now only have the Smart ID version number and not the different component version numbers. For information on previous releases, see Nexus Documentation Archive.

For details on the updated Smart ID configurations and deployment configurations, see here:

Smart ID configuration release note

Smart ID 21.04

Key

Description

DEVOPS-468

Identity Management- Optional Password and PIN Letter

New configuration options to send the password information by mail or Pin letter.

For more information, see:

Enter person data manually

DEVOPS-588

Improved complexity of password generation in IDM

In the following processes and forms we improved the complexity of password generation.

Enter person data manually (BaseProcCreateActivateEmployee)

Reset forgotten password (BaseProcUSSPForgetPassword)

We added a regular expressions to the forms were the user can enter a new password, to require complexity:

BaseFormUSSPSetPassword (Process Set password in Self-Service)
BaseFormChangePassword (Process BaseProcChangePassword)

Due to the deletion of the service task ${generateAndArchivePasswordAccordingPasswordPolicyTask}, we updated the affected processes with the service task ${generateAndArchivePasswordWithMaxLengthAndAllowedCharactersTask} in the following processes:

BaseProcCreateOperator
PcmProcActivatePMProfile.xml
PcmProcRenewMobileId.xml
PcmProcRenewVirtualSmartcard.xml
PcmProcUSSPRenewEmployeeCard.xml
PcmProcProvisioningCertificateToVSC.bpmn
PcmProcReplaceVSC.bpmn
BaseProcCreateActivateEmployee.xml

Smart ID deployment configuration release note

CODE

All notable changes to this project will be documented in this file. Be aware that the [Unreleased] features are not yet available in the official tagged builds.

## [Release 23.10.2-2023-10-27]

### Added

### Changed
- Modified permissions of the 'certs' directory in init-smartid.sh to 755 (to allow Hermod to read the directory). [CRED-16526]
- Updated Prime Connectors version. [CRED-16153]

## [Release 23.04.9-2023-10-31]

### Added

### Changed
- Modified permissions of the 'certs' directory in init-smartid.sh to 755 (to allow Hermod to read the directory). [CRED-16526]

## [Release 23.04.7-2023-08-28]

### Added
- Added missing attestation key config to signencrypt.xml (fixes VSC). [CRED-16128]  

## [Release 23.04.5-2023-07-17]

### Added
- Added a readme-wsl-dev.txt how to setup SmartID Docker containers in a WSL environment. [CRED-15948]
- Added environment variable to docker-compose.yml of authentication service.

### Changed
- Restored environment references for Digital Access and Physical Access containers [CRED-15915]

## [Release 23.04.4-2023-06-30]

### Added
- Added restart-all.sh for easy stopping and starting of all containers or a subset of them. [CRED-15854]

### Changed
- The variable DOCKER_NETWORK_MTU has the default value 1500 now. You are not forced to choose between several options. [CRED-15854]
- When executing init-smartid.sh a message informs you about the current MTU value and when it is recommended to reduce it. [CRED-15854]
- The names of most of the docker containers start with "smartid-" by default. This prefix can be changed now via variable DOCKER_CONTAINER_BASE_NAME in file smartid.env. [CRED-15854]
- The hostname of the postgresql container now has the DOCKER_CONTAINER_BASE_NAME prefix as well.

## [Release 23.04.3-2023-06-23]

### Added

- Added AriadNext Connector Docker image. [CRED-14963] 
- Added file .gitattributes to make \*.sh and \*.env files always containing only LF instead of any CRLF. Fixed file datadog.env accordingly. [CRED-15795]

### Changed

- Escaped the ESC character (0x1B) in echo statements of shell scripts to avoid problems with Azure file preview and git diff output. [CRED-15795]


## [Release 23.04.2-2023-06-02]

### Added

### Changed

## [Release 23.04.1-2023-05-11]

### Added

- Added init-smartid.env to configure the docker network MTU. [CRED-14088 via CRED-15316]
- Added helperFunctions.sh and helperCreateLink.sh to be used by init-smartid.sh. [CRED-14088 via CRED-15316]

### Changed

- Replace deprecated docker network syntax in docker-compose.yml files. [CRED-14088 via CRED-15316]
- init-smartid.sh / stop-smartid.sh detect if docker needs sudo. [CRED-14088 via CRED-15316]
- init-smartid.sh now optionally removes files created by previous runs (postgres db, bootstrapped certs, etc). [CRED-14088 via CRED-15316]
- No explicit setting of env_file in docker-compose.yml files. [CRED-14088 via CRED-15316]
- Messaging database is now configured via MESSAGING_DB_URL var. [CRED-14088 via CRED-15316]
- stop-smartid.sh now uses the compose command "down" instead of "stop", which also removes the containers after shutting them down. [CRED-14088 via CRED-15316]

## [Release 23.04.0-2023-04-28]

### Added

- Added Workspace One Connector Docker image. [CRED-14215] 

### Changed

## [Release 22.10.8-2023-11-27]
 
### Added
  
### Changed
- Modified permissions of the 'certs' directory in init-smartid.sh to 755 (to allow Hermod to read the directory). [CRED-16526]

## [Release 22.10.0-2022-09-20]

### Added

- Added ContentProviderJWSSigner descriptor in signencrypt.xml. [CRED-12232]
- Added renewFromKeypairs.sh to renew end-entity certs.

  WARNING:

  - This only works if you (re-)bootstrap with the updated createca.sh, as the old version discarded data required for renewal.
  - Re-bootstrapping will invalidate any encrypted secrets and history signatures in IDM due to chaning the keys.
  - Re-bootstrapping will also overwrite the certificates and keys in the docker deployment folder, so make a backup first,
    so you can use the respective tools for re-signing and re-encrypting existing history/secrets.

### Changed

- automatically (re-)start mailhog
- fixed naming of traefik rules for mobile-iron
- Changed createca.sh to retain keypairs and CA metadata, so we can enable renewal (see above).
- Removed cRLSign attribute from ca.conf to avoid issues with failing CRL checks.
  NOTE: This only has an effect on newly bootstrapped CAs.

## [Release 22.04.0-2022-05-05]

### Added

- Added Mobile Iron Docker image. [CRED-11817]
- Added new properties for MI image in smartid.env. [CRED-11817]

### Changed

- Changed properties for Nexus GO Cards API V2. [CRED-12951]

## [Release 21.10.0-2021-11-09]

### Added

- Added Digicert Global Root CA certificate. [CRED-11688]
- Added some Let's Encrypt root certificates. [DEVOPS-971]
- Added documentation for maxProfiles option to hermod-conf.yml
- Added `.yamllint` file to set default YAML linting config. [DEVOPS-1085]
- Added volume mapping for logs folder in IDM and Self Service. [DEVOPS-403]
- Fixed cacerts folder permissions in init-smartid.sh script.
- Added support for docker compose v2 command in init-smartid.sh script.

### Changed

- New properties for CAAS credentials in smartid.env (placeholders must be replaced before using Nexus GO Cards). [CRED-11688]
- Fixed some copy issues in the init-smartid.sh script.
- Changed the default selfservice config to include auth methods params example.
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Fixed typo. [DEVOPS-1090]
- Replaced Self-Service `IDM_URL`, `INSTANCE_ID`, `IDM_TENANT` by `APPLICATION_YAML` json. [DEVOPS-1127]
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Fixed YAML format. [DEVOPS-1085]
- IDM and SelfService now support custom translations and do not require mapping the whole translation files again. See doc for more info. [DEVOPS-1118]
- Change Import Logger to correct class [DEVOPS-1143]
- Switched to new image naming for IDM
  - `nexus-prime/explorer` changed to `smartid/identitymanager/operator`
  - `nexus-prime/designer` changed to `smartid/identitymanager/admin`
  - `nexus-prime/tenant` changed to `smartid/identitymanager/tenant`
  - `nexus-prime/updatedb` changed to `smartid/identitymanager/updatedb`
  - `nexus-prime/ussp2` changed to `smartid/selfservice`
- Changed Smart ID version to 21.10.0

### Removed

- Removed Self-Service config.json file. [DEVOPS-945]
- Removed expired Let's Encrypt certificates. [DEVOPS-971]
- Removed translation files for IDM and SelfService. [DEVOPS-1118]

## [Release 21.04.0-2021-05-20]

### Added

- Default values for Selfservice tenant id and instance id. [DEVOPS-738]
- Added example format for MSSQL everywhere we build the DB URL (`${DBHOST}/${XX_DB_NAME}`) because MSSQL requires a different URL format. [DEVOPS-737]
- Include SANs from CSR in bootstrap TLS cert in `bootstrap/conf/ca.conf`.
- Generate tls certificate for non-treafik setup in `bootstrap/createca.sh`.
- Log4j2 config and template for json layout [DEVOPS-758]
- Datadog agent compose file, with some examples, see nexus and datadog documentation if you want to use it [DEVOPS-759]
- Added a check in `init-smartid.sh` that exits the script if user didn't fill the mandatory properties in `smartid.env` (thoose with <XX> value pattern). [DEVOPS-759]
- Added Physical Access Interflex PACS. [DEVOPS-752]

### Changed

- IDM DB will no longer be initialized through init-smartid.sh script. Initialisation has to be done manually by starting container in identitymanager/updatedb. [DEVOPS-739]
- Rename containers to use dash instead of underscore, so containerName can work for DNS lookup (underscore is not allowed in DNS names).
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align idm update db naming to use the name "updatedb" everywhere
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align digital access directory names with service names
- fix bootstrap cert folder permissions in init script
- Changed all HERMOD*\* properties to MESSAGING*\*. [DEVOPS-751]
- Moved each component's respective config into their own config folder. [DEVOPS-751]
- Made all volume mappings static in compose file, no more properties. [DEVOPS-751]
- Reorganized smartid.env to be split by component, making it easier to find component related properties. [DEVOPS-751]
- Internal ports (inside docker) are now static in the compose file. [DEVOPS-751]
- Moved postgres related properties outside smartid.env, because it is a separate tool not meant for production. [DEVOPS-751]
- Renamed service names in compose files to match their container name. [DEVOPS-751]
- Changed traefik version to 2.4.8. [DEVOPS-638]
- Changed file extension of generated certificates from `.base64` to `.cer`.
- Updated translation files for IDM. [DEVOPS-761]
- Updated Messaging config for 21.04 (Hermod version 3.1.1). [DEVOPS-802]
- Changed chmod command to give permission 700 instead of 600, because hermod needs execute permission.
- Updated SmartID version to 21.04

### Fixed

- Fixed typos in the strings that are echoed to the user during the initialisation. [DEVOPS-646]

### Removed

- Removed unused properties in smartid.env. [DEVOPS-751]
- Removed unused ports for Physical Access. [DEVOPS-752]
- Removed Physical Access config files. Configuration is now handled using environment variables. [DEVOPS-752]
- Removed TZ from all docker-compose files. Since it is set in `smartid.env` which is mapped using `env_file`, declaring the variable a second time in `env` was not necessary.

## [Release 20.11.2-2021-03-23]

### Added

- If you say Yes to the question if Digital Access shall be deployed in the host, it will make it possible for the containers to listen on 80 and 443. [DEVOPS-540]

### Changed

- Bump SmartID version to 20.11.2
- Updated IDM translation files with newer ones. [DEVOPS-561]
- Adjust volumes for hermod certificates. [DEVOPS-651]
- Removed Selfservice hotfixes introduced in previous release. [DEVOPS-626]

### Fixed

- Fixed tenant startup by removing mapped sign encrypt configuration, so it uses the default one from inside the container. Since IDM Tenant uses less certificates, the same config as IDM operator or admin cannot be used.[DEVOPS-640]
- Fixed the copy_files.sh script used in IDM operator, admin and tenant [DEVOPS-692] + [DEVOPS-656]

## [Release 20.11.1-2021-02-18]

### Added

- Added issuing and root CA certificates to IDM containers for config signing (These certs should NEVER be used for production). [DEVOPS-549]
- Added hotfix for SelfService -> IDM connection [DEVOPS-626] Has to be removed with 20.11.2+

### Changed

- Update sign-encrypt engine to the newest state. [DEVOPS-549]
- Update version number to 20.11.1

## [Release 20.11.0-2021-02-01]

### Added

- Added mailhog as tool in /tools/mailhog. The tool can be used to test to send emails in Digital Access and Identity Manager. [DEVOPS-482]

### Changed

- Set false on traefik network in the traefik, adminer and mailhog to be enabled in traefik by default. [DEVOPS-486]
- Changed file extension of generated certificates from `.crt` to `.base64`
- Changed so that identity manager Admin and Operator do not require signed configurations/modules for uploading and downloading them by default. [DEVOPS-515]

### Fixed

- Fix environment variable usage inside traefik config file. [DEVOPS-514]

## [Release 20.11.0-2020-12-22]

### Added

- Added support for selfservice branding. [DEVOPS-471]
- Added log4j volume mapping for idm containers. [DEVOPS-470]

### Changed

- Updated traefik version to 2.3.4 [DEVOPS-464]
- Renamed selfservice container from "idm_selfservice" to "selfservice".
- Renamed all environment variables starting with "IDM_SELFSERVICE_x" to "SELFSERVICE_x".
- Changed Hermod config to disable by default some end-points and to hide sensitive data in logs. [DEVOPS-484]
- Improved the `stop-smartid.sh` script to handle dynamically all docker-compose stop commands and to work regardless of where the script is called from.
- Improved the `init-smartid.sh` script to work regardless of where the script is called from.
- Improved the `createca.sh` script to work regardless of where the script is called from.
- Renamed `idm-selfservice-language.json` to `idm-selfservice-config.json`.

### Fixed

- Fixed volume mapping for selfservice tomcat server.xml by using a separate variable than identitymanager.
- Fixed French translations for IDM and Selfservice.

## [Release 20.11.0-2020-12-07]

### Added

- Added `postgres/init/init-smartid-databases.sql` so that Physical Access database is created when starting up postgres. The "pauser" is created, and a default password is set.
- Added LE CA Certificate to cacerts. [DEVOPS-455]
- Added AJP port variables in smartid.env and use them in identitymanager docker-compose files. Also added AJP Connector in `config/idm-tomcat-server.xml`, which has to be enabled manually (and port set accordingly). [DEVOPS-348]
- Add following new features to the identitymanager docker-compose files: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new system properties environment variable
  - Support for new DB properties environment variables
  - Support for new spring bean volume mapping. See `IDM_VOLUME_PATH_SPRING` in `smartid.env`.
  - Support for new jars volume mapping. See `IDM_VOLUME_PATH_LIBS` in `smartid.env`.
  - Support for new class files volume mapping. See `IDM_VOLUME_PATH_CLASSES` in `smartid.env`.
- Add following new features to the selfservice docker-compose file: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new IDM url environment variable
- Added adminer as tool [DEVOPS-407]
- Added maxVersion for TLS to be 1.2 due to compatibility issues with some mobile devices. [DEVOPS-413]

### Changed

- Changed smartid version to 20.11.0.
- Moved "/certs/boostrap" to "/boostrap".
- Changed postgres version in smartid.env from 9.6.18 to 12.5. [DEVOPS-431]
- Split identity manager containers into their own docker-compose files: [DEVOPS-382]
  - Added `identitymanager/admin/docker-compose.yml`
  - Added `identitymanager/tenant/docker-compose.yml`
  - Added `identitymanager/init-db/docker-compose.yml`
  - Added `identitymanager/operator/docker-compose.yml`
- Adapted `init-/stop-smartid.sh`, and paths inside `smartid.env` and some docker-compose files to fit new docker-compose yaml files. [DEVOPS-382]
- Change the ini-smartid.sh script to ask if traefik is going to be used as Ingress/proxy. [DEVOPS-408]
- Changed in `config/hermod-conf.yml` some values to <IDM-HOST-HERE> and <DA-HOST-HERE> on client samples.

### Removed

- Removed MSSQL from deployment package, since Physical Access now support postgres. [DEVOPS-448]
- Removed unnecessary variables in `smartid.env`.
- Removed identitymanager compose docker-compose file. [DEVOPS-382]
- Removed entrypoint definition from identitymanager docker-compose files. [DEVOPS-406]
- Removed pgAdmin and portainer and its variables from smartid.env. [DEVOPS-407]
- Removed modern and old options for tls in `config/traefik/traefik-tls.yml`. [DEVOPS-413]
- Removed TRAEFIK_TLS_OPTION from smartid.env. [DEVOPS-413]
- Removed identitymanager spring beans because we changed how handle them.
- Removed samples.

## [Release 20.06.1-2020-10-27]

### Added

- Added port forwarding to hermod container in the messaging docker-compose file.
- Added spring bean files for identitymanager in `config/idm/spring_operation` and spring_admin.
- Added translation files for identitymanager in `config/idm/translation_id`m and for selfservice in `config/idm/translation_selfservice`.
- It is now possible to enable Strict SNI using TRAEFIK_TLS_STRICTSNI=true

### Changed

- changed smartid version to 20.06.1.
- Changed HERMOD_DOMAIN_PREFIX from "mb" to "messaging".
- Changed the DB init/update script behavior, can be controlled with `IDM_DBUPDATE_SCRIPT` in smartid.env.
- Changed `traefik-tls.toml` file to YAML and used variables from .env file. Possibility to change TLS certificate file names TRAEFIK_TLS_DEFAULT_CERTIFICATE and TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY.
- Improved the `init-smartid.sh` script.
- Moved seflservice to a separate docker-compose file.

### Fixed

- Fixed the jdbc url for `config/da-admin-customize.conf`.

### Removed

- Dropped `restart: always` for identittymanager init-db.
- Removed explicit DBHOST naming in `smartid.env` to force user to set its own value.

## [Release 20.06.0-2020-09-28]

### Added

- Added possibility to add custom-beans for IDM Operator and Admin, in `config/idm`.
- Added possibility to change translation for IDM Operator, Admin, Selfservice and Tenant.
- Added IDM_DB_QUARTZ example for MSSQL, Oracle and DB2.
- Added `container_name` for all containers in:
  - identitymanager/docker-compose.yml
  - traefik/docker-compose.yml
- Added docker hostname for postgresdb DB_HOST in `postgres/docker-compose.yml`, this will make test deployment work from start.
- Added docker hostname for mssqldb PA_DB_HOST in `mssql/docker-compose.yml`.
- Added `restart: always` to all containers. All containers will the start up after re-boot, if they have been started once before.
- Included SAML example files for IDM in `/samples/idm_saml`.

### Changed

- Changed smartid version to 20.06.0.
- Changed explorer/operator url in `idm-selfservice-application.yml`.
- Changed location of Identity Manager SAML samples files from `/docker/compose/examples` to `/samples/idm_saml`.
- Updated `init-smartid.sh`:
  - Now check if docker and docker-compose are installed, if not the script will exit.
  - Now asks if the deployment is a production deployment, if "Yes", the script will complete and deployment configuration can be done. If "No":
    - Ask if postgres and/or mssql shall be deployed and started.

### Fixed

- Moved comments in `smartid.env` file to be on a separate line instead of behind the value. This was breaking the applications since comments would be evaluated as part of the value.
- Fixed `init-smartid.sh` so that it works properly on CentOS.
- Fixed a typo for variable `IDM_DB_QUARTZ`.
- Fixed typo in idm-operator container in `identitymanager/docker-compose.yml`, in the path to the castore.jks.

## Removed

- Removed `init-smartid-test.sh`, it is included in init-smartid.sh.

Contact

Contact Information

For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/.

Support

Nexus offers maintenance and support services for Smart ID components to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.