
Release note Smart ID 25.08

Release date: 2025-08-19

Smart ID 25.08 provides updates, improvements, and bug fixes to ensure high quality and security.

Important information: semantic versioning

From Smart ID 24.11 onwards, Smart ID Identity Manager and Smart ID Self-Service have their own versioning, starting with 5.0.0. The versioning follows the semantic versioning scheme.

The containers will have the Smart ID version tag in the Smart ID package. When opening up the version information in Smart ID Identity Manager and on the Smart ID Self-Service login page, the new semantic versioning will be displayed, as with Smart ID Digital Access or Smart ID Messaging components.

Included in Smart ID 25.08

Smart ID Identity Manager 5.1.0

Main new features

FIDO support: enrollment on behalf of another user with MS Entra

FIDO2 security keys are a great improvement, providing a secure and phishing-resistant authentication method. On the downside, the registration of a FIDO2 credential requires manual intervention and the presence of the future holder of the credential. The standard workflow requires a user to first authenticate with the service that they want to register the token for and then enroll the token itself. This leaves the user with two authentication methods, one of which is potentially username/password authentication.

A more enterprise-suitable approach is to allow operators to register the tokens on behalf of the user and then distribute the tokens to the user. Microsoft Entra offers an interface to allow FIDO enrollment on behalf of another user. This Smart ID release supports FIDO enrollment on behalf of another user with MS Entra.

Android keystore provisioning

Mobile phones offer a high level of security through their sandboxing approaches built into the operating system. This can also be an obstacle to the usability of security features. For instance, if you want to read your encrypted emails not only on your desktop but also on your mobile device, the same encryption certificate and key would have to be accessible for the email reading app on the mobile device.

The new feature makes it possible to provision keys and certificates to the Android keystore and share them with other apps, such as MS Outlook. Certificate-based security features can then be used seamlessly on both the desktop and the mobile device without too much interference for the user.

DATA REST API

The Data REST API provides a standard API interface for reading entity data like users, cards, certificates etc. via REST. All the data that can be seen in Identity Manager Operator UI search can be made available to other systems through this API. It is based on the search configurations created in Identity Manager Admin and can be further refined via additional filter, sorting and paging options. For more information, see Identity Manager Public Data REST API.

High availability for scheduled jobs 

Smart ID Identity Manager supports high availability setups especially to allow load balancing with multiple nodes. However, some functions like Scheduled Jobs must be restricted to one node. This could be a problem in failover setups if these functions need to be highly available as well. With the new version, Scheduled jobs can now be configured to run on several nodes giving full high availability also for the Scheduler functionality. As the underlying library has been changed, there are some effects on cron formats and system.properties. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information.

Config format versioning 

Identity Manager allows upload and download of configuration files containing workflows, data structure etc. With the new versioning of the configuration format, each new Identity Manager version indicates which config format version it is compatible with. This makes it possible to share configuration files between different Identity Manager versions if the config format version is the same. Also, checks are introduced on upload to ensure that only compatible versions are uploaded. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information.

Java 21

One building block of cyber security is keeping the system up to date. This is true for software versions as well as the underlying libraries. Smart ID Identity Manager is based on Java and as such many dependencies rely on the Java version used. With Java 21 we are on the latest version with long term support. This allows using modern versions of dependent libraries as well.

Java 21 itself comes with improvements and new features that lead to overall performance improvement.

There are some impacts when upgrading from an older version. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information.

Stabilizing Flowable: removed Messaging

With Identity Manager 5.0 we already introduced Flowable as the new forward looking process engine. The integration has been stabilized in Identity Manager 5.1.0. The messaging between Identity Manager and the process engine has been removed as it introduced more complexity while advantages could not be proven.

Removed features and changes in delivery 

  • The undocumented module “cryptovision_integration” has been removed.

  • Some custom classes have been deprecated as there are Java replacements available.

  • Removal of Security Filter Chain filters:
    The filter chains have been reworked and filters have been removed and replaced by spring security standards. Some legacy projects might have introduced custom endpoints with custom filter chains. These need to be adjusted.

  • Referencing “SetProcessMessageExecutionListener” via class name in BPMN is deprecated.

For more information, see Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0.

Detailed description of features

Features

| Jira ticket number | Description |
| --- | --- |
| CRED-17763 | Access permission filters have been restructured and made stricter for enhanced security. |
| CRED-18591 | Versioning for the configuration files is added with this release. See Identity Manager 5.1.0 - Compatibility for more information. |
| CRED-18817 | The scheduler library used in Identity Manager has been changed. The scheduler can now run on multiple nodes. There are some differences to the old scheduler. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information. |
| CRED-18862 | Identity Manager is now based on Java 21. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information. |
| CRED-19037 | Added support for JCO p60 cards with special profiles and Idopte middleware. See Encoding using Idopte middleware in Identity Manager and child pages for more information. |
| CRED-19100 | Search configurations can be triggered and search results retrieved via REST using the Identity Manager Public Data REST API. See Identity Manager Public Data REST API for more information. |
| CRED-19130 | Security fixes for the spring library. |
| CRED-19294 | In Identity Manager Admin, predefined JavaDelegateClasses have been added to the drop-down list of available service tasks in the BPMN editor. |
| CRED-19475 | All log entries within a single scheduled task now contain the same correlation ID. |
| CRED-19488 | The messaging between Identity Manager and the BPMN engine has been removed. |
| CRED-19608 | Two new service tasks added to provision a FIDO credential to a FIDO key: “Desktop App: Fido - Create Credential” and “Desktop App: Fido - Start Connection”. See Smart ID Messaging - Standard service tasks in Identity Manager for details. Also see Fido passkey provisioning with Microsoft Entra. |
| CRED-19651 | A new service task is added to get creation options for FIDO credential from Entra: “Entra: Fido - Get Creation Options”. See Miscellaneous standard service tasks in Identity Manager for details. Also see Fido passkey provisioning with Microsoft Entra. |
| CRED-19657 | A new service task is added to register a FIDO credential with Entra: “Entra: Fido - Create Credential”. See Miscellaneous standard service tasks in Identity Manager for details. Also see Fido passkey provisioning with Microsoft Entra. |
| CRED-19658 | Update of Captain Casa library. |
| CRED-20235 | Security fixes for commons-io. |
| CRED-20516 | Security fix for the jetty library. |
| CRED-20520 | Security fixes (library upgrades) for Smart ID Self-Service and Identity Manager Operator. |
| CRED-20695 | The ‘versionStamp’ of internal users will no longer be increased when the ‘lastLoginTimestamp’ is updated. This adjustment is made to prevent optimistic lock issues. |
| CRED-20970 | Added support for TCOS middleware 1.20.0. See Encoding using T-Systems TCOS middleware in Identity Manager for more information. |

Corrected bugs 

| Jira ticket number | Description |
| --- | --- |
| CRED-17064 | In Identity Manager Admin, when a service task was added via the BPMN editor, the pre-selection from the service task was not taken into account in the task list. This has been fixed. |
| CRED-17364 | There was an issue in Identity Manager Admin where the Test Connection Button on LDAP connections in the authentication profile would overwrite connection data if there were two LDAP authentication profiles. This has been fixed. |
| CRED-18832 | Non-configurable class-based JavaDelegate service tasks were editable in the task list even though nothing could be changed. This has been fixed. |
| CRED-19947 | In Identity Manager Operator, there was a problem with data from timed out sessions not being removed properly, leading to out-of-memory situations in some cases. This has been fixed. |
| CRED-20103 | Error boundary events on processes were not caught correctly. This has been fixed. |
| CRED-20156 | There was an issue with Secure Key injection with ATOS middleware, where the encryption key could not be used in some cases. This has been fixed. |
| CRED-20169 | Service Task Credentials: Create Minidriver Card Manager Key threw an exception on Oracle databases when the parameter ‘blockCountFieldName’ was empty. This has been fixed. |
| CRED-20203 | There was an issue with setting connectionSecurity for the SMTP settings via the REST endpoint /deploy/property. This has been fixed. |
| CRED-20223 | Sending requests to Certificate Manager could not be parallelized which limited throughput. This has been fixed. |
| CRED-20274 | Connection data for Hermod, printers and SAML was exported with the config even when the option to exclude connection data was set. This has been fixed. |
| CRED-20286 | Performance of login with basic auth has been improved for webservices, for example Hermod call backs. |
| CRED-20303 | Pre-login processes can be removed from the Dashboard in Smart ID Self-Service. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0. |
| CRED-20311 | There was an issue with logging multiple identical requests to Certificate Manager that came in the same second. This has been fixed. |
| CRED-20755 | Reverted an optimization of precondition validators introduced with version 23.10.15 as it would lead to more ConcurrentModificationExceptions under load. |
| CRED-20789 | When using Juel expressions in Identity Manager Admin which contained two variable names, these were not resolved correctly. This has been fixed. |

Digital Access 6.10.1

Feature improvements

| Jira ticket number | Description |
| --- | --- |
| DA-959 | Core component communication has been improved, making startup quicker, primarily for Access Point and Administration service. |
| DA-1958 | The Administration service authentication password is now encrypted before being posted to the server, to counter eavesdropping through compromised browsers and client systems. |
| DA-2310 | Client IP addresses for access to XPI are now logged in the Policy service HTTP log. |
| DA-2331 | It is now possible to configure amr (Authentication Method Reference) for upstream SAML identity providers. This means that the amr value is returned to the RP when the selected identity provider has been used for authentication. |
| DA-2368 | Freja client implementation now supports orgIdIssuer needed for multitenant Freja installations. |

Corrected bugs

| Jira ticket number | Description |
| --- | --- |
| DA-2252 | Minor log message fixes. |
| DA-2259 | Smart ID Mobile App same device flow has been corrected and improved. |
| DA-2260 | Bouncy Castle library update. |
| DA-2269 | SSO password security has been improved. |
| DA-2290 | Minor improvements to new on-behalf-of OTP flow. |
| DA-2374 | Content-type of the response document in the form_post OIDC flow was sometimes invalid which has now been corrected to reflect the true content type. |
| DA-2376 | Apache Tomcat library update. |
| DA-2386 | Integration with the Docker DNS functionality has been improved as sometimes DNS entries could be rendered stale and not properly updated despite new target IP. |

Hermod 4.2.2

Features

| Jira ticket number | Description |
| --- | --- |
| PMOB-4500 | Fixed a problem that prevented new profiles from being generated when using a P12 certificate in the request. |
| PMOB-4537, PMOB-4517 | Security updates. |

Other components in Smart ID

Physical Access

This release does not contain any specific updates for the Physical Access component.

Upgrade Smart ID

See Upgrade Smart ID for general information regarding upgrading Smart ID. For specific details regarding this release, see Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0.

Smart ID compatibility

Compatibility table

Smart ID Identity Manager 5.1.0 is compatible with the following component versions: 

Identity Manager configuration version compatibility

Before Identity Manager version 5.1.0, it was not supported to transfer configuration files between versions. For Identity Manager version 5.1.0 and later versions, the configuration format will have a version which will be validated on import. The compatibility of configuration format version and Identity Manager is listed in the table below.

| Identity Manager version | Configuration format version |
| --- | --- |
| 5.0.0 and earlier versions | Only config files from the same version |
| 5.1.0 | 2 |

Certificate Manager feature compatibility

| Feature | Introduced with Identity Manager version | Requires Certificate Manager version | Jira ticket |
| --- | --- | --- | --- |
| Certificates with KRB field | 23.04.4 | 8.7.1 | CRED-15500 |
| Key archival and recovery with ECC keys | 5.0.0 | 8.10 | CRED-16776 |

Smart ID Desktop App compatibility

| Smart ID Desktop App version | Requires Identity Manager version | Other requirements | Not supported Identity Manager version |
| --- | --- | --- | --- |
| 1.12.1 and later versions | All versions from 23.04; 22.10.5 or later version of 22.10; 21.10.6 or later version of 21.10 | - | 20.11.x; 21.04.x; 22.04.x |
| 2.0 | Same versions as above | TLS 1.3 is required for 2.0 | |

Smart ID deployment configuration

Smart ID deployment configuration release note
# RELEASE NOTES FOR SMARTID DEPLOYMENT CONFIG

All notable changes to this project will be documented in this file. Be aware that the [Unreleased] features are not yet available in the official tagged builds.

## [Release 25.08.0-2025-08-19] 
### Added 
- Added OSIP Connector. [CRED-19378]

### Changed 
- increased Traefik version to 3.2.3 
- Move connectors to a dedicated connectors folder. [CRED-19378] 
- Postgres version is set as 16. It will automatically download latest minor version. [CRED-19718] 

### Removed
- Removed below tools for security vulnerabilities. [CRED-19718] 
  - adminer 
  - datadog 
  - mailhog 

## [Release 23.10.14-2025-03-27]
 
### Changed
- Postgres version is set as 16. It will automatically download latest minor version. [CRED-19718]
 
### Removed
- Removed below tools for security vulnerabilities. [CRED-19718]
  - adminer
  - datadog
  - mailhog
  
## [Release 24.11.1-2025-03-14]

### Changed
- Increased Traefik version to 3.2.3

## [Release 23.10.12-2025-02-04]
 
### Added
- Added OSIP Connector. [CRED-19378]
 
### Changed
- Move connectors to a dedicated connectors folder. [CRED-19378]

## [Release 23.10.11-2025-01-09]

### Changed
- Changed Traefik version to 3.2.3

## [Release 23.04.27-2025-01-08]

### Changed
- Increased Traefik version to 3.2.3

## [Release 24.11.0-2024-11-29]

### Added
- Added a Tomcat web.xml setting a Rate Limit Filter to prevent DoS Attacks. [CRED-16798]
- Added the Nexus SVG logo in the selfservice app. [CRED-17286]

- New files generated by bootstrap scripts:
    - idm-encryptdb-bootstrap.p12 (replaces idm-encryption-bootstrap.p12)
    - idm-encryptconfig-bootstrap.p12
    - idm-signhistory-bootstrap.12
    - idm-signjwt-bootstrap.12
    - idm-signjws-bootstrap.12
  [CRED-16809]

### Changed
- upgrade to Postgres 16 [CRED-17704]
- restart-all.sh detects whether sudo is needed for docker commands [CRED-18249]
- Enable TLS 1.3 for Traefik (was TLS 1.2 only) [CRED-18049]
- Updated prime-connectors to 2311.1.0 (based on Ubuntu 22.04) [CRED-13886]
- Corrected Hermod and Selfservice setup in WSL dev readme and the configuration. [CRED-17952]
- Descriptors in signencrypt.xml now reference P12 keystores created by bootstrapping
  instead of dummy files from the respective IDM containers. [CRED-14971]
- DNs of bootstrapped certificates cleaned up. [CRED-16809]
- Bootstrapping creates separate P12 per use-case. [CRED-16809]
- Bootstrapping bash scripts replaced with docker container. [CRED-16808]
- Postgresql and cert bootstrap questions in init-smartid.sh default to "no". [CRED-16808]
- Updated the selfservice theme file. [CRED-17286]
- Changed Postgresql version to 14.12. [CRED-17538]
- Changed traefik version to 3.0.2. [CRED-17538]

### Removed
- "ObjectHistorySigner" descriptor version 1 for expired dummy cert removed from signencrypt.xml. [CRED-14971]
- Removed redundant size declaration from jws/jwt signer descriptors. [CRED-16808]
- Bootstrapping of user certs for users removed. [CRED-16808]
- DNs of bootstrapped certificates cleaned up. [CRED-16809]
- The process tracker moved from package de.nexus.projectutils.processtracker 
  to package de.nexus.flowable.processtracker in the file log4j2.xml and has to be enabled via the 
  SYSTEM_PROPERTIES environment variable in the file identitymanager/operator/docker-compose.yml. [CRED-17203]
  
## [Release 23.10.6-2024-07-15]

### Added

### Changed
- upgrade to Postgres 16 [CRED-17704]
- restart-all.sh detects whether sudo is needed for docker commands [CRED-18249]
- Updated prime-connectors to 2311.1.0 (based on Ubuntu 22.04) [CRED-13886]
- Corrected Hermod and Selfservice setup in WSL dev readme and the configuration. [CRED-17952]
- Changed Postgresql version to 14.12. [CRED-17538]
- Changed traefik version to 3.0.2. [CRED-17538]

## [Release 23.04.19-2024-07-2]

### Added

### Changed

- Changed Postgresql version to 14.12. [CRED-17538]
- Changed traefik version to 3.0.2. [CRED-17538]


## [Release 23.10.2-2023-10-30]

### Added

### Changed
- Modified permissions of the 'certs' directory in init-smartid.sh to 755 (to allow Hermod to read the directory). [CRED-16526]
- Updated Prime Connectors version. [CRED-16153]


## [Release 23.04.7-2023-08-28]

### Added
- Added missing attestation key config to signencrypt.xml (fixes VSC). [CRED-16128]

### Changed

## [Release 23.04.5-2023-07-17]

### Added
- Added a readme-wsl-dev.txt how to setup SmartID Docker containers in a WSL environment. [CRED-15948]
- Added environment variable to docker-compose.yml of authentication service.

### Changed
- Restored environment references for Digital Access and Physical Access containers [CRED-15915]

## [Release 23.04.4-2023-06-30]

### Added
- Added restart-all.sh for easy stopping and starting of all containers or a subset of them. [CRED-15854]

### Changed
- The variable DOCKER_NETWORK_MTU has the default value 1500 now. You are not forced to choose between several options. [CRED-15854]
- When executing init-smartid.sh a message informs you about the current MTU value and when it is recommended to reduce it. [CRED-15854]
- The names of most of the docker containers start with "smartid-" by default. This prefix can be changed now via variable DOCKER_CONTAINER_BASE_NAME in file smartid.env. [CRED-15854]
- The hostname of the postgresql container now has the DOCKER_CONTAINER_BASE_NAME prefix as well.

## [Release 23.04.3-2023-06-23]

### Added

- Added AriadNext Connector Docker image. [CRED-14963] 
- Added file .gitattributes to make \*.sh and \*.env files always containing only LF instead of any CRLF. Fixed file datadog.env accordingly. [CRED-15795]

### Changed

- Escaped the ESC character (0x1B) in echo statements of shell scripts to avoid problems with Azure file preview and git diff output. [CRED-15795]


## [Release 23.04.2-2023-06-02]

### Added

### Changed

## [Release 23.04.1-2023-05-11]

### Added

- Added init-smartid.env to configure the docker network MTU. [CRED-14088 via CRED-15316]
- Added helperFunctions.sh and helperCreateLink.sh to be used by init-smartid.sh. [CRED-14088 via CRED-15316]

### Changed

- Replace deprecated docker network syntax in docker-compose.yml files. [CRED-14088 via CRED-15316]
- init-smartid.sh / stop-smartid.sh detect if docker needs sudo. [CRED-14088 via CRED-15316]
- init-smartid.sh now optionally removes files created by previous runs (postgres db, bootstrapped certs, etc). [CRED-14088 via CRED-15316]
- No explicit setting of env_file in docker-compose.yml files. [CRED-14088 via CRED-15316]
- Messaging database is now configured via MESSAGING_DB_URL var. [CRED-14088 via CRED-15316]
- stop-smartid.sh now uses the compose command "down" instead of "stop", which also removes the containers after shutting them down. [CRED-14088 via CRED-15316]

## [Release 23.04.0-2023-04-28]

### Added

- Added Workspace One Connector Docker image. [CRED-14215] 

### Changed

## [Release 22.10.0-2022-09-20]

### Added

- Added ContentProviderJWSSigner descriptor in signencrypt.xml. [CRED-12232]
- Added renewFromKeypairs.sh to renew end-entity certs.

  WARNING:

  - This only works if you (re-)bootstrap with the updated createca.sh, as the old version discarded data required for renewal.
  - Re-bootstrapping will invalidate any encrypted secrets and history signatures in IDM due to changing the keys.
  - Re-bootstrapping will also overwrite the certificates and keys in the docker deployment folder, so make a backup first,
    so you can use the respective tools for re-signing and re-encrypting existing history/secrets.

### Changed

- automatically (re-)start mailhog
- fixed naming of traefik rules for mobile-iron
- Changed createca.sh to retain keypairs and CA metadata, so we can enable renewal (see above).
- Removed cRLSign attribute from ca.conf to avoid issues with failing CRL checks.
  NOTE: This only has an effect on newly bootstrapped CAs.

## [Release 22.04.0-2022-05-05]

### Added

- Added Mobile Iron Docker image. [CRED-11817]
- Added new properties for MI image in smartid.env. [CRED-11817]

### Changed

- Changed properties for Nexus GO Cards API V2. [CRED-12951]

## [Release 21.10.0-2021-11-09]

### Added

- Added Digicert Global Root CA certificate. [CRED-11688]
- Added some Let's Encrypt root certificates. [DEVOPS-971]
- Added documentation for maxProfiles option to hermod-conf.yml
- Added `.yamllint` file to set default YAML linting config. [DEVOPS-1085]
- Added volume mapping for logs folder in IDM and Self Service. [DEVOPS-403]
- Fixed cacerts folder permissions in init-smartid.sh script.
- Added support for docker compose v2 command in init-smartid.sh script.

### Changed

- New properties for CAAS credentials in smartid.env (placeholders must be replaced before using Nexus GO Cards). [CRED-11688]
- Fixed some copy issues in the init-smartid.sh script.
- Changed the default selfservice config to include auth methods params example.
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Fixed typo. [DEVOPS-1090]
- Replaced Self-Service `IDM_URL`, `INSTANCE_ID`, `IDM_TENANT` by `APPLICATION_YAML` json. [DEVOPS-1127]
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Fixed YAML format. [DEVOPS-1085]
- IDM and SelfService now support custom translations and do not require mapping the whole translation files again. See doc for more info. [DEVOPS-1118]
- Change Import Logger to correct class [DEVOPS-1143]
- Switched to new image naming for IDM
  - `nexus-prime/explorer` changed to `smartid/identitymanager/operator`
  - `nexus-prime/designer` changed to `smartid/identitymanager/admin`
  - `nexus-prime/tenant` changed to `smartid/identitymanager/tenant`
  - `nexus-prime/updatedb` changed to `smartid/identitymanager/updatedb`
  - `nexus-prime/ussp2` changed to `smartid/selfservice`
- Changed Smart ID version to 21.10.0

### Removed

- Removed Self-Service config.json file. [DEVOPS-945]
- Removed expired Let's Encrypt certificates. [DEVOPS-971]
- Removed translation files for IDM and SelfService. [DEVOPS-1118]

## [Release 21.04.0-2021-05-20]

### Added

- Default values for Selfservice tenant id and instance id. [DEVOPS-738]
- Added example format for MSSQL everywhere we build the DB URL (`${DBHOST}/${XX_DB_NAME}`) because MSSQL requires a different URL format. [DEVOPS-737]
- Include SANs from CSR in bootstrap TLS cert in `bootstrap/conf/ca.conf`.
- Generate tls certificate for non-traefik setup in `bootstrap/createca.sh`.
- Log4j2 config and template for json layout [DEVOPS-758]
- Datadog agent compose file, with some examples, see nexus and datadog documentation if you want to use it [DEVOPS-759]
- Added a check in `init-smartid.sh` that exits the script if user didn't fill the mandatory properties in `smartid.env` (those with <XX> value pattern). [DEVOPS-759]
- Added Physical Access Interflex PACS. [DEVOPS-752]

### Changed

- IDM DB will no longer be initialized through init-smartid.sh script. Initialisation has to be done manually by starting container in identitymanager/updatedb. [DEVOPS-739]
- Rename containers to use dash instead of underscore, so containerName can work for DNS lookup (underscore is not allowed in DNS names).
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align idm update db naming to use the name "updatedb" everywhere
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align digital access directory names with service names
- fix bootstrap cert folder permissions in init script
- Changed all HERMOD*\* properties to MESSAGING*\*. [DEVOPS-751]
- Moved each component's respective config into their own config folder. [DEVOPS-751]
- Made all volume mappings static in compose file, no more properties. [DEVOPS-751]
- Reorganized smartid.env to be split by component, making it easier to find component related properties. [DEVOPS-751]
- Internal ports (inside docker) are now static in the compose file. [DEVOPS-751]
- Moved postgres related properties outside smartid.env, because it is a separate tool not meant for production. [DEVOPS-751]
- Renamed service names in compose files to match their container name. [DEVOPS-751]
- Changed traefik version to 2.4.8. [DEVOPS-638]
- Changed file extension of generated certificates from `.base64` to `.cer`.
- Updated translation files for IDM. [DEVOPS-761]
- Updated Messaging config for 21.04 (Hermod version 3.1.1). [DEVOPS-802]
- Changed chmod command to give permission 700 instead of 600, because hermod needs execute permission.
- Updated SmartID version to 21.04

### Fixed

- Fixed typos in the strings that are echoed to the user during the initialisation. [DEVOPS-646]

### Removed

- Removed unused properties in smartid.env. [DEVOPS-751]
- Removed unused ports for Physical Access. [DEVOPS-752]
- Removed Physical Access config files. Configuration is now handled using environment variables. [DEVOPS-752]
- Removed TZ from all docker-compose files. Since it is set in `smartid.env` which is mapped using `env_file`, declaring the variable a second time in `env` was not necessary.

## [Release 20.11.2-2021-03-23]

### Added

- If you say Yes to the question if Digital Access shall be deployed in the host, it will make it possible for the containers to listen on 80 and 443. [DEVOPS-540]

### Changed

- Bump SmartID version to 20.11.2
- Updated IDM translation files with newer ones. [DEVOPS-561]
- Adjust volumes for hermod certificates. [DEVOPS-651]
- Removed Selfservice hotfixes introduced in previous release. [DEVOPS-626]

### Fixed

- Fixed tenant startup by removing mapped sign encrypt configuration, so it uses the default one from inside the container. Since IDM Tenant uses less certificates, the same config as IDM operator or admin cannot be used.[DEVOPS-640]
- Fixed the copy_files.sh script used in IDM operator, admin and tenant [DEVOPS-692] + [DEVOPS-656]

## [Release 20.11.1-2021-02-18]

### Added

- Added issuing and root CA certificates to IDM containers for config signing (These certs should NEVER be used for production). [DEVOPS-549]
- Added hotfix for SelfService -> IDM connection [DEVOPS-626] Has to be removed with 20.11.2+

### Changed

- Update sign-encrypt engine to the newest state. [DEVOPS-549]
- Update version number to 20.11.1

## [Release 20.11.0-2021-02-01]

### Added

- Added mailhog as tool in /tools/mailhog. The tool can be used to test to send emails in Digital Access and Identity Manager. [DEVOPS-482]

### Changed

- Set false on traefik network in the traefik, adminer and mailhog to be enabled in traefik by default. [DEVOPS-486]
- Changed file extension of generated certificates from `.crt` to `.base64`
- Changed so that identity manager Admin and Operator do not require signed configurations/modules for uploading and downloading them by default. [DEVOPS-515]

### Fixed

- Fix environment variable usage inside traefik config file. [DEVOPS-514]

## [Release 20.11.0-2020-12-22]

### Added

- Added support for selfservice branding. [DEVOPS-471]
- Added log4j volume mapping for idm containers. [DEVOPS-470]

### Changed

- Updated traefik version to 2.3.4 [DEVOPS-464]
- Renamed selfservice container from "idm_selfservice" to "selfservice".
- Renamed all environment variables starting with "IDM_SELFSERVICE_x" to "SELFSERVICE_x".
- Changed Hermod config to disable by default some end-points and to hide sensitive data in logs. [DEVOPS-484]
- Improved the `stop-smartid.sh` script to handle dynamically all docker-compose stop commands and to work regardless of where the script is called from.
- Improved the `init-smartid.sh` script to work regardless of where the script is called from.
- Improved the `createca.sh` script to work regardless of where the script is called from.
- Renamed `idm-selfservice-language.json` to `idm-selfservice-config.json`.

### Fixed

- Fixed volume mapping for selfservice tomcat server.xml by using a separate variable than identitymanager.
- Fixed French translations for IDM and Selfservice.

## [Release 20.11.0-2020-12-07]

### Added

- Added `postgres/init/init-smartid-databases.sql` so that Physical Access database is created when starting up postgres. The "pauser" is created, and a default password is set.
- Added LE CA Certificate to cacerts. [DEVOPS-455]
- Added AJP port variables in smartid.env and use them in identitymanager docker-compose files. Also added AJP Connector in `config/idm-tomcat-server.xml`, which has to be enabled manually (and port set accordingly). [DEVOPS-348]
- Add following new features to the identitymanager docker-compose files: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new system properties environment variable
  - Support for new DB properties environment variables
  - Support for new spring bean volume mapping. See `IDM_VOLUME_PATH_SPRING` in `smartid.env`.
  - Support for new jars volume mapping. See `IDM_VOLUME_PATH_LIBS` in `smartid.env`.
  - Support for new class files volume mapping. See `IDM_VOLUME_PATH_CLASSES` in `smartid.env`.
- Add following new features to the selfservice docker-compose file: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new IDM url environment variable
- Added adminer as a tool. [DEVOPS-407]
- Added maxVersion for TLS to be 1.2 due to compatibility issues with some mobile devices. [DEVOPS-413]

### Changed

- Changed smartid version to 20.11.0.
- Moved "/certs/boostrap" to "/boostrap".
- Changed postgres version in smartid.env from 9.6.18 to 12.5. [DEVOPS-431]
- Split identity manager containers into their own docker-compose files: [DEVOPS-382]
  - Added `identitymanager/admin/docker-compose.yml`
  - Added `identitymanager/tenant/docker-compose.yml`
  - Added `identitymanager/init-db/docker-compose.yml`
  - Added `identitymanager/operator/docker-compose.yml`
- Adapted `init-/stop-smartid.sh`, and paths inside `smartid.env` and some docker-compose files to fit new docker-compose yaml files. [DEVOPS-382]
- Changed the `init-smartid.sh` script to ask whether traefik is going to be used as Ingress/proxy. [DEVOPS-408]
- Changed some values in `config/hermod-conf.yml` to `<IDM-HOST-HERE>` and `<DA-HOST-HERE>` in the client samples.

### Removed

- Removed MSSQL from the deployment package, since Physical Access now supports postgres. [DEVOPS-448]
- Removed unnecessary variables in `smartid.env`.
- Removed identitymanager compose docker-compose file. [DEVOPS-382]
- Removed entrypoint definition from identitymanager docker-compose files. [DEVOPS-406]
- Removed pgAdmin and portainer and its variables from smartid.env. [DEVOPS-407]
- Removed modern and old options for tls in `config/traefik/traefik-tls.yml`. [DEVOPS-413]
- Removed TRAEFIK_TLS_OPTION from smartid.env. [DEVOPS-413]
- Removed identitymanager spring beans because we changed how we handle them.
- Removed samples.

## [Release 20.06.1-2020-10-27]

### Added

- Added port forwarding to hermod container in the messaging docker-compose file.
- Added spring bean files for identitymanager in `config/idm/spring_operation` and spring_admin.
- Added translation files for identitymanager in `config/idm/translation_idm` and for selfservice in `config/idm/translation_selfservice`.
- It is now possible to enable Strict SNI using TRAEFIK_TLS_STRICTSNI=true

### Changed

- Changed smartid version to 20.06.1.
- Changed HERMOD_DOMAIN_PREFIX from "mb" to "messaging".
- Changed the DB init/update script behavior, can be controlled with `IDM_DBUPDATE_SCRIPT` in smartid.env.
- Changed `traefik-tls.toml` file to YAML and used variables from the .env file. The TLS certificate file names can now be changed with TRAEFIK_TLS_DEFAULT_CERTIFICATE and TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY.
- Improved the `init-smartid.sh` script.
- Moved selfservice to a separate docker-compose file.

### Fixed

- Fixed the jdbc url for `config/da-admin-customize.conf`.

### Removed

- Dropped `restart: always` for identitymanager init-db.
- Removed explicit DBHOST naming in `smartid.env` to force the user to set their own value.

## [Release 20.06.0-2020-09-28]

### Added

- Added possibility to add custom-beans for IDM Operator and Admin, in `config/idm`.
- Added possibility to change translation for IDM Operator, Admin, Selfservice and Tenant.
- Added IDM_DB_QUARTZ example for MSSQL, Oracle and DB2.
- Added `container_name` for all containers in:
  - identitymanager/docker-compose.yml
  - traefik/docker-compose.yml
- Added docker hostname for postgresdb DB_HOST in `postgres/docker-compose.yml`, this will make test deployment work from start.
- Added docker hostname for mssqldb PA_DB_HOST in `mssql/docker-compose.yml`.
- Added `restart: always` to all containers. All containers will then start up after a reboot, if they have been started once before.
- Included SAML example files for IDM in `/samples/idm_saml`.

### Changed

- Changed smartid version to 20.06.0.
- Changed explorer/operator url in `idm-selfservice-application.yml`.
- Changed location of Identity Manager SAML samples files from `/docker/compose/examples` to `/samples/idm_saml`.
- Updated `init-smartid.sh`:
  - Now checks whether docker and docker-compose are installed; if not, the script exits.
  - Now asks if the deployment is a production deployment, if "Yes", the script will complete and deployment configuration can be done. If "No":
    - Ask if postgres and/or mssql shall be deployed and started.

### Fixed

- Moved comments in `smartid.env` file to be on a separate line instead of behind the value. This was breaking the applications since comments would be evaluated as part of the value.
- Fixed `init-smartid.sh` so that it works properly on CentOS.
- Fixed a typo for variable `IDM_DB_QUARTZ`.
- Fixed typo in idm-operator container in `identitymanager/docker-compose.yml`, in the path to the castore.jks.
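
A check for the `smartid.env` failure described in the fix above, as an added example that is not part of the Smart ID deployment package: it flags assignments where a trailing comment would become part of the value for a parser that takes everything after `=` literally. The sample file content is constructed and the function name is hypothetical.

```python
import re

# Constructed sample in the style of smartid.env; values are illustrative only.
SAMPLE_ENV = """\
# Database host (comment on its own line: safe)
DB_HOST=postgresdb
DB_PORT=5432 # default postgres port
GREETING="hello # not a comment"
TRAEFIK_TLS_STRICTSNI=true # enable strict SNI
EMPTY=
"""

# KEY=value, with an optional leading "export"; full-line comments do not match.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def find_inline_comments(text):
    """Return (line_number, key, literal_value) for every assignment whose
    unquoted value is followed by whitespace and '#'. literal_value is what a
    parser that keeps everything after '=' would hand to the application."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if match is None:
            continue  # blank line, full-line comment, or not an assignment
        key, value = match.groups()
        stripped = value.strip()
        fully_quoted = (
            len(stripped) >= 2
            and stripped[0] in ('"', "'")
            and stripped.endswith(stripped[0])
        )
        if fully_quoted:
            continue  # '#' inside a fully quoted value is data, not a comment
        if re.search(r"\s#", value):
            findings.append((number, key, value))
    return findings


if __name__ == "__main__":
    for number, key, value in find_inline_comments(SAMPLE_ENV):
        print(f"line {number}: {key} would be set to {value!r}")
```
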

### Removed

- Removed `init-smartid-test.sh`, it is included in init-smartid.sh.

Contact and support

For information regarding support, training, and other services in your area, visit www.nexusgroup.com/. Nexus offers maintenance and support services for Smart ID components to customers and partners.

For more information, go to Nexus Technical Support or contact your local sales representative.
