Upgrading from 6.7.X to 6.8.0

There are no required changes to the database schema and no changes to the SDK or the configuration model in this version. As a result, it should be possible to upgrade without explicit action. Some changes were made that can be important to know about when upgrading, however. These are described below.

SDK Changes

Usage by plug-ins of the versions of JAXB and JAX-WS (part of Java EE) included with the Curity Identity Server is deprecated and planned for removal in 7.0. In version 6.4.0, the Java run-time that plug-ins execute in was upgraded from version 8 to 11. Java 11 removed various EE components like JAX-WS and JAXB. To avoid breaking changes, these were made available to plug-ins even when running in the new version of Java. These components will not be available in the next release, version 7.0. For this reason, plug-in developers should source these dependencies separately or be prepared to do so when 7.0 is released on March 28, 2022. Going forward, the Curity Identity Server will use the Jakarta versions of these (Jakarta EE 9) and no support effort will be made to ensure that the old versions of the Java EE components work with plug-ins.

Version 6.8.0 deprecates the getBaseUri() method in the SystemInformationProvider class; the newly added getEnvironmentBaseUri() method should be used instead. Note that the deprecation of the getBaseUri() method in the SystemInformationProvider class has since been removed.

Serialization

Java serialization is now prevented by default. If this technology is used in a plug-in or other component to convert a Java type to or from a byte stream, it is suggested that alternative methods be used. If this is not possible, refer to the manual on how to enable Java serialization.

Oracle JDBC Driver

The Oracle JDBC driver internally requires serializability of some of its classes. As the default permissions have changed regarding which classes are allowed to be serialized, this will break the Oracle driver. To fix this, Java must be told to allow serializability of the Oracle driver’s classes. This is done by passing the Java system property se.curity:identity-server:serialFilter=oracle.jdbc.** when starting the Curity Identity Server, for example through the JAVA_OPTS environment variable (e.g., JAVA_OPTS=-Dse.curity:identity-server:serialFilter=oracle.jdbc.** idsvr).

JMX

JMX browsers may require serialization of certain classes to be enabled. This is blocked by default, but can be allowed by setting the Java system property se.curity:identity-server:serialFilter to include javax.management.** when starting the Curity Identity Server (e.g., by using the JAVA_OPTS environment variable as in the Oracle JDBC driver example above).
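The Serialization, Oracle JDBC Driver and JMX notes above all come down to one mechanism: a deserialization filter whose allow-list pattern (oracle.jdbc.**, javax.management.**) decides which classes may be read back from a byte stream, with everything else rejected. The following is an added example, not code from the Curity Identity Server or its manual, that shows how such a pattern behaves using only the standard JDK ObjectInputFilter API (Java 9 and later). It assumes that the se.curity:identity-server:serialFilter property accepts the same pattern grammar as the JDK's own jdk.serialFilter property (a ";"-separated list, ** for a package and its subpackages, a leading ! to reject); the class and package names in the demo are constructed for the illustration.

```java
package demo.serialfilter;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Demonstrates how a JDK serialization filter pattern such as
 * "oracle.jdbc.**;!*" turns into accept/reject decisions at read time.
 * Assumption (not confirmed by the upgrade notes): the Curity
 * se.curity:identity-server:serialFilter property uses this same grammar.
 */
public class SerialFilterDemo {

    /** Stand-in for an application class that is not on the allow-list (constructed). */
    static final class Token implements Serializable {
        private static final long serialVersionUID = 1L;
        // Primitive field only: primitives are written inline and are not
        // themselves filtered, so the decision is about Token alone.
        final int id;
        Token(int id) { this.id = id; }
    }

    /** Serialize an object with standard Java serialization. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialize the bytes under the given filter pattern.
     * Returns true if the stream was accepted, false if the filter rejected it.
     * ObjectInputStream signals a rejection with InvalidClassException
     * ("filter status: REJECTED").
     */
    static boolean deserializeWithFilter(byte[] bytes, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] token = serialize(new Token(42));

        // Deny everything: the default posture described in the upgrade notes.
        System.out.println("!*                          -> " + deserializeWithFilter(token, "!*"));

        // Allow only the Oracle driver's packages, reject the rest.
        // Token is not under oracle.jdbc, so it is still rejected.
        System.out.println("oracle.jdbc.**;!*           -> " + deserializeWithFilter(token, "oracle.jdbc.**;!*"));

        // Several allow-list entries can be combined, as the JMX note suggests.
        System.out.println("oracle.jdbc.**;javax.management.**;!* -> "
                + deserializeWithFilter(token, "oracle.jdbc.**;javax.management.**;!*"));

        // Allow-listing the demo's own package lets Token through.
        System.out.println("demo.serialfilter.**;!*     -> " + deserializeWithFilter(token, "demo.serialfilter.**;!*"));

        // Without a trailing "!*" an unmatched class is UNDECIDED, which
        // ObjectInputStream treats as allowed: the list is then not an allow-list.
        System.out.println("oracle.jdbc.** (no deny)    -> " + deserializeWithFilter(token, "oracle.jdbc.**"));
    }
}
```

Compile and run with `javac -d out demo/serialfilter/SerialFilterDemo.java && java -cp out demo.serialfilter.SerialFilterDemo`; the first three lines print false, the last two true. The closing `!*` is what makes the pattern an allow-list: a class matched by no pattern is UNDECIDED and is accepted, so a filter that only names the packages you trust, without the final reject, does not block anything. A process-wide filter equivalent to a `-Djdk.serialFilter=...` start-up option can also be installed with `ObjectInputFilter.Config.setSerialFilter(filter)` before any stream is opened.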

TLS

TLS 1.0 and 1.1 were disabled in version 6.3.0 of the Curity Identity Server. In this release, all versions of TLS older than 1.2 are no longer supported. Even if they can be enabled in the Java runtime, their functionality is not guaranteed and not supported. Upgrading to TLS 1.2 or 1.3 is therefore required. This was done to keep pace with the Oracle JRE and JDK Cryptographic Roadmap.

RESTCONF

The RESTCONF API has been updated to conform with RFC 8040 with regard to the depth parameter. A requested data node now has a depth level of 1 instead of 0, as it had before.

Template Updates

The file $IDSVR_HOME/usr/share/templates/core/alarms/email/email.vm was updated to include a variable environmentName representing the environment name.

The file $IDSVR_HOME/usr/share/templates/core/authentication-action/opt-in-mfa/register-confirm.vm was updated to include a (boolean) variable _reRegisteringSameFactor, used to identify when a user attempts to update an already registered device. The new keys view.detail.already-registered and view.detail.already-registered.template were added to $IDSVR_HOME/usr/share/messages/core/en/authentication-action/opt-in-mfa/register-confirm/messages to provide the messages used during an opt-in MFA update.

Deprecation of the Net iD Authenticator

The Net iD Authenticator is now deprecated and will be removed in a future major version.

BankID authenticator

The BankID authenticator will now output authentication attributes with subject always equal to the personal number used on the BankID transaction, even if there is already an authenticated state with a different subject. Previously, and under some circumstances, the username in the authenticated state was used instead of the personal number.

This change may impact scenarios where BankID is used as a second factor for a conditional MFA action, because this MFA action will reject the authentication if the second factor subject doesn’t match the first factor subject.

The file $IDSVR_HOME/usr/share/templates/core/fragments/generic-poller.vm was updated to include logic for handling the Animated QR Code images.

BankID Consentor

The template file $IDSVR_HOME/usr/share/templates/core/consentor/bankid-signing-consentor/bankid-poller.vm was updated to include a variable _qrCodeId, which supplies the value of the new ID parameter of the img element used for the Animated QR Code handling.

The template file $IDSVR_HOME/usr/share/templates/core/fragment/poller.vm was updated to include logic for handling the Animated QR Code images.