Version: 5.13.1

Release Date: 2019-02-01

Introduction

Nexus is proud to announce the availability of Nexus Hybrid Access Gateway 5.13.1.

Main new features

Login to Swedish BankID using a QR Code

With the new version of Hybrid Access Gateway, it is now possible to log in to Swedish BankID using a QR code. This feature is optional.

Ubuntu Base Image updated

The Ubuntu base image of the virtual appliance was updated from version 14.04 to version 18.04. This update includes many fixes of vulnerabilities related to the previous operating system version.

Since the virtualization tools are no longer included in the Ubuntu base image, the appliance now requires internet access to install them.

Detailed feature list

Features

JIRA ticket no

Description

HAG-697

Specific Error Message returned in XPI 

When initiating Nexus Personal Mobile signing over Hybrid Access Gateway's XPI, the sender will retrieve a specific error message if the user cancels the process.

HAG-1049

Default NTP server configured

The Network Time Protocol (NTP) server setting of new Hybrid Access Gateway installations now contains a default value.

If a value was already configured before, it will not be changed.

HAG-1072

SAML attributes forwarded from Nexus GO Authentication method

With the new version of Hybrid Access Gateway, the Nexus GO authentication method offers an extended attribute to store data from the authentication process in the user's session. This extended attribute is enabled by default.

In cases where the Hybrid Access Gateway is used as a SAML proxy, the values from the user session can be included in the SAML ticket. All possible values that are stored in the user session can be found in the help file of the extended attribute.

HAG-1331

Login to Swedish BankID using a QR Code

With the new version of Hybrid Access Gateway, it is now possible to log in to Swedish BankID using a QR code. This feature is optional.

When the user tries to authenticate to Swedish BankID using a desktop browser, a QR code is displayed. The personal number can still be used as an alternative.

When the user tries to authenticate using a mobile device, there is an option to authenticate with the current device or another device. When selecting Other Device, a QR code is displayed.

HAG-1346

OATH Software Token possible to issue on User Linking

It is now possible to issue a software token once the user is linked in Hybrid Access Gateway. For this feature, the authentication method OATH was enabled for user linking.

The option is available for manual and automatic user linking, as well as for updating of previously linked users. When updating a previously linked user, an OATH token can only be issued if that user does not already have one.

HAG-1387

Ubuntu Base Image updated

The Ubuntu base image of the virtual appliance was updated from version 14.04 to version 18.04. This update includes many fixes of vulnerabilities related to the previous operating system version.

HAG-1393

Bounce page for OATH Provisioning SMS added

The SMS that is sent out during provisioning of an OATH profile now contains a link to a bounce page.

When the user clicks the link, the bounce page will open in a browser, showing a QR code for the user to scan. The user also has the option to open the QR code directly in the app installed on the same device by clicking a separate button. 

The protocol that is used for the URL is configurable. The value personal is used by default to work with the Nexus Personal Mobile app.

Corrected bugs

JIRA ticket no

Description

HAG-148

Inaccurate user linking with Novell eDirectory

With Novell eDirectory user storage it was possible to link two users to the same user storage account if the user ID contained a trailing space. This issue has been fixed.

A check was added that verifies whether the unique name returned from the user storage is the same as the searched user ID. If they are not the same, a corresponding message is displayed and the user linking is cancelled.

This behaviour applies to all user storage types and all types of linking, that is, manual linking, auto linking and the re-link tool.
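The check described for HAG-148, as an added sketch that is not Nexus code: `SampleStorage` is a constructed stand-in for a user storage whose search ignores surrounding spaces, and `link_user`, `shared_accounts` and `verify_unique_name` are hypothetical names.

```python
class LinkError(Exception):
    """Raised when user linking is cancelled."""


class SampleStorage:
    # Constructed stand-in (assumption) for a user storage whose search
    # treats leading/trailing spaces in the user ID as insignificant.
    def __init__(self, accounts):
        self._accounts = set(accounts)

    def find_unique_name(self, user_id):
        candidate = user_id.strip()
        return candidate if candidate in self._accounts else None


def link_user(storage, links, searched_id, verify_unique_name=True):
    """Link searched_id to a storage account; links maps user ID -> unique name."""
    unique_name = storage.find_unique_name(searched_id)
    if unique_name is None:
        raise LinkError(f"no account found for {searched_id!r}")
    # The added check: the storage must return exactly the ID that was searched.
    if verify_unique_name and unique_name != searched_id:
        raise LinkError(f"storage returned {unique_name!r} for {searched_id!r}")
    links[searched_id] = unique_name
    return unique_name


def shared_accounts(links):
    """Return storage accounts that more than one user ID is linked to."""
    by_account = {}
    for user_id, unique_name in links.items():
        by_account.setdefault(unique_name, []).append(user_id)
    return {acct: ids for acct, ids in by_account.items() if len(ids) > 1}


def demo():
    storage = SampleStorage({"jdoe"})
    before, after, rejected = {}, {}, []
    for user_id in ("jdoe", "jdoe "):          # second ID has a trailing space
        link_user(storage, before, user_id, verify_unique_name=False)
        try:
            link_user(storage, after, user_id)
        except LinkError:
            rejected.append(user_id)
    return shared_accounts(before), shared_accounts(after), rejected


if __name__ == "__main__":
    print(demo())
```

`shared_accounts` can also be run over an export of existing links to find accounts that were double-linked before the fix.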

HAG-1027

Link to QR Code opens a Personal client

The Nexus Personal Mobile bounce page was trying to open the URL from the displayed QR code even if the corresponding app was not installed on the device. With this version of Hybrid Access Gateway a step is added to verify if the device is a mobile phone. Only in this case will the URL be opened.

HAG-1070

Display name of Certificate authentication method not used

In previous versions of Hybrid Access Gateway the display name of the certificate authentication method was not used. Instead the fixed text Certificate was used. Furthermore, if more than one certificate authentication method was configured, all were previously merged into a single authentication button. This behavior has been changed. Every certificate authentication method now gets its own button for authentication, labelled with the configured display name. 

HAG-1241

Broken online help

The online help was broken on several pages. This has been fixed, and support for Mozilla Firefox browsers has been added.

HAG-1307

Personal Mobile provisioning failed on Port 443

An issue has been fixed where the provisioning of a new Nexus Personal Mobile profile failed if the Nexus GO messaging service was configured to run on port 443.

HAG-1318

Not possible to have two authentication methods of type Nexus GO

An issue has been fixed where it was not possible to have two authentication methods of type Nexus GO at the same time.

HAG-1319

SSH client library update needed

The SSH library that is used to create connections to tunnel resources has been updated. 

This was required to support SSH single sign-on (SSO) connections to operating systems that are using state-of-the-art ciphers only.

HAG-1392

Session Failure during Session Transfer

An issue has been fixed where a fatal Session Failure was regularly logged. 

HAG-1394

Lacking support in some databases for some export functions for Personal Mobile profiles

The database query used for exporting Nexus Personal Mobile profiles contained functions that were not supported by every database. This query was changed to support all databases in the future.

HAG-1400

Wrong URL to Bounce Page

The URL to the Nexus Personal Mobile bounce page was wrong in the latest version. This issue has been fixed.

Known issues and deprecated features

JIRA ticket no

Description

HAG-1440

Since SSLv2 is no longer supported, the UI controls are deprecated as of this version. The controls will be removed in one of the next versions.

HAG-1420

The use of the SHA1 algorithm as the default value in SAML settings is deprecated. In future releases this value will be changed to SHA256.

HAG-1448

The App Push feature of Hybrid Access Gateway is deprecated as of this release. This feature is used to send push notifications to Personal Mobile profiles for authentication and signing. Customers may use the Nexus Push Service (NPS) instead. Find further information in Nexus Push Service.

The feature is likely to be removed with Hybrid Access Gateway version 6.1.0.

HAG-1442

If the original Hybrid Access Gateway appliance has VMWare Tools or Hyper-V Tools installed before upgrading, then after upgrading to version 5.13.1 the first boot tries to install those packages using the dpkg command. This command tries to start other services, which causes output to be shown when the login screen is already displayed. This only happens once after the upgrade.
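For HAG-1420, an added helper (not part of the product) that reports SHA-1 based signature and digest algorithms in a captured SAML message, so installations still on the SHA1 default can be found before it changes. The function name and both sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: signature metadata only, no real key material or values.
SAMPLE_SHA1 = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_constructed">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>"""

# Same constructed message with the SHA-256 algorithm identifiers.
SAMPLE_SHA256 = (
    SAMPLE_SHA1
    .replace("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    .replace("http://www.w3.org/2000/09/xmldsig#sha1",
             "http://www.w3.org/2001/04/xmlenc#sha256")
)


def sha1_findings(saml_xml):
    """Return (element name, algorithm URI) for each SHA-1 based method.

    Intended for messages captured from your own gateway; do not feed
    untrusted XML to ElementTree.
    """
    root = ET.fromstring(saml_xml)
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for element in root.iter(DS + tag):
            algorithm = element.get("Algorithm", "")
            # The algorithm name is the URI fragment, e.g. "rsa-sha1" or "sha256".
            if algorithm.rsplit("#", 1)[-1].lower().endswith("sha1"):
                findings.append((tag, algorithm))
    return findings


if __name__ == "__main__":
    for name, message in (("sha1", SAMPLE_SHA1), ("sha256", SAMPLE_SHA256)):
        print(name, sha1_findings(message))
```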

End of Sales statement

Refer to Supported versions of Hybrid Access Gateway.

End of Life statement

Refer to Supported versions of Hybrid Access Gateway.

Contact

Contact Information

For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/

Support

Nexus offers maintenance and support services for Nexus Hybrid Access Gateway to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.