Version 6.0.0 contains a number of changes to the configuration model, Hypermedia API (HAAPI), REST APIs, and more. Details are provided below.
Support for the Axiomatics authorization manager has been completely removed. It has been deprecated since version 4.5. If any configuration for this obsolete authorization manager is still present, it will need to be removed prior to upgrading. Specifically, the following emphasized lines and any configuration referring to such an authorization manager should be deleted.
<config xmlns="http://tail-f.com/ns/config/1.0"> <processing xmlns="https://curity.se/ns/conf/base"> <authorization-managers> <authorization-manager> <id>axio1</id> <axiomatics xmlns="https://curity.se/ns/conf/authorization-manager/axiomatics"> <!-- ... --> </axiomatics> </authorization-manager> </authorization-managers> </processing> </config>
Customers still using this authorization manager should migrate to scopes authorization manager or other alternatives.
The default value of the max-age setting of the HTTP Strict Transport Security (HSTS) behaviour was changed from 0 to 15465601. In case previous configuration relied on the default setting of 0, this now needs to be explicitly set with the value 0. The upgrade XSLT can take care of this. It is also possible to manually set this value.
<environments> <environment> <services> <service-role> <id>my-service-role</id> ... <hsts> <max-age>0</max-age> <!-- explicitly configure max-age with the previous default value --> </hsts> </service-role> </services> </environment> </environments>
The configuration model for non-templatized DCR has been updated such that it now requires to configure how a client must authenticate to obtain the initial registration token, instead of implying client-secret when nothing is set. This change may render existing configuration (that relied on an implied client-secret value) as invalid.
An example of configuration that used to be valid:
<authorization-server> <dynamic-client-registration> <non-templatized> ... </non-templatized> </dynamic-client-registration>
This configuration must be changed, to include the following XML elements:
<authorization-server> <dynamic-client-registration> <non-templatized> <client-authentication-method> <!-- This tag must to be added --> <secret/> </client-authentication-method> </non-templatized> </dynamic-client-registration> </authorization-server>
This change can be made manually, or by the upgrade XSLT template.
When configuring a base-url, it can not no longer contain a path nor query component. If a previous configuration had this set, it must be removed, either manually, or by running the XSLT script as part of the upgrade to version 6.0.
The base-url can be configured for a service-role, as well as for the admin-ui service.
Previously, whenever rules for a particular group were defined, the admin UI would always make rules for the any-group, a group of access control rules that applied to all users in all groups. In some cases, these rules in the any-group caused issues. For this reason, the admin UI no longer adds them. Consequently, the previously-created rules should probably be removed. If things are working as expected, however, they can be left. To remove them, delete all rules in the rule-list named any-group that has a comment of Created by Web UI. An example of the rules that should be removed are highlighted in the following listing:
any-group
rule-list
comment
Created by Web UI
<config xmlns="http://tail-f.com/ns/config/1.0"> <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm"> <rule-list> <name>any-group</name> <group>*</group> <rule> <comment>Created by Web UI</comment> <!-- ... --> </rule> <rule> <comment>Created by Web UI</comment> <!-- ... --> </rule> <!-- Leave any rules that do not have a comment like the one above --> </rule-list> </nacm> </config>
The zone configuration setting on a data source has been removed. It has not been in use, no action for upgrade is required.
zone
The version of jQuery that the default templates use was upgraded from 3.4.1 to 3.5.1. According to the release notes of this third-party script, this change should not incur any breaking changes. If it becomes an issue, the file $IDSVR_HOME/usr/share/webroot/assets/js/lib/jquery-3.5.1.min.js can be replaced with the old version. Be aware, however, that this upgrade was done to avoid a security vulnerability in the old version, so downgrading is not recommended.
$IDSVR_HOME/usr/share/webroot/assets/js/lib/jquery-3.5.1.min.js
The umask is now explicitly set to 077 in the idsvr command. This ensures that any files or directories created by that process are not writable, readable or executable by any other user. If this change is undesirable, then it can be changed. The recommended way of doing so is to set the umask in $IDSVR_HOME/etc/startup.properties. This change was done for security reasons, however, and altering it unnecessarily is discouraged.
$IDSVR_HOME/etc/startup.properties
Browser-based OAuth clients don’t need to use CORS in order to access HAAPI. The configuration changes allowing CORS accesses for the client’s origin, which were previously required for a browser-based client to use HAAPI, can now be removed.
The following Web attestation policy properties were removed: allow-web-driver, allow-ios, allow-android, and allow-java. The Web attestation process will not try to detect these browser characteristics (e.g. if the browser is being automated via web driver or is a webview running on Android).
allow-web-driver
allow-ios
allow-android
allow-java
It is still possible to define a custom Web attestation policy and set disable-origin-verification to true, for development and testing purposes.
disable-origin-verification
true
Kind
ActionKind
FormActionFields#addTextField(String, Message, Message)
launch
client-operation
Actions#addLaunchAction
Actions#addClientOperationAction
qrcode
HaapiContract.Links.Relations.QR_CODE
type
activation-url
activation
HaapiContract.Links.Relations.ACTIVATION_URL
The customization of the HTTP client used internally by the HaapiTokenManager was changed. Instead of supporting an optional OkHttpClient.Builder configurer, it now supports an optional connectionProvider to create and customize the HttpURLConnection that is now used internally by the token manager. Due to this change, it is now possible to use the HAAPI Android SDK without any dependencies on the OkHttp library.
HaapiTokenManager
OkHttpClient.Builder
connectionProvider
HttpURLConnection
OkHttp
However, it is still possible to configure an application level OkHttpClient instance with an interceptor to automatically handle the token and session management. For this to be possible the OkHttp library dependency (com.squareup.okhttp3:okhttp:3.14.*) must now be explicitly added to the application dependencies.
OkHttpClient
com.squareup.okhttp3:okhttp:3.14.*
The Transaction Metadata API was deprecated in version 5.3.0 and has now been completely removed.
The deprecated REST API has been removed. Refer to the version 4.0.0 upgrade guide for details about migrating to the new RESTCONF API.