
This page lists the news for Nexus Hybrid Access Gateway.

2020-04-28

Important information for partners and customers that are using Nexus GO.

In Safari on the latest version of iOS (13.4.1), Apple released a privacy update. The browser now blocks all third-party cookies, regardless of the SameSite configuration. More information about this change can be found in news articles on the web, for example here: The Verge.

Due to this change, authentication with Nexus GO can no longer be used within an iFrame. A workaround is to use a browser other than Safari on the latest version of iOS. However, as stated in our latest information about the SameSite directive change (SameSite cookie directive change), more and more browser vendors are going in the same direction. Instead of using iFrames, Nexus recommends redirecting to Nexus GO for authentication. You will find further information on how to set up a redirect in Nexus GO here: Nexus GO authentication setup.

For questions on any technical problems you may run into or implications of the actions required, contact support@nexusgroup.com

2020-03-04

A Nexus Hybrid Access Gateway hotfix is available, now also for older browser versions, to avoid downtime and solve the full spectrum of problems due to the SameSite cookie directive change.

For more information, see Important note on Hybrid Access Gateway and the SameSite cookie directive change.


2020-02-10

Microsoft recommends that administrators harden Active Directory Domain Controllers

Microsoft has released an article recommending that administrators enable LDAP channel binding and LDAP signing on Active Directory Domain Controllers because of a vulnerability found in the default configuration for Lightweight Directory Access Protocol (LDAP).

Microsoft will release a security update in March 2020 to change the default configuration of LDAP channel binding and LDAP signing. This article describes steps that can be taken in the meantime: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

After the configuration is changed (manually or by the update), you must enable the use of SSL and upload the SSL certificate of the AD in Hybrid Access Gateway's CA certificate section. For instructions, see Add user storage and Add certificates ("Add certificate authority"). To be valid, the SSL certificate must have the DNS name that is used as subject or SAN attribute. For more information, see Adapt Hybrid Access Gateway for endpoint identification.

2020-01-08

TruID for Android

TruID has been updated to support Android 10. If the OS was already upgraded to Android 10 before the latest update of Nexus TruID was installed, the user will be asked to provide the device’s IMEI number to migrate the existing profiles. This will only happen if the number could not be read programmatically due to device limitations. How to request the IMEI number is shown in the app. TruID for Android is available on Google Play.

Users that are running an OS below Android 10 will not be asked to provide the IMEI number. Existing profiles will be migrated automatically so that Android can be upgraded later without any issues.

Please contact Nexus Support if you are using a branded version of TruID.

TruID for MacOS Catalina

TruID has been updated to support MacOS Catalina. This change was required since the latest version of MacOS only supports 64-bit architectures.

The installer is part of Hybrid Access Gateway 5.13.4 appliances and above. If you are running a Hybrid Access Gateway version below 5.13.4, please contact Nexus Support to receive the file another way.

2019-12-13

Nexus Hybrid Access Gateway 5.13.5 has been released today. Read more in the release note.

2019-11-14

Nexus Hybrid Access Gateway 5.13.4 has been released today. Read more in the release note.

Main new feature in this release:

  • Swedish BankID Interface was updated
    Hybrid Access Gateway now uses the newest version of the Swedish BankID service interface.

    The SOAP interface to Swedish BankID will be turned off at the end of February, 2020. To be able to continue to use BankID as authentication method after that date, you must update Hybrid Access Gateway to 5.13.4.

2019-09-05

Nexus Hybrid Access Gateway 5.13.3 has been released today. Read more in the release note.

Main new feature in this release:

  • Configure Hybrid Access Gateway via Administration Web Service

Hybrid Access Gateway now offers REST-based web services that allow the configuration of certain object types without using the administration interface.

2019-04-23

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.13.2. Click here for release note.

Main new features in this release:

  • Support for signing during SAML authentication

If the SAML request contains a SignMessage element, Hybrid Access Gateway forwards the contained message to the signing interface of Swedish BankID as well as Nexus Personal Mobile and Nexus Personal Desktop. The same message can also be shown in the browser by changing the authentication method template.

Hybrid Access Gateway displays all authentication methods that are configured for the corresponding AuthContext.

  • Prevent username change during step-up authentication

When a user authenticates with an additional method, username change can be prevented. This property is set to 'true' by default. During authentication, the user id of the linked user is compared to the one in the existing session. If they are not the same, the authentication is declined.

2019-02-01

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.13.1. Click here for release note.

Main new features in this release:

  • It is now possible to log in to Swedish BankID using a QR code. This feature is optional.
  • The Ubuntu base image of the virtual appliance was updated from version 14.04 to version 18.04. This update includes many fixes of vulnerabilities related to the previous operating system version. See also Hardening of the Hybrid Access Gateway appliance. Since the virtualization tools are no longer included in the Ubuntu base image, the appliance now requires internet access to install them.


For customers who use Personal Mobile

Customers who use Nexus Personal Mobile need to do the following before upgrading to Hybrid Access Gateway 5.13 from a version before 5.12, to continue with Personal Mobile registration, authentication, and signing:

  • Deploy Hermod in their own environment and migrate existing Personal Mobile profiles from Hybrid Access Gateway to Hermod Messaging Server.

OR

  • Use the cloud service of Nexus, Nexus GO Messaging. In this case it is also possible to migrate existing Personal Mobile profiles from Hybrid Access Gateway.

For instructions, see Migrate Personal Mobile Profiles from Hybrid Access Gateway to Personal Messaging.pdf

Contact Nexus for support.

2018-11-16

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.13. Click here for release note.

Main new features in this release:

  • OpenID Connect is now supported by Hybrid Access Gateway
    The federation technology OpenID Connect can now be used as an authentication method in Nexus Hybrid Access Gateway. This means that Hybrid Access Gateway can be connected to external Identity Providers (IdPs) that support OpenID Connect, for example Google, Norwegian BankID and Verimi.
  • Added support for Oracle database
    The new version of Hybrid Access Gateway has support for Oracle database to be used as external database.

    Because of required changes at the database level, if you use an external report database, a dialect must be added before upgrading to the new version. Without the dialect entry, the connection to the reporting database will fail until the entry has been entered and the administration service has been restarted. For further information, see Change report database for Hybrid Access Gateway.

  • Direct integration of Nexus Personal Desktop
    Secure login is now even more convenient in Hybrid Access Gateway, with added smart card support via Nexus Personal Desktop, which is useful, for example, to make digital signatures in Nexus GO Signing.

  • Improved hardening of appliance
    With Hybrid Access Gateway 5.13 the hardening index of the appliance was improved to be even more secure. The overall hardening score (based on Lynis) was increased to 74.

    To improve the hardening index of Hybrid Access Gateway, an SSH configuration parameter (MaxAuthTries) was introduced with Hybrid Access Gateway version 5.13.0. This configuration parameter limits the maximum number of authentication attempts to two. This change can affect SSH authentication if the client has more than one private key configured that is not configured for the corresponding user in Hybrid Access Gateway. In this case, an authentication with username and password will fail. If this setting affects you, you can increase the number of authentication attempts.

    To increase the number of authentication attempts:

    1. Change the parameter MaxAuthTries within the file /etc/ssh/sshd_config to a suitable number.

    In case of Hybrid Access Gateway upgrades, this change has to be done after the appliance has been upgraded successfully.
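
The following added example (not Nexus code) shows which MaxAuthTries value an sshd_config-style file actually yields after an edit, and why a client offering several unknown keys never reaches the password prompt at the hardened limit of two. The function names and the sample configuration are constructed for illustration, and the failure count uses a simplified model in which each rejected key is one failed attempt.

```shell
#!/usr/bin/env bash
# Added example, not Nexus code. Sample configs are constructed.

# Print the global MaxAuthTries that an sshd_config-style file yields.
# sshd uses the first value it reads for a keyword, so a later duplicate
# line has no effect. Include files and Match overrides are not followed.
effective_max_auth_tries() {
    awk '
        { sub(/^[ \t]+/, "") }               # strip leading whitespace
        /^#/ || /^$/ { next }                # skip comments and blank lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == "maxauthtries" { print $2; found = 1; exit }
        END { if (!found) print 6 }          # OpenSSH default when unset
    ' "$1"
}

# Succeed if a password prompt is still reachable after the client has
# offered $2 keys the server does not accept, with a limit of $1.
# Simplified model: every rejected key counts as one failed attempt.
password_reachable() {
    [ "$2" -lt "$1" ]
}

demo() {
    local cfg tries
    cfg=$(mktemp)
    # Constructed config: the appended line is ignored because the
    # earlier one wins.
    printf '%s\n' '# hardened default' 'MaxAuthTries 2' \
                  'PermitRootLogin no' 'MaxAuthTries 6' > "$cfg"
    tries=$(effective_max_auth_tries "$cfg")
    echo "effective MaxAuthTries: $tries"
    for keys in 1 2 3; do
        if password_reachable "$tries" "$keys"; then
            echo "  $keys unknown key(s): password prompt reached"
        else
            echo "  $keys unknown key(s): disconnected before password"
        fi
    done
    rm -f "$cfg"
}

demo
```

On a live system, `sshd -t` validates the edited file and `sshd -T` prints the values the daemon resolves, so the change can be confirmed before the SSH service is restarted.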

2018-05-07

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.12. Click here for release note.

Main new features in this release:

  • OATH authentication with Google Authenticator et al
    The OATH authentication method in Hybrid Access Gateway now supports software tokens such as Google Authenticator or Microsoft Authenticator. With Personal Mobile 3.7 or higher, Nexus provides its own implementation of OATH as a software token.
  • Authentication with Freja eID
    With the introduction of Freja eID, Hybrid Access Gateway now supports three different Swedish eIDs. It supports (Mobilt) BankID and Freja eID over a native interface and AB Svenska Pass over SAML.
  • Authentication with Personal Mobile certificate
    Besides raw keys, Personal Mobile also supports profiles with certificates. In this case the certificates were issued by a CA such as Nexus Certificate Manager. Hybrid Access Gateway now supports authentication with these certificates without the need to know about the user and its user name.

For customers who use Personal Mobile

Customers who use Nexus Personal Mobile need to do the following before upgrading to Hybrid Access Gateway 5.12, to continue with Personal Mobile registration, authentication, and signing:

  1. Deploy Hermod in their own environment.
  2. Migrate existing Personal Mobile profiles from Hybrid Access Gateway to Hermod Messaging Server.

For instructions, see Migrate Personal Mobile Profiles from Hybrid Access Gateway to Personal Messaging.pdf.

Contact Nexus for support.

Configure TLS-enabled notification server

2018-05-03

For customers who use Hybrid Access Gateway together with Nexus Personal Mobile, it is recommended to start preparing for Hybrid Access Gateway 5.12, which is soon to be released.

For customers who use Personal Mobile

Customers who use Nexus Personal Mobile need to do the following before upgrading to Hybrid Access Gateway 5.12, to continue with Personal Mobile registration, authentication, and signing:

  1. Deploy Hermod in their own environment.
  2. Migrate existing Personal Mobile profiles from Hybrid Access Gateway to Hermod Messaging Server.

For instructions, see Migrate Personal Mobile Profiles from Hybrid Access Gateway to Personal Messaging.pdf.

Contact Nexus for support.

2018-03-21

When performing an online upgrade of Nexus Hybrid Access Gateway, certificates and signatures are used to establish trust between Hybrid Access Gateway and the online upgrade servers. The communication is secured using HTTPS, and downloaded versions are also signed and verified before the upgrade starts.

The previously used certificates expired on the 7th of March 2018. If you run Hybrid Access Gateway version 5.10.x or older, you must first update the certificates for trusting the upgrade server before you can perform an online upgrade of Hybrid Access Gateway. More information is found on Nexus Support Portal.

  1. Go to https://support.nexusgroup.com.
  2. Select Nexus Downloads, Nexus Hybrid Access Gateway and Updates.
  3. Instructions are found in the pdf.

2018-01-25

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.11.4. Click here for release notes.

Customers who are running Hybrid Access Gateway 5.11.2 need to run the following command from the appliance bash shell and then restart the administration service in order to download newer releases:
sudo chmod 755 /trust

2018-01-08

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.11.3. Click here for release notes.

Due to an issue, the upgrade server could not be reached with Nexus Hybrid Access Gateway 5.11.2. This has been fixed with Nexus Hybrid Access Gateway 5.11.3.

2017-12-21

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.11.2. Click here for release notes.

Important issues fixed in this release:

  • Nexus GO Authentication with Swedish BankID
    With the first version of the Nexus GO authentication method it was not possible to map the login credential of BankID (personal number) to an attribute of the Hybrid Access Gateway user. The user id was used by default. Therefore, the user in Hybrid Access Gateway needed to have the BankID as user id.
    A new Extended Property "User Attribute" has been added to allow mapping to, for example, an AD attribute.

2017-10-10

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.11. Click here for release notes.

Main new features in this release:

  • Access Client for Mac OS
    If the portal contains a resource that requires the Access Client, a link will be displayed that leads the user to the Apple AppStore, where the Access Client for Mac OS can be downloaded.
  • Nexus GO Authentication with Swedish BankID
    With this method customers can use their Nexus GO service as a SAML Identity Provider to authenticate using Swedish (Mobile) BankID, without having to set up a contract with BankID.

Other new features are described in these articles:

2017-09-13

Nexus announces End-of-Life for legacy product PortWise Access Manager and Authentication Server (AMAS).