Nexus Documentation

Release notes Smart ID 26.04

Release date: 2026-04-10

Smart ID 26.04 provides updates, improvements, and bug fixes to ensure high quality and security.

Included in Smart ID 26.04

Identity Manager 6.0

Release date: 2026-04-10

Main new features

Remote ID Verification

Remote ID Verification provides a quick and secure way to confirm user identities online by using trusted identity providers through the newly added OIDC authentication flow. This modern method minimizes manual verification, strengthens security, and creates a smoother user experience, which are all widely recognized benefits in today’s digital identity landscape.

With Identity Manager now supporting the full OIDC flow, it can easily integrate with IN Groupe’s Remote ID verification service, E-Ident.
E-Ident functions as a flexible identity broker that enables secure identification using national eIDs or verified identity documents through IN Groupe’s ID Verifier app.

See Remote ID verification for details.

Rootless docker container

All root‑level execution from inside the docker containers is removed, ensuring that they now run fully without root privileges. This greatly enhances security by reducing privilege‑escalation risks and minimizing the attack surface through stronger isolation between the container and the host system.

See Deploy Smart ID for more information.

Larger RSA key sizes with NextVSC

Identity Manager now integrates with NextVSC, enabling the use of RSA keys larger than 2048 bits, including RSA 3072 and RSA 4096, through NextVSC’s TPM‑backed key‑wrapping solution. This integration provides stronger cryptographic protection than Microsoft’s native Virtual Smart Card implementation, which is limited to RSA keys up to 2048 bits.

Support for larger RSA key sizes is the first NextVSC capability available in Identity Manager. Additional features will be introduced in future releases.

See Smart ID Messaging - Standard service tasks in Identity Manager and Set up certificate template in Identity Manager for more information.

Deprecated features

Trustserver functionality

"trustserver" was used in early PRIME projects to store sensitive data (like PIN and PUK) in Nexus Certificate Manager. Since PRIME version 3.12, sensitive data could be encrypted in PRIME but the trustserver functionality for reading secrets was kept for compatibility reasons. This functionality is deprecated and will be removed in the future.

MobileIron MDM connector

MobileIron is a Mobile Device Management (MDM) solution. The connector was delivered with Identity Manager to provision certificates to a mobile device via the MDM. This connector is deprecated and will be removed from delivery in the future.

Scripting Engines

Currently Identity Manager supports different Scripting Engines to be used with script tasks in the processes. In the future, Identity Manager will only support the Groovy Scripting engine. All others are deprecated and will be removed in the future.

Detailed description of features

Features

Jira ticket number

Description

CRED-18356

Identity Manager can now trigger ECC key generation via Hermod and Smart ID Desktop App where this is supported, for example YubiKey and the Windows Certificate Store. For more information, see Smart ID Messaging - Standard service tasks in Identity Manager and Set up certificate template in Identity Manager.

CRED-20663

When executing card operations with Smart ID Desktop App, it is now possible to select a default card reader. See Reader/card selection and information in Identity Manager for more information.

CRED-20846

In Smart ID Self-Service tables and Open Task lists, the date was sometimes not shown in local formatting. This has been fixed.

CRED-20870

Error handling of the service task "Import CSV" has been improved. See Smart ID Blueprints overview for more information.

CRED-21066

Processes within the Smart ID Identity Manager docker containers are not executed by root anymore. This requires permissions for mounted volumes to be set accordingly. See Memory limit configuration for Smart ID services and Upgrade Smart ID Identity Manager from 5.3.1 to 6.0.0 for more information.

CRED-21404

Updated the CM SDK to 8.12. This means that CM 8.12 or later versions are required. See Upgrade Smart ID Identity Manager from 5.3.1 to 6.0.0 for more information.

CRED-21505

For creation of OIDC workflows it is now possible to send the start link via email. See Miscellaneous standard service tasks in Identity Manager and Remote ID verification for details.

CRED-21677

Extended support for JCOP 4.5 cards with Personal Middleware for special profiles. See IDM 6.0.0 - Requirements and interoperability for details.

CRED-22287

Security fixes for Nexus Process Modeler and the internal BPMN editor in Identity Manager Admin.

CRED-22328

Two new service tasks, OIDC: Authorization request service task and OIDC: Verify JWT claims service task, are added to create an OIDC workflow. See Miscellaneous standard service tasks in Identity Manager and Remote ID verification for details.

CRED-22506

Library upgrades with security fixes.

CRED-22716

It is now possible to generate a "token", that is, a very long password, for internal users. This is recommended when web services connect to Identity Manager with basic authentication as the login is faster.

CRED-22721

It is now possible to change the admin key via IDM encoding descriptions for COSMO X cards with ID Plug middleware.

Other functionality is still under test and ID Plug/COSMO X is not officially supported by Smart ID Identity Manager.

CRED-22733

Security upgrade for third-party libraries.

CRED-22734

Security upgrades for third-party libraries.

CRED-22873

Security upgrades for third-party libraries.

Corrected bugs 

Jira ticket number

Description

CRED-21740

There were some issues and configuration mismatches around pre- and post-login processes. This has been fixed. See Configure a pre-login process for Identity Manager Operator, Configure pre-login processes for Smart ID Self-Service and Set up authentication profile in Identity Manager for more information. Also see Upgrade Smart ID Identity Manager from 5.3.1 to 6.0.0.

CRED-21827

Fixed the Flowable executor retry mechanism.

CRED-21866

Added "NextVSC" to the dropdown-list of storage priorities in the Smart ID Desktop App service tasks.

CRED-22303

There was an issue with revoking certificates when several certificates with the same serial number, but from different issuers, were present in Identity Manager. In this case, the issuer was ignored and all certificates were revoked. This has been fixed. If no issuer is present, the revocation will fail.
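The bug above comes down to how a certificate is identified: a serial number is only unique within one issuing CA, so a lookup by serial alone can match certificates from several issuers. The following is an added example, not Identity Manager code, showing the serial-only lookup beside a lookup keyed on (issuer, serial) that refuses to act when no issuer is given; all CA names, serials and subjects are constructed sample values.

```python
"""Added example (not Identity Manager code): revoking a certificate by
(issuer, serial) instead of by serial alone.

Serial numbers are unique only within one issuing CA, so two CAs can
legitimately issue certificates that carry the same serial number."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    issuer: str   # issuer DN (constructed sample values below)
    serial: int   # unique only within this issuer
    subject: str


class CertStore:
    def __init__(self, certs: List[Cert]) -> None:
        self._certs = list(certs)
        self.revoked: Set[Tuple[str, int]] = set()  # (issuer, serial) pairs

    def revoke_by_serial_only(self, serial: int) -> List[str]:
        """Flawed lookup: the issuer is ignored, so every certificate that
        carries this serial is revoked, including ones from other CAs."""
        hits = [c for c in self._certs if c.serial == serial]
        for c in hits:
            self.revoked.add((c.issuer, c.serial))
        return [c.subject for c in hits]

    def revoke(self, serial: int, issuer: Optional[str] = None) -> str:
        """Corrected lookup: (issuer, serial) identifies exactly one
        certificate. Without an issuer the request is refused rather than
        guessed. A production implementation would compare issuer names
        with RFC 5280 name matching rather than plain string equality."""
        if not issuer:
            raise ValueError("issuer is required; a serial alone is ambiguous")
        hits = [c for c in self._certs
                if c.issuer == issuer and c.serial == serial]
        if len(hits) != 1:
            raise LookupError(
                f"expected one cert for issuer={issuer!r} serial={serial:#x}, "
                f"found {len(hits)}")
        cert = hits[0]
        self.revoked.add((cert.issuer, cert.serial))
        return cert.subject

    def is_revoked(self, issuer: str, serial: int) -> bool:
        return (issuer, serial) in self.revoked


# Constructed sample data: two CAs that happen to issue the same serial.
SAMPLE_CERTS = [
    Cert("CN=Sample Issuing CA 1", 0x1001, "CN=alice"),
    Cert("CN=Sample Issuing CA 2", 0x1001, "CN=bob"),
    Cert("CN=Sample Issuing CA 2", 0x1002, "CN=carol"),
]


def try_revoke(store: CertStore, serial: int,
               issuer: Optional[str] = None) -> Tuple[str, str]:
    """Wrap revoke() so callers can inspect the outcome without exceptions."""
    try:
        return ("ok", store.revoke(serial, issuer))
    except (ValueError, LookupError) as exc:
        return ("error", type(exc).__name__)


def demo() -> Tuple[List[str], str, bool]:
    """Run both lookups over the sample data and report what each revoked."""
    flawed = CertStore(SAMPLE_CERTS)
    collateral = flawed.revoke_by_serial_only(0x1001)      # alice AND bob

    fixed = CertStore(SAMPLE_CERTS)
    only = fixed.revoke(0x1001, issuer="CN=Sample Issuing CA 1")  # alice only
    bob_still_valid = not fixed.is_revoked("CN=Sample Issuing CA 2", 0x1001)
    return collateral, only, bob_still_valid


if __name__ == "__main__":
    print(demo())
```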

CRED-22327

The service task "Mobile App: Install Certificates Into Android OS" is now more resilient towards communication errors.

CRED-22488

There was a problem where JUEL expressions were not resolved in the task "Modify roles automatically". This has been fixed.

CRED-22592

When system properties are parsed, they are no longer printed out to the log.

CRED-22706

There was an issue where the authentication method selection in Identity Manager Operator system properties settings would also affect Identity Manager Admin. This has been fixed.

CRED-22810

There was an issue where the SAML AuthnRequest was rejected as being from an unknown ISSUER when the Identity Manager alias was different from the ENTITYID in the service-provider-metadata xml file. This has been fixed.

CRED-22819

When using Visual Mobile ID, there was an issue with calling the content provider URL from Hermod. This has been fixed.

Smart ID Blueprints 1.1

Release date: 2026-04-10

Overview

This is a minor release of Smart ID Blueprints, including small improvements and fixes to enhance stability and usability.

Download Smart ID Blueprints from Nexus Support portal.

Compatibility and versioning

Compatible with Identity Manager 6.0.

New features

Component/Ticket

Description

Email template

  • PasskeysEmailNotifyAboutEntraCreation
    Removed the word Yubikey from the template.

  • PasskeysEmailNotifyAboutEntraDeletion
    Removed the word Yubikey from the template.

Process name

  • UsersAddonCSVProcCreate
    Changed the Name of the process.

Search configuration

  • UsersSearchRequest
    New filter field Requester Email in the search configuration.

Physical Access 26.04

Release date: 2026-04-10

Features

Jira ticket number

Description

IDC-2742

Bitnami has moved its RabbitMQ images from the standard distribution to the legacy distribution on the Docker Hub registry. Physical Access has been updated accordingly.

IDC-2726

Added support for rootless docker.

IDC-2648

Added support for new PACS connector ‘Autec XMP-Babylon’ in Physical Access. See Set up integration with Autec XMP-Babylon for more information.

Digital Access 6.12.1

Release date: 2026-03-27

Improvements

Jira ticket number

Description

DA-2598

New branding manual for Tailwind, which replaced jQuery Mobile in Digital Access version 6.12.0.

DA-2652

Upgraded the bundled Apache Guacamole integration version.

Corrected bugs

Jira ticket number

Description

DA-2271

User link repair Janitor
Implemented an automated background job that detects and repairs broken directory links in user accounts. The Janitor runs as a scheduled task on the administration node, processing users in paginated batches with configurable scheduling. It includes safety mechanisms such as pre-flight directory verification, consecutive error abort, and detailed progress reporting. Configurable via the admin UI with enable/disable toggle and scheduling options.

DA-2471

Removed the legacy Apple push notification library and its deprecated APNs API, reducing the dependency footprint.

DA-2594

Improved fatal error logging
Fatal errors during service startup now include the full stack trace at the appropriate log level without requiring debug logging to be enabled.

DA-2582

Reduced log noise
Removed or downgraded unnecessary ERROR and FATAL log entries that were causing confusion in production environments. Session check-out timeout messages are now logged at an appropriate severity level.

DA-2681

Resolved confusing OATH log warning
Eliminated a misleading warning about an internal configuration entity that appeared during normal operation and caused unnecessary concern.

DA-2505

Corrected LCP file sync message
Fixed an incorrect status message displayed after file synchronization. The admin UI now correctly reports the synchronization result and the system log no longer shows a zero file size for uncompressed configuration files.

DA-2607

Fixed several visual issues in the authentication flows, including incorrect QR code sizing and misaligned buttons.

DA-2639

Applied patches for vulnerabilities identified by security scans.

DA-2589

Fixed broken MS-CHAP authentication
Restored MS-CHAPv1 and MS-CHAPv2 RADIUS authentication which was broken by a cipher algorithm change in a previous release.

DA-2658

Fixed Entra External Authentication Method (EAM)
Resolved a compatibility issue with Microsoft Entra ID where the JWKS Key ID value was not formatted correctly, causing Entra to reject authentication requests from DA's EAM provider.

DA-2667

Fixed secure OATH setup failure
The Distribution service was missing a web resource path after fresh installation. The path is now created automatically during setup with the correct access permissions.

DA-2641

Fixed certificate persistence failure
Resolved an issue where persisting certificate information in the session would fail when the CA information was unavailable. This could break certificate-based authentication flows in production environments.

DA-2628

Fixed false "Display Name is Mandatory" error
Corrected a misleading validation error that appeared when relinking a user with a broken directory connection. The display name field was incorrectly flagged as mandatory. The value is now refreshed from the repaired directory connection before validation runs.

DA-2621

Resolved an issue where OATH token provisioning failed after an upgrade until the service was restarted.

DA-2617

Fixed secure profile for Port 443 behind AP
Resolved an issue where OATH provisioning URLs incorrectly included an explicit :443 port number, causing token activation to fail when the Distribution service was configured behind an Access Point.

DA-2600

Fixed AP Entry-Point state binding
Corrected a bug where the Access Point incorrectly tied the entry-point name state to the TCP connection rather than the user session. This caused incorrect behavior when AP was deployed behind a reverse proxy that reuses connections for multiple clients.

DA-2599

Fixed upgrade failure from 6.11.1 to 6.12.0
Resolved an issue where upgrading from version 6.11.1 to 6.12.0 could fail in certain deployment configurations, preventing the administration service from starting.

DA-2592

Fixed unexpected error in Admin
Resolved an unexpected error in the web resource path confirmation page that could occur under certain conditions.

DA-2575

Resolved an issue where the Copy Users functionality failed with Microsoft SQL Server.

DA-2474

Fixed reserved DNS name link translation
Corrected the link translation behavior for web resources using reserved DNS name mappings. Previously, translated links would incorrectly reference the Access Point URL path instead of the associated reserved DNS name, causing unnecessary redirects.

DA-2094

Fixed Admin field Auto-Clear bug
Resolved an issue in the administration UI where editing a web resource would automatically reset the "Link translation type" to URL-mapping and clear the "Mapped-DNS names" field.

DA-2189

Fixed initial setup connectivity with Swarm
Resolved an issue where services would bind to the wrong network interface during initial Docker Swarm deployment, preventing inter-service communication.

DA-1466

Fixed Access Point license validation
Corrected the license user count validation in the Access Point, which could incorrectly report "Number of users exceeded" even when the actual named user count was within the license limit.

DA-1336

Fixed LocalConfiguration.xml corruption
Resolved a long-standing issue where the LocalConfiguration.xml file could be overwritten with default values during service startup, losing the node identity and preventing the service from starting.

DA-472

Fixed Distribution service context and license issues
Resolved multiple issues with the Distribution service: the missing context path for secondary instances, the incorrect dependency on the Personal Mobile license for OATH provisioning bounce pages, and a 404 error when Personal Mobile was not activated.


Smart ID Messaging (Hermod) 4.6.0

Release Date: 2026-03-16

Features

Jira ticket number

Description

PMOB-4785

Spring Boot upgraded to version 4 and Spring Framework to version 7.

PMOB-4791

The trailing slash has been removed and is no longer supported in Hermod REST APIs.

Other components in Smart ID

-

Upgrade Smart ID

See Upgrade Smart ID for general information regarding upgrading Smart ID. Also see Upgrade Smart ID Identity Manager from 5.3.1 to 6.0.0 for specific upgrade instructions related to this release.

Smart ID compatibility

Compatibility table

Smart ID Identity Manager 6.0 is compatible with the following component versions:

| Components | Version |
|---|---|
| Smart ID Blueprints | 1.1 |
| Smart ID Digital Access | 6.12 |
| Smart ID Messaging | 4.6 and later versions |
| Nexus Card SDK | 6.6.0.15 or later 6.6.x versions |
| Smart ID Certificate Manager | 8.12 and later versions |
| Smart ID Desktop App | 2.7 and later versions |
| Smart ID Mobile App | The latest released versions |
| Smart ID Mobile SDK | The latest released versions |
| Nexus Personal Desktop Client | 5.17 |

Identity Manager configuration version compatibility

Before Identity Manager version 5.1.0, transferring configuration files between versions was not supported. From Identity Manager version 5.1.0 onwards, the configuration format carries a version that is validated on import. The table below lists which configuration format version each Identity Manager version accepts.

| Identity Manager version | Configuration format version |
|---|---|
| 5.0.0 and earlier versions | Only config files from the same version |
| 5.1.0 | 2 |
| 5.2.0 | 2 |
| 5.3.0 | 2 |
| 6.0.0 | 2 |

Certificate Manager feature compatibility

| Feature | Introduced with Identity Manager version | Requires Certificate Manager version | Jira ticket |
|---|---|---|---|
| Certificates with KRB field | 23.04.4 | 8.7.1 | CRED-15500 |
| Key archival and recovery with ECC keys | 5.0.0 | 8.10 | CRED-16776 |

Smart ID Desktop App compatibility

| Smart ID Desktop App version | Requires Identity Manager version | Other requirements | Not supported Identity Manager version |
|---|---|---|---|
| 1.12.1 and later versions | All versions from 23.04; 22.10.5 or later version of 22.10; 21.10.6 or later version of 21.10 | - | 20.11.x; 21.04.x; 22.04.x |
| 2.0 | Same versions as above | TLS 1.3 is required for 2.0 | |


Smart ID deployment configuration

Smart ID deployment configuration release note
# RELEASE NOTES FOR SMARTID DEPLOYMENT CONFIG

All notable changes to this project will be documented in this file. Be aware that the [Unreleased] features are not yet available in the official tagged builds.

## [Release 26.04.0-2026-04-10]

### Added
- Added rootless container support for IdentityManager containers. See docker/compose/set-rootless-volume-ownership.sh. [CRED-21066]
- Added memory limitation settings to the env files. Users can define the desired memory limit per docker instance. [CRED-22875]

## [Release 26.01.2-2026-03-09]
 
### Removed
- Removed support for the old "docker-compose" notation. Use a recent docker engine version with "docker compose" available. [CRED-22502]

## [Release 26.01.0-2026-01-30]
 
### Changed
- added correlation-id pattern to log4j2.xml [CRED-21684]

## [Release 25.11.0-2025-11-17]
 
### Changed
- increased Traefik version to 3.5 (latest patch version is used automatically) [CRED-20868]
- Process tracker is now enabled/disabled via log4j2.xml
  (via DEBUG level on the respective loggers, which now default to INFO).
  System properties are no longer used for this. [CRED-20176]
  
## [Release 25.08.0-2025-08-19] 
### Added 
- Added OSIP Connector. [CRED-19378]

### Changed 
- increased Traefik version to 3.2.3 
- Move connectors to a dedicated connectors folder. [CRED-19378] 
- Postgres version is set to 16. The latest minor version is downloaded automatically. [CRED-19718]

### Removed
- Removed the tools below because of security vulnerabilities. [CRED-19718]
  - adminer
  - datadog
  - mailhog

## [Release 23.10.14-2025-03-27]
 
### Changed
- Postgres version is set to 16. The latest minor version is downloaded automatically. [CRED-19718]

### Removed
- Removed the tools below because of security vulnerabilities. [CRED-19718]
  - adminer
  - datadog
  - mailhog
  
## [Release 24.11.1-2025-03-14]

### Changed
- Increased Traefik version to 3.2.3

## [Release 23.10.12-2025-02-04]
 
### Added
- Added OSIP Connector. [CRED-19378]
 
### Changed
- Move connectors to a dedicated connectors folder. [CRED-19378]

## [Release 23.10.11-2025-01-09]

### Changed
- Changed Traefik version to 3.2.3

## [Release 23.04.27-2025-01-08]

### Changed
- Increased Traefik version to 3.2.3

## [Release 24.11.0-2024-11-29]

### Added
- Added a Tomcat web.xml setting a Rate Limit Filter to prevent DoS Attacks. [CRED-16798]
- Added the Nexus SVG logo in the selfservice app. [CRED-17286]

- New files generated by bootstrap scripts:
    - idm-encryptdb-bootstrap.p12 (replaces idm-encryption-bootstrap.p12)
    - idm-encryptconfig-bootstrap.p12
    - idm-signhistory-bootstrap.12
    - idm-signjwt-bootstrap.12
    - idm-signjws-bootstrap.12
  [CRED-16809]

### Changed
- upgrade to Postgres 16 [CRED-17704]
- restart-all.sh detects whether sudo is needed for docker commands [CRED-18249]
- Enable TLS 1.3 for Traefik (was TLS 1.2 only) [CRED-18049]
- Updated prime-connectors to 2311.1.0 (based on Ubuntu 22.04) [CRED-13886]
- Corrected Hermod and Selfservice setup in WSL dev readme and the configuration. [CRED-17952]
- Descriptors in signencrypt.xml now reference P12 keystores created by bootstrapping
  instead of dummy files from the respective IDM containers. [CRED-14971]
- DNs of bootstrapped certificates cleaned up. [CRED-16809]
- Bootstrapping creates separate P12 per use-case. [CRED-16809]
- Bootstrapping bash scripts replaced with docker container. [CRED-16808]
- Postgresql and cert bootstrap questions in init-smartid.sh default to "no". [CRED-16808]
- Updated the selfservice theme file. [CRED-17286]
- Changed Postgresql version to 14.12. [CRED-17538]
- Changed traefik version to 3.0.2. [CRED-17538]

### Removed
- "ObjectHistorySigner" descriptor version 1 for expired dummy cert removed from signencrypt.xml. [CRED-14971]
- Removed redundant size declaration from jws/jwt signer descriptors. [CRED-16808]
- Bootstrapping of user certs for users removed. [CRED-16808]
- DNs of bootstrapped certificates cleaned up. [CRED-16809]
- The process tracker moved from package de.nexus.projectutils.processtracker 
  to package de.nexus.flowable.processtracker in the file log4j2.xml and has to be enabled via the 
  SYSTEM_PROPERTIES environment variable in the file identitymanager/operator/docker-compose.yml. [CRED-17203]
  
## [Release 23.10.6-2024-07-15]

### Added

### Changed
- upgrade to Postgres 16 [CRED-17704]
- restart-all.sh detects whether sudo is needed for docker commands [CRED-18249]
- Updated prime-connectors to 2311.1.0 (based on Ubuntu 22.04) [CRED-13886]
- Corrected Hermod and Selfservice setup in WSL dev readme and the configuration. [CRED-17952]
- Changed Postgresql version to 14.12. [CRED-17538]
- Changed traefik version to 3.0.2. [CRED-17538]

## [Release 23.04.19-2024-07-2]

### Added

### Changed

- Changed Postgresql version to 14.12. [CRED-17538]
- Changed traefik version to 3.0.2. [CRED-17538]


## [Release 23.10.2-2023-10-30]

### Added

### Changed
- Modified permissions of the 'certs' directory in init-smartid.sh to 755 (to allow Hermod to read the directory). [CRED-16526]
- Updated Prime Connectors version. [CRED-16153]


## [Release 23.04.7-2023-08-28]

### Added
- Added missing attestation key config to signencrypt.xml (fixes VSC). [CRED-16128]

### Changed

## [Release 23.04.5-2023-07-17]

### Added
- Added a readme-wsl-dev.txt describing how to set up SmartID Docker containers in a WSL environment. [CRED-15948]
- Added environment variable to docker-compose.yml of authentication service.

### Changed
- Restored environment references for Digital Access and Physical Access containers [CRED-15915]

## [Release 23.04.4-2023-06-30]

### Added
- Added restart-all.sh for easy stopping and starting of all containers or a subset of them. [CRED-15854]

### Changed
- The variable DOCKER_NETWORK_MTU has the default value 1500 now. You are not forced to choose between several options. [CRED-15854]
- When executing init-smartid.sh a message informs you about the current MTU value and when it is recommended to reduce it. [CRED-15854]
- The names of most of the docker containers start with "smartid-" by default. This prefix can be changed now via variable DOCKER_CONTAINER_BASE_NAME in file smartid.env. [CRED-15854]
- The hostname of the postgresql container now has the DOCKER_CONTAINER_BASE_NAME prefix as well.

## [Release 23.04.3-2023-06-23]

### Added

- Added AriadNext Connector Docker image. [CRED-14963] 
- Added file .gitattributes so that \*.sh and \*.env files always contain only LF line endings instead of CRLF. Fixed file datadog.env accordingly. [CRED-15795]

### Changed

- Escaped the ESC character (0x1B) in echo statements of shell scripts to avoid problems with Azure file preview and git diff output. [CRED-15795]


## [Release 23.04.2-2023-06-02]

### Added

### Changed

## [Release 23.04.1-2023-05-11]

### Added

- Added init-smartid.env to configure the docker network MTU. [CRED-14088 via CRED-15316]
- Added helperFunctions.sh and helperCreateLink.sh to be used by init-smartid.sh. [CRED-14088 via CRED-15316]

### Changed

- Replace deprecated docker network syntax in docker-compose.yml files. [CRED-14088 via CRED-15316]
- init-smartid.sh / stop-smartid.sh detect if docker needs sudo. [CRED-14088 via CRED-15316]
- init-smartid.sh now optionally removes files created by previous runs (postgres db, bootstrapped certs, etc). [CRED-14088 via CRED-15316]
- No explicit setting of env_file in docker-compose.yml files. [CRED-14088 via CRED-15316]
- Messaging database is now configured via MESSAGING_DB_URL var. [CRED-14088 via CRED-15316]
- stop-smartid.sh now uses the compose command "down" instead of "stop", which also removes the containers after shutting them down. [CRED-14088 via CRED-15316]

## [Release 23.04.0-2023-04-28]

### Added

- Added Workspace One Connector Docker image. [CRED-14215] 

### Changed

## [Release 22.10.0-2022-09-20]

### Added

- Added ContentProviderJWSSigner descriptor in signencrypt.xml. [CRED-12232]
- Added renewFromKeypairs.sh to renew end-entity certs.

  WARNING:

  - This only works if you (re-)bootstrap with the updated createca.sh, as the old version discarded data required for renewal.
  - Re-bootstrapping will invalidate any encrypted secrets and history signatures in IDM due to changing the keys.
  - Re-bootstrapping will also overwrite the certificates and keys in the docker deployment folder, so make a backup first,
    so you can use the respective tools for re-signing and re-encrypting existing history/secrets.

### Changed

- automatically (re-)start mailhog
- fixed naming of traefik rules for mobile-iron
- Changed createca.sh to retain keypairs and CA metadata, so we can enable renewal (see above).
- Removed cRLSign attribute from ca.conf to avoid issues with failing CRL checks.
  NOTE: This only has an effect on newly bootstrapped CAs.

## [Release 22.04.0-2022-05-05]

### Added

- Added Mobile Iron Docker image. [CRED-11817]
- Added new properties for MI image in smartid.env. [CRED-11817]

### Changed

- Changed properties for Nexus GO Cards API V2. [CRED-12951]

## [Release 21.10.0-2021-11-09]

### Added

- Added Digicert Global Root CA certificate. [CRED-11688]
- Added some Let's Encrypt root certificates. [DEVOPS-971]
- Added documentation for maxProfiles option to hermod-conf.yml
- Added `.yamllint` file to set default YAML linting config. [DEVOPS-1085]
- Added volume mapping for logs folder in IDM and Self Service. [DEVOPS-403]
- Fixed cacerts folder permissions in init-smartid.sh script.
- Added support for docker compose v2 command in init-smartid.sh script.

### Changed

- New properties for CAAS credentials in smartid.env (placeholders must be replaced before using Nexus GO Cards). [CRED-11688]
- Fixed some copy issues in the init-smartid.sh script.
- Changed the default selfservice config to include auth methods params example.
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Fixed typo. [DEVOPS-1090]
- Replaced Self-Service `IDM_URL`, `INSTANCE_ID`, `IDM_TENANT` by `APPLICATION_YAML` json. [DEVOPS-1127]
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Fixed YAML format. [DEVOPS-1085]
- IDM and SelfService now support custom translations and do not require mapping the whole translation files again. See doc for more info. [DEVOPS-1118]
- Change Import Logger to correct class [DEVOPS-1143]
- Switched to new image naming for IDM
  - `nexus-prime/explorer` changed to `smartid/identitymanager/operator`
  - `nexus-prime/designer` changed to `smartid/identitymanager/admin`
  - `nexus-prime/tenant` changed to `smartid/identitymanager/tenant`
  - `nexus-prime/updatedb` changed to `smartid/identitymanager/updatedb`
  - `nexus-prime/ussp2` changed to `smartid/selfservice`
- Changed Smart ID version to 21.10.0

### Removed

- Removed Self-Service config.json file. [DEVOPS-945]
- Removed expired Let's Encrypt certificates. [DEVOPS-971]
- Removed translation files for IDM and SelfService. [DEVOPS-1118]

## [Release 21.04.0-2021-05-20]

### Added

- Default values for Selfservice tenant id and instance id. [DEVOPS-738]
- Added example format for MSSQL everywhere we build the DB URL (`${DBHOST}/${XX_DB_NAME}`) because MSSQL requires a different URL format. [DEVOPS-737]
- Include SANs from CSR in bootstrap TLS cert in `bootstrap/conf/ca.conf`.
- Generate TLS certificate for non-traefik setup in `bootstrap/createca.sh`.
- Log4j2 config and template for json layout [DEVOPS-758]
- Datadog agent compose file, with some examples, see nexus and datadog documentation if you want to use it [DEVOPS-759]
- Added a check in `init-smartid.sh` that exits the script if the user didn't fill in the mandatory properties in `smartid.env` (those with the <XX> value pattern). [DEVOPS-759]
- Added Physical Access Interflex PACS. [DEVOPS-752]

### Changed

- IDM DB will no longer be initialized through the init-smartid.sh script. Initialisation has to be done manually by starting the container in identitymanager/updatedb. [DEVOPS-739]
- Rename containers to use dash instead of underscore, so containerName can work for DNS lookup (underscore is not allowed in DNS names).
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align idm update db naming to use the name "updatedb" everywhere
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align digital access directory names with service names
- fix bootstrap cert folder permissions in init script
- Changed all `HERMOD_*` properties to `MESSAGING_*`. [DEVOPS-751]
- Moved each component's respective config into their own config folder. [DEVOPS-751]
- Made all volume mappings static in compose file, no more properties. [DEVOPS-751]
- Reorganized smartid.env to be split by component, making it easier to find component related properties. [DEVOPS-751]
- Internal ports (inside docker) are now static in the compose file. [DEVOPS-751]
- Moved postgres related properties outside smartid.env, because it is a separate tool not meant for production. [DEVOPS-751]
- Renamed service names in compose files to match their container name. [DEVOPS-751]
- Changed traefik version to 2.4.8. [DEVOPS-638]
- Changed file extension of generated certificates from `.base64` to `.cer`.
- Updated translation files for IDM. [DEVOPS-761]
- Updated Messaging config for 21.04 (Hermod version 3.1.1). [DEVOPS-802]
- Changed chmod command to give permission 700 instead of 600, because hermod needs execute permission.
- Updated SmartID version to 21.04

### Fixed

- Fixed typos in the strings that are echoed to the user during the initialisation. [DEVOPS-646]

### Removed

- Removed unused properties in smartid.env. [DEVOPS-751]
- Removed unused ports for Physical Access. [DEVOPS-752]
- Removed Physical Access config files. Configuration is now handled using environment variables. [DEVOPS-752]
- Removed TZ from all docker-compose files. Since it is set in `smartid.env` which is mapped using `env_file`, declaring the variable a second time in `env` was not necessary.

## [Release 20.11.2-2021-03-23]

### Added

- If you answer Yes to the question whether Digital Access shall be deployed on the host, the containers can listen on ports 80 and 443. [DEVOPS-540]

### Changed

- Bump SmartID version to 20.11.2
- Updated IDM translation files with newer ones. [DEVOPS-561]
- Adjust volumes for hermod certificates. [DEVOPS-651]
- Removed Selfservice hotfixes introduced in previous release. [DEVOPS-626]

### Fixed

- Fixed tenant startup by removing mapped sign encrypt configuration, so it uses the default one from inside the container. Since IDM Tenant uses less certificates, the same config as IDM operator or admin cannot be used. [DEVOPS-640]
- Fixed the copy_files.sh script used in IDM operator, admin and tenant [DEVOPS-692] + [DEVOPS-656]

## [Release 20.11.1-2021-02-18]

### Added

- Added issuing and root CA certificates to IDM containers for config signing (These certs should NEVER be used for production). [DEVOPS-549]
- Added hotfix for the SelfService -> IDM connection. Has to be removed with 20.11.2+. [DEVOPS-626]

### Changed

- Updated sign-encrypt engine to the newest state. [DEVOPS-549]
- Updated version number to 20.11.1.

## [Release 20.11.0-2021-02-01]

### Added

- Added mailhog as a tool in /tools/mailhog. The tool can be used to test sending emails from Digital Access and Identity Manager. [DEVOPS-482]

### Changed

- Set the traefik network option to false for traefik, adminer and mailhog, so that they are enabled in traefik by default. [DEVOPS-486]
- Changed file extension of generated certificates from `.crt` to `.base64`.
- Changed Identity Manager Admin and Operator so that, by default, they do not require signed configurations/modules when uploading and downloading them. [DEVOPS-515]

### Fixed

- Fixed environment variable usage inside the traefik config file. [DEVOPS-514]

## [Release 20.11.0-2020-12-22]

### Added

- Added support for selfservice branding. [DEVOPS-471]
- Added log4j volume mapping for idm containers. [DEVOPS-470]

### Changed

- Updated traefik version to 2.3.4. [DEVOPS-464]
- Renamed selfservice container from "idm_selfservice" to "selfservice".
- Renamed all environment variables starting with "IDM_SELFSERVICE_x" to "SELFSERVICE_x".
- Changed Hermod config to disable by default some end-points and to hide sensitive data in logs. [DEVOPS-484]
- Improved the `stop-smartid.sh` script to handle dynamically all docker-compose stop commands and to work regardless of where the script is called from.
- Improved the `init-smartid.sh` script to work regardless of where the script is called from.
- Improved the `createca.sh` script to work regardless of where the script is called from.
- Renamed `idm-selfservice-language.json` to `idm-selfservice-config.json`.

### Fixed

- Fixed volume mapping for the selfservice tomcat server.xml by using a separate variable from the one used for identitymanager.
- Fixed French translations for IDM and Selfservice.

## [Release 20.11.0-2020-12-07]

### Added

- Added `postgres/init/init-smartid-databases.sql` so that Physical Access database is created when starting up postgres. The "pauser" is created, and a default password is set.
- Added LE CA Certificate to cacerts. [DEVOPS-455]
- Added AJP port variables in smartid.env and use them in identitymanager docker-compose files. Also added AJP Connector in `config/idm-tomcat-server.xml`, which has to be enabled manually (and port set accordingly). [DEVOPS-348]
- Added the following new features to the identitymanager docker-compose files: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new system properties environment variable
  - Support for new DB properties environment variables
  - Support for new spring bean volume mapping. See `IDM_VOLUME_PATH_SPRING` in `smartid.env`.
  - Support for new jars volume mapping. See `IDM_VOLUME_PATH_LIBS` in `smartid.env`.
  - Support for new class files volume mapping. See `IDM_VOLUME_PATH_CLASSES` in `smartid.env`.
- Added the following new features to the selfservice docker-compose file: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new IDM url environment variable
- Added adminer as a tool. [DEVOPS-407]
- Added maxVersion for TLS, set to 1.2, due to compatibility issues with some mobile devices. [DEVOPS-413]

### Changed

- Changed smartid version to 20.11.0.
- Moved "/certs/boostrap" to "/boostrap".
- Changed postgres version in smartid.env from 9.6.18 to 12.5. [DEVOPS-431]
- Split identity manager containers into their own docker-compose files: [DEVOPS-382]
  - Added `identitymanager/admin/docker-compose.yml`
  - Added `identitymanager/tenant/docker-compose.yml`
  - Added `identitymanager/init-db/docker-compose.yml`
  - Added `identitymanager/operator/docker-compose.yml`
- Adapted `init-/stop-smartid.sh`, and paths inside `smartid.env` and some docker-compose files to fit new docker-compose yaml files. [DEVOPS-382]
- Changed the init-smartid.sh script to ask if traefik is going to be used as Ingress/proxy. [DEVOPS-408]
- Changed some values in the client samples in `config/hermod-conf.yml` to `<IDM-HOST-HERE>` and `<DA-HOST-HERE>`.

### Removed

- Removed MSSQL from the deployment package, since Physical Access now supports postgres. [DEVOPS-448]
- Removed unnecessary variables in `smartid.env`.
- Removed identitymanager compose docker-compose file. [DEVOPS-382]
- Removed entrypoint definition from identitymanager docker-compose files. [DEVOPS-406]
- Removed pgAdmin and portainer and their variables from smartid.env. [DEVOPS-407]
- Removed modern and old options for tls in `config/traefik/traefik-tls.yml`. [DEVOPS-413]
- Removed TRAEFIK_TLS_OPTION from smartid.env. [DEVOPS-413]
- Removed identitymanager spring beans because the way they are handled has changed.
- Removed samples.

## [Release 20.06.1-2020-10-27]

### Added

- Added port forwarding to hermod container in the messaging docker-compose file.
- Added spring bean files for identitymanager in `config/idm/spring_operation` and `spring_admin`.
- Added translation files for identitymanager in `config/idm/translation_idm` and for selfservice in `config/idm/translation_selfservice`.
- It is now possible to enable Strict SNI using `TRAEFIK_TLS_STRICTSNI=true`.

### Changed

- Changed smartid version to 20.06.1.
- Changed HERMOD_DOMAIN_PREFIX from "mb" to "messaging".
- Changed the DB init/update script behavior; it can now be controlled with `IDM_DBUPDATE_SCRIPT` in smartid.env.
- Converted the `traefik-tls.toml` file to YAML and used variables from the .env file. The TLS certificate file names can be changed with `TRAEFIK_TLS_DEFAULT_CERTIFICATE` and `TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY`.
- Improved the `init-smartid.sh` script.
- Moved selfservice to a separate docker-compose file.

### Fixed

- Fixed the jdbc url for `config/da-admin-customize.conf`.

### Removed

- Dropped `restart: always` for identitymanager init-db.
- Removed explicit DBHOST naming in `smartid.env` to force the user to set their own value.

## [Release 20.06.0-2020-09-28]

### Added

- Added possibility to add custom-beans for IDM Operator and Admin, in `config/idm`.
- Added possibility to change translation for IDM Operator, Admin, Selfservice and Tenant.
- Added IDM_DB_QUARTZ example for MSSQL, Oracle and DB2.
- Added `container_name` for all containers in:
  - identitymanager/docker-compose.yml
  - traefik/docker-compose.yml
- Added docker hostname for postgresdb DB_HOST in `postgres/docker-compose.yml`; this makes the test deployment work from the start.
- Added docker hostname for mssqldb PA_DB_HOST in `mssql/docker-compose.yml`.
- Added `restart: always` to all containers. All containers will now start up after a reboot, if they have been started once before.
- Included SAML example files for IDM in `/samples/idm_saml`.

### Changed

- Changed smartid version to 20.06.0.
- Changed explorer/operator url in `idm-selfservice-application.yml`.
- Changed location of Identity Manager SAML samples files from `/docker/compose/examples` to `/samples/idm_saml`.
- Updated `init-smartid.sh`:
  - Now checks if docker and docker-compose are installed; if not, the script exits.
  - Now asks if the deployment is a production deployment. If "Yes", the script completes and deployment configuration can be done. If "No":
    - Asks if postgres and/or mssql shall be deployed and started.

### Fixed

- Moved comments in `smartid.env` file to be on a separate line instead of behind the value. This was breaking the applications since comments would be evaluated as part of the value.
- Fixed `init-smartid.sh` so that it works properly on CentOS.
- Fixed a typo for variable `IDM_DB_QUARTZ`.
- Fixed typo in idm-operator container in `identitymanager/docker-compose.yml`, in the path to the castore.jks.

### Removed

- Removed `init-smartid-test.sh`; its functionality is included in `init-smartid.sh`.

Contact and support

For information regarding support, training, and other services in your area, visit https://nexus.ingroupe.com/. Nexus offers maintenance and support services for Smart ID components to customers and partners.

For more information, go to Nexus Technical Support or contact your local sales representative.