
Release date: 2024-11-29

Smart ID 24.11 provides updates, improvements, and bug fixes to ensure high quality and security. 

Important information: semantic versioning

From Smart ID 24.11 onwards, Smart ID Identity Manager and Smart ID Self-Service have their own versioning, starting with 5.0.0. The versioning follows the semantic versioning scheme.

The containers will have the Smart ID version tag in the Smart ID package. When opening up the version information in Smart ID Identity Manager and on the Smart ID Self-Service login page, the new semantic versioning will be displayed, as with Smart ID Digital Access or Smart ID Messaging components.

Included in Smart ID 24.11


Smart ID Identity Manager 5.0.1

Main new features

End-to-end ECC support 

In Germany, the Federal Office for Information Security (BSI) recommends a minimum key length of 3000 bits for RSA keys from the beginning of 2023. Longer keys have drawbacks, however: key generation takes longer and the keys use more space on the cards. An alternative is to use elliptic curve cryptography (ECC) keys instead.

Previous versions of Identity Manager supported elliptic curve cryptography for some middleware programs and some Certificate Authorities (CAs).  

Identity Manager 5.0.0 supports key archival of ECC keys with Certificate Manager and the use of ECC keys with Nexus Personal Desktop Client. This helps existing customers benefit from ECC keys without changing their general setup.

Entra connector 

Microsoft Entra is widely used to hold employee master data. Identity Manager needs to synchronize with that master data so that it always has the latest information in the employee data set, and so that it can send back the latest information about the corresponding cards and certificates.

Identity Manager already synchronizes with various HR systems and LDAP directories. With the new connector, Identity Manager can also be set up in an environment where Microsoft Entra holds the employee master data. The connection is established via SCIM datapools and the new Entra connector.

Searching and sorting are limited to the functionality provided by the Microsoft Graph API, see https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=http#user-properties. Performance is limited by the throttling that Entra applies, see https://learn.microsoft.com/en-us/graph/throttling.

For more information, see Set up Microsoft Entra connector.

Responsive self-service portal

Smart ID Self-Service is the interface of Identity Manager that end users interact with. It is a web portal used by all the persons whose identity is managed, and so has a large number and range of users.

Here are example use cases that can benefit from the improved responsiveness in the Self-Service portal:

  • Access Smart ID Self-Service on mobile phone whenever that is more convenient

  • Organizations where users have Chromebooks as their primary device

  • A truly responsive design also helps visually impaired people who use large zoom factors.

  • The responsive design enables mobile use cases around Physical ID where action is needed on site.

New BPMN engine 

Identity Manager includes a workflow engine in which the processes around card and credential management are custom built. This makes Identity Manager more flexible.

As Activiti 5 is no longer supported, the BPMN engine has been switched to Flowable. The new engine improves performance and parallelization and provides new possibilities to be explored, for example, forms editing and process monitoring. Editing processes will be simplified with the new Nexus Process Modeler that can be used as a separate application as well as from inside Identity Manager Admin. 

Flowable is available as an open source version and as a commercial version called “Flowable work”. There is a community ensuring further development of the product. 

Configurations made for Activiti can be run with the new Flowable engine, so that existing installations can be upgraded. The migration is done automatically, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

Flowable is a fork of Activiti and it is BPMN 2.0 compliant.  

Bootstrapping validation 

Smart ID Identity Manager is a security application based on public key infrastructure. It uses keys and certificates to encrypt secrets managed within the application, to sign the object history so that it is audit-proof, and for other key-related use cases. All these keys and certificates need to be created and moved to the right places, a procedure known as bootstrapping. As it is crucial for the security of the application that secure keys are used, a validation of the bootstrapping has been introduced. Demo keys are no longer delivered with the software. This increases the effort of setting up demo and test systems, but it protects productive systems from accidentally using publicly known keys.

To help first-time bootstrapping and get instructions for changing compromised keys and certificates later, see Bootstrapping the sign and encrypt engine.

Removed features and changes in delivery  

Support for encodings of USB tokens via Card SDK is discontinued 

The support for encodings of USB tokens via Card SDK is discontinued.

A workaround for the Java bug https://bugs.openjdk.org/browse/JDK-8026326 (implemented in CRED-13615) was removed, as it is incompatible with Java 17 and above and thus prevents moving forward with support for newer Java versions. This bug causes errors in the reader detection once the last remaining reader has been removed or disabled and it, or another reader, is added or connected again during the lifetime of the Java process. In this case the smartcard service is restarted, which Java fails to handle gracefully.

USB tokens integrate the PKI chip and the reader in one device, so they tend to be affected by this issue, unlike PKI encoding on smart cards, where the reader remains connected. PKI encoding of USB tokens can be handled by Smart ID Desktop App instead.

For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

Support for some CardOS related encodings has been removed 

Support for OsVersionField and PackageInformationField has been removed from encoding descriptions. This feature was specific to CardOS smart cards. APDU commands can be used to get the same result.

For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1

Deprecation of Service Task "Cert: Update Certificate State from CRL"

The service task "Cert: Update Certificate State from CRL" (delegate expression ${updateCertificateStateFromCRLTask}) is no longer recommended, because it is likely to cause severe performance problems. Instead, it is recommended to push CRLs from the CA.

For Certificate Manager and Identity Manager the procedure is described here: Push CRL from Certificate Manager to Identity Manager

Configuration files excluded from the Smart ID package 

The configuration files SmartID-xxx-configuration.zip are no longer delivered with the Smart ID package. These configuration files were the basis of the Smart ID Workforce module. They are replaced by the Smart ID Workforce use cases, available as a separate package from the Nexus download portal.

Smart ID Workforce use cases for Identity Manager 5.0.1 are not yet available. 

Open source libraries delivered with Smart ID package

A list of open source libraries used with Smart ID Identity Manager is delivered with Identity Manager on the Nexus support portal as the file SmartID-xxx-open-source.zip.

SmartAct-Migration tool

The SmartAct-Migration tool is not delivered with the Smart ID package anymore. Contact Nexus support if you need this.

Nexus Activiti Designer replaced by Nexus Process Modeler

Nexus Activiti Designer will not be delivered with Smart ID from this release onwards. It can still be used with Smart ID Identity Manager, but recent features are not supported. It is recommended to try Nexus Process Modeler instead.

Replacement of the quick search feature in Smart ID Self-Service

In Smart ID Self-Service, lists of Persons, Cards, Mobile IDs or other objects can be displayed via the corresponding top-level menu entries. These lists are based on search configurations that are set up in Smart ID Identity Manager Admin. There used to be a quick search and filter bar on top of each list. This has been replaced by a filter panel that reflects the underlying search configuration. The filter panel allows more explicit filtering and a better understanding of the displayed results.

Detailed description of features

Features

Jira ticket number

Description

CRED-12528

The bootstrapping procedure, that is, the creation and placement of keys needed in Smart ID Identity Manager for different purposes, has been made more secure.

For more information, see Sign and encrypt engine in Identity Manager and Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

CRED-13624

The business process engine included in Smart ID Identity Manager has been switched from Activiti to Flowable.

For more information, see Cleanup Flowable process history in Identity Manager and Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

CRED-13706

The support for encodings of USB Tokens via Card SDK is discontinued. PKI encoding of USB tokens can now be handled by Smart ID Desktop App.

For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1. Read more in the Removed features and changes in delivery section above.

CRED-15871

A connector is now available to allow user synchronization between Smart ID Identity Manager and Microsoft Entra. Read more in the Main new features section above.

For more information, see Set up Microsoft Entra connector.

CRED-15873

Improved responsiveness in Smart ID Self-Service. The Self-Service is now usable on small screens like mobile phones or with large zoom.

Read more in the Main new features section above.

CRED-15893

The expression is now validated in Identity Manager Admin when a Kerberos 5 Principal Name value is added to a certificate configuration.

CRED-16320

When showing a list of objects in a form, it is now possible to add checkboxes for selection to the list and to work with the selected entries.

CRED-16749

The performance of the cleaning of the ObjectHistory has been improved.

CRED-16776

Support for key archival and recovery of ECC keys with Certificate Manager has been added.

This requires Certificate Manager version 8.10 or later.

CRED-16798

Added a rate limit filter to the Tomcat configuration in the Docker deployment to mitigate DoS attacks. The limits can be adjusted individually.

For more information, see Harden Tomcat.
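The release note does not say which limiting scheme the Tomcat filter uses or what limits the Docker deployment ships with. The following is an added illustration, not Smart ID's or Tomcat's code, of the common fixed-window model: each client address gets a budget of bucket_requests requests per bucket_duration seconds, and requests beyond the budget receive HTTP 429. The parameter names, the request stream and the default values are all constructed for this example. An enforce flag is included because a filter of this kind is usually first run in count-only mode to find a budget that does not cut off legitimate users before it is switched to enforcing.

```python
from collections import defaultdict


class FixedWindowRateLimiter:
    """Allow at most `bucket_requests` requests per client address within each
    `bucket_duration`-second window. Windows are fixed and aligned to multiples
    of bucket_duration, so the budget resets at the window boundary (a client can
    therefore get close to twice the budget across one boundary; that is the
    usual trade-off of a fixed-window limiter).

    The defaults below are assumed values for this illustration, not the
    settings of the Smart ID deployment.
    """

    def __init__(self, bucket_requests=300, bucket_duration=60, enforce=True,
                 status_code=429):
        self.bucket_requests = bucket_requests
        self.bucket_duration = bucket_duration
        self.enforce = enforce            # False = count and report only (audit mode)
        self.status_code = status_code
        self._window = None               # index of the window currently counted
        self._counts = defaultdict(int)   # client address -> requests in this window
        self.rejected = defaultdict(int)  # client address -> total over-budget requests

    def check(self, client_ip, now):
        """Return the HTTP status the filter would give one request at time `now`."""
        window = int(now // self.bucket_duration)
        if window != self._window:
            # New window: discard every client's counter from the old one, so
            # memory stays bounded by the number of clients seen per window.
            self._window = window
            self._counts = defaultdict(int)
        self._counts[client_ip] += 1
        if self._counts[client_ip] > self.bucket_requests:
            self.rejected[client_ip] += 1   # recorded even in audit mode, for alerting
            if self.enforce:
                return self.status_code
        return 200


def replay(limiter, requests):
    """Feed (timestamp, client_ip) pairs through the limiter and return the
    status each request would receive."""
    return [limiter.check(ip, ts) for ts, ip in requests]


# Constructed request stream: one client bursts, another sends a single request.
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.5"), (0.4, "10.0.0.5"), (0.9, "10.0.0.5"), (1.3, "10.0.0.5"),
    (1.5, "10.0.0.9"),    # unrelated client, must not be affected by the burst
    (61.0, "10.0.0.5"),   # next 60-second window, the budget is fresh again
]


def demo(bucket_requests=3, bucket_duration=60, enforce=True):
    """Run the constructed stream with a small budget; returns (statuses, rejections)."""
    limiter = FixedWindowRateLimiter(bucket_requests, bucket_duration, enforce)
    statuses = replay(limiter, SAMPLE_REQUESTS)
    return statuses, dict(limiter.rejected)


if __name__ == "__main__":
    statuses, rejected = demo()
    for (ts, ip), status in zip(SAMPLE_REQUESTS, statuses):
        print(f"t={ts:5.1f}s {ip:10} -> {status}")
    print("over-budget requests per client:", rejected)
```

With a budget of three requests per window, the fourth request from 10.0.0.5 gets 429 while 10.0.0.9 and the request in the next window still get 200; the rejection counter per client is what you would feed into monitoring to tell a misconfigured integration from a flood.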

CRED-16972

In Self-Service, interactive elements are now labeled with their role so that screen readers can recognize them.

CRED-17366

Support for OsVersionField and PackageInformationField has been removed from encoding descriptions. Read more in the Removed features and changes in delivery section above.

For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

CRED-18099

If there are many buttons on a form in a process, a primary button can now be defined. See Configure display of buttons in Identity Manager for more information.

CRED-18951

When configuring SAML in Smart ID Identity Manager, request signing and verification settings now default to true if not specified in the metadata file. See Enable two-factor authentication to Identity Manager clients via SAML federation for more information.

CRED-19161

In order to avoid ZIP bomb attacks, the compression ratio is checked when uploading zip files. The allowed compression ratio can now be configured. See List of Identity Manager system properties for more information.
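The note says the compression ratio is checked and that the allowed ratio is configurable, but not how the check is carried out. The following is an added example, not Identity Manager's implementation, of the check a defender would want: it does not trust the sizes recorded in the archive's central directory (which an attacker controls) but decompresses each entry in chunks and aborts as soon as the output exceeds compress_size times the allowed ratio or an archive-wide byte cap. The 100:1 default ratio, the 256 MB cap, the function names and both sample archives are constructed for this illustration; the name of Smart ID's own system property is not given on this page.

```python
"""Compression-ratio check for uploaded ZIP archives (ZIP bomb defence)."""
import io
import os
import zipfile

# Assumed policy values for this illustration, not Smart ID's defaults.
MAX_COMPRESSION_RATIO = 100.0               # uncompressed bytes / compressed bytes
MAX_TOTAL_UNCOMPRESSED = 256 * 1024 * 1024  # hard cap in bytes, whatever the ratio
CHUNK = 64 * 1024


class UnsafeArchive(ValueError):
    """Raised when an archive exceeds the configured limits."""


def check_zip(data, max_ratio=MAX_COMPRESSION_RATIO, max_total=MAX_TOTAL_UNCOMPRESSED):
    """Stream-decompress every entry and enforce the limits while reading.

    Header sizes are attacker-controlled, so the ratio is measured on the actual
    decompressed output, and the check stops early instead of inflating the whole
    entry first. Returns the measured totals when the archive is within limits.
    """
    compressed = uncompressed = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry_budget = max(info.compress_size, 1) * max_ratio
            entry_bytes = 0
            with zf.open(info) as fh:
                while chunk := fh.read(CHUNK):
                    entry_bytes += len(chunk)
                    if entry_bytes > entry_budget:
                        raise UnsafeArchive(
                            f"{info.filename}: ratio exceeds {max_ratio:.0f}:1")
                    if uncompressed + entry_bytes > max_total:
                        raise UnsafeArchive(
                            f"{info.filename}: archive exceeds {max_total} bytes")
            compressed += info.compress_size
            uncompressed += entry_bytes
    ratio = uncompressed / compressed if compressed else 0.0
    if ratio > max_ratio:
        raise UnsafeArchive(f"overall ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    return {"compressed": compressed, "uncompressed": uncompressed, "ratio": ratio}


def is_safe(data, **limits):
    """True if the upload passes the check; malformed archives are rejected too."""
    try:
        check_zip(data, **limits)
        return True
    except (UnsafeArchive, zipfile.BadZipFile):
        return False


def make_zip(entries):
    """Build a constructed in-memory archive from {name: payload}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a realistic upload (text plus incompressible data), and a
# highly compressible archive standing in for a bomb (8 MB of zeros deflates to
# a few KB, a ratio of roughly 1000:1).
BENIGN_ZIP = make_zip({
    "readme.txt": b"Workforce use case package, constructed sample\n" * 20,
    "blob.bin": os.urandom(64 * 1024),
})
SUSPECT_ZIP = make_zip({"zeros.bin": b"\0" * 8_000_000})

if __name__ == "__main__":
    print("benign :", check_zip(BENIGN_ZIP))
    print("suspect:", "rejected" if not is_safe(SUSPECT_ZIP) else "accepted")
```

Raising the configured ratio (as the release note allows) makes the suspect archive pass the ratio test, which is why the example keeps a separate absolute cap: a moderate ratio applied to a large enough upload still exhausts disk or memory.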

Corrected bugs 

Jira ticket number

Description

CRED-16398

Previously in Identity Manager Admin, when editing a process with the BPMN editor, there was no reminder to save when leaving the tab. This has been fixed.

CRED-17721

On card encodings for card selection, an additional check of the ICCSN has been introduced to improve security. See Reader/card selection and information in Identity Manager for more information.

CRED-18101

Updating certificate state from CRLs would sometimes not find certain certificates due to upper/lower case differences in the serial number. This has been fixed.

Digital Access 6.8.0

Feature improvements

Jira ticket number

Description

DA-1914

Added new authentication method based on FIDO2 security key. See Set up FIDO2 authentication for more information.

DA-651

Support for adding multiple CAs for Smart ID Mobile App, Smart ID Desktop App and User Certificate methods.

DA-1384

Improvements in the Digital Access Admin UI for certificate management that present separate views for Server Certificates and SAML Signing Certificates.

DA-1945

Added capability for a delegated admin to send an OTP on behalf of a user not registered with Digital Access, using Mobile Text authentication.

Corrected bugs

Jira ticket number

Description

DA-2061

Fix for SAML SSO, preventing incorrect re-authentication.

DA-2044

Fixed logout issues in Digital Access Admin UI.

DA-2043

Removed unnecessary calls to Reporting database.

DA-1927

Scope validation for refresh_token grant type corrected as per specification.

DA-1910

Fixed issue with SAML SLO.

DA-1577

Fixed issue with Group membership in OAuth2 attribute.

DA-538

Fixed user login issue with disabled user storage accounts.

DA-2068

Fix for vulnerabilities.

Other components in Smart ID

Physical Access

This release does not contain any specific updates for the Physical Access component.

Smart ID Messaging (Hermod)

This release does not contain any specific updates for the Smart ID Messaging (Hermod) component.

Upgrade Smart ID

See Upgrade Smart ID with general information regarding upgrading Smart ID. For detailed information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

Smart ID compatibility

Compatibility table

Smart ID deployment configuration

Smart ID deployment configuration release note

# RELEASE NOTES FOR SMARTID DEPLOYMENT CONFIG

All notable changes to this project will be documented in this file. Be aware that the [Unreleased] features are not yet available in the official tagged builds.

## [Release 23.10.11-2025-01-09]

### Changed
- Changed Traefik version to 3.2.3

## [Release 23.04.27-2025-01-08]

### Changed
- Increased Traefik version to 3.2.3

## [Release 24.11.0-2024-11-29]

### Added
- Added a Tomcat web.xml setting a Rate Limit Filter to prevent DoS Attacks. [CRED-16798]
- Added the Nexus SVG logo in the selfservice app. [CRED-17286]

- New files generated by bootstrap scripts:
    - idm-encryptdb-bootstrap.p12 (replaces idm-encryption-bootstrap.p12)
    - idm-encryptconfig-bootstrap.p12
    - idm-signhistory-bootstrap.12
    - idm-signjwt-bootstrap.12
    - idm-signjws-bootstrap.12
  [CRED-16809]

### Changed
- upgrade to Postgres 16 [CRED-17704]
- restart-all.sh detects whether sudo is needed for docker commands [CRED-18249]
- Enable TLS 1.3 for Traefik (was TLS 1.2 only) [CRED-18049]
- Updated prime-connectors to 2311.1.0 (based on Ubuntu 22.04) [CRED-13886]
- Corrected Hermod and Selfservice setup in WSL dev readme and the configuration. [CRED-17952]
- Descriptors in signencrypt.xml now reference P12 keystores created by bootstrapping
  instead of dummy files from the respective IDM containers. [CRED-14971]
- DNs of bootstrapped certificates cleaned up. [CRED-16809]
- Bootstrapping creates separate P12 per use-case. [CRED-16809]
- Bootstrapping bash scripts replaced with docker container. [CRED-16808]
- Postgresql and cert bootstrap questions in init-smartid.sh default to "no". [CRED-16808]
- Updated the selfservice theme file. [CRED-17286]
- Changed Postgresql version to 14.12. [CRED-17538]
- Changed traefik version to 3.0.2. [CRED-17538]

### Removed
- "ObjectHistorySigner" descriptor version 1 for expired dummy cert removed from signencrypt.xml. [CRED-14971]
- Removed redundant size declaration from jws/jwt signer descriptors. [CRED-16808]
- Bootstrapping of user certs for users removed. [CRED-16808]
- DNs of bootstrapped certificates cleaned up. [CRED-16809]
- The process tracker moved from package de.nexus.projectutils.processtracker 
  to package de.nexus.flowable.processtracker in the file log4j2.xml and has to be enabled via the 
  SYSTEM_PROPERTIES environment variable in the file identitymanager/operator/docker-compose.yml. [CRED-17203]
  
## [Release 23.10.6-2024-07-15]

### Added

### Changed
- upgrade to Postgres 16 [CRED-17704]
- restart-all.sh detects whether sudo is needed for docker commands [CRED-18249]
- Updated prime-connectors to 2311.1.0 (based on Ubuntu 22.04) [CRED-13886]
- Corrected Hermod and Selfservice setup in WSL dev readme and the configuration. [CRED-17952]
- Changed Postgresql version to 14.12. [CRED-17538]
- Changed traefik version to 3.0.2. [CRED-17538]

## [Release 23.04.19-2024-07-2]

### Added

### Changed

- Changed Postgresql version to 14.12. [CRED-17538]
- Changed traefik version to 3.0.2. [CRED-17538]


## [Release 23.10.2-2023-10-30]

### Added

### Changed
- Modified permissions of the 'certs' directory in init-smartid.sh to 755 (to allow Hermod to read the directory). [CRED-16526]
- Updated Prime Connectors version. [CRED-16153]


## [Release 23.04.7-2023-08-28]

### Added
- Added missing attestation key config to signencrypt.xml (fixes VSC). [CRED-16128]

### Changed

## [Release 23.04.5-2023-07-17]

### Added
- Added a readme-wsl-dev.txt describing how to set up SmartID Docker containers in a WSL environment. [CRED-15948]
- Added environment variable to docker-compose.yml of authentication service.

### Changed
- Restored environment references for Digital Access and Physical Access containers [CRED-15915]

## [Release 23.04.4-2023-06-30]

### Added
- Added restart-all.sh for easy stopping and starting of all containers or a subset of them. [CRED-15854]

### Changed
- The variable DOCKER_NETWORK_MTU has the default value 1500 now. You are not forced to choose between several options. [CRED-15854]
- When executing init-smartid.sh a message informs you about the current MTU value and when it is recommended to reduce it. [CRED-15854]
- The names of most of the docker containers start with "smartid-" by default. This prefix can be changed now via variable DOCKER_CONTAINER_BASE_NAME in file smartid.env. [CRED-15854]
- The hostname of the postgresql container now has the DOCKER_CONTAINER_BASE_NAME prefix as well.

## [Release 23.04.3-2023-06-23]

### Added

- Added AriadNext Connector Docker image. [CRED-14963] 
- Added file .gitattributes so that \*.sh and \*.env files always contain only LF line endings instead of any CRLF. Fixed file datadog.env accordingly. [CRED-15795]

### Changed

- Escaped the ESC character (0x1B) in echo statements of shell scripts to avoid problems with Azure file preview and git diff output. [CRED-15795]


## [Release 23.04.2-2023-06-02]

### Added

### Changed

## [Release 23.04.1-2023-05-11]

### Added

- Added init-smartid.env to configure the docker network MTU. [CRED-14088 via CRED-15316]
- Added helperFunctions.sh and helperCreateLink.sh to be used by init-smartid.sh. [CRED-14088 via CRED-15316]

### Changed

- Replace deprecated docker network syntax in docker-compose.yml files. [CRED-14088 via CRED-15316]
- init-smartid.sh / stop-smartid.sh detect if docker needs sudo. [CRED-14088 via CRED-15316]
- init-smartid.sh now optionally removes files created by previous runs (postgres db, bootstrapped certs, etc). [CRED-14088 via CRED-15316]
- No explicit setting of env_file in docker-compose.yml files. [CRED-14088 via CRED-15316]
- Messaging database is now configured via MESSAGING_DB_URL var. [CRED-14088 via CRED-15316]
- stop-smartid.sh now uses the compose command "down" instead of "stop", which also removes the containers after shutting them down. [CRED-14088 via CRED-15316]

## [Release 23.04.0-2023-04-28]

### Added

- Added Workspace One Connector Docker image. [CRED-14215] 

### Changed

## [Release 22.10.0-2022-09-20]

### Added

- Added ContentProviderJWSSigner descriptor in signencrypt.xml. [CRED-12232]
- Added renewFromKeypairs.sh to renew end-entity certs.

  WARNING:

  - This only works if you (re-)bootstrap with the updated createca.sh, as the old version discarded data required for renewal.
  - Re-bootstrapping will invalidate any encrypted secrets and history signatures in IDM due to changing the keys.
  - Re-bootstrapping will also overwrite the certificates and keys in the docker deployment folder, so make a backup first,
    so you can use the respective tools for re-signing and re-encrypting existing history/secrets.

### Changed

- automatically (re-)start mailhog
- fixed naming of traefik rules for mobile-iron
- Changed createca.sh to retain keypairs and CA metadata, so we can enable renewal (see above).
- Removed cRLSign attribute from ca.conf to avoid issues with failing CRL checks.
  NOTE: This only has an effect on newly bootstrapped CAs.

## [Release 22.04.0-2022-05-05]

### Added

- Added Mobile Iron Docker image. [CRED-11817]
- Added new properties for MI image in smartid.env. [CRED-11817]

### Changed

- Changed properties for Nexus GO Cards API V2. [CRED-12951]

## [Release 21.10.0-2021-11-09]

### Added

- Added Digicert Global Root CA certificate. [CRED-11688]
- Added some Let's Encrypt root certificates. [DEVOPS-971]
- Added documentation for maxProfiles option to hermod-conf.yml
- Added `.yamllint` file to set default YAML linting config. [DEVOPS-1085]
- Added volume mapping for logs folder in IDM and Self Service. [DEVOPS-403]
- Fixed cacerts folder permissions in init-smartid.sh script.
- Added support for docker compose v2 command in init-smartid.sh script.

### Changed

- New properties for CAAS credentials in smartid.env (placeholders must be replaced before using Nexus GO Cards). [CRED-11688]
- Fixed some copy issues in the init-smartid.sh script.
- Changed the default selfservice config to include auth methods params example.
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Fixed typo. [DEVOPS-1090]
- Replaced Self-Service `IDM_URL`, `INSTANCE_ID`, `IDM_TENANT` by `APPLICATION_YAML` json. [DEVOPS-1127]
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Fixed YAML format. [DEVOPS-1085]
- IDM and SelfService now support custom translations and do not require mapping the whole translation files again. See doc for more info. [DEVOPS-1118]
- Change Import Logger to correct class [DEVOPS-1143]
- Switched to new image naming for IDM
  - `nexus-prime/explorer` changed to `smartid/identitymanager/operator`
  - `nexus-prime/designer` changed to `smartid/identitymanager/admin`
  - `nexus-prime/tenant` changed to `smartid/identitymanager/tenant`
  - `nexus-prime/updatedb` changed to `smartid/identitymanager/updatedb`
  - `nexus-prime/ussp2` changed to `smartid/selfservice`
- Changed Smart ID version to 21.10.0

### Removed

- Removed Self-Service config.json file. [DEVOPS-945]
- Removed expired Let's Encrypt certificates. [DEVOPS-971]
- Removed translation files for IDM and SelfService. [DEVOPS-1118]

## [Release 21.04.0-2021-05-20]

### Added

- Default values for Selfservice tenant id and instance id. [DEVOPS-738]
- Added example format for MSSQL everywhere we build the DB URL (`${DBHOST}/${XX_DB_NAME}`) because MSSQL requires a different URL format. [DEVOPS-737]
- Include SANs from CSR in bootstrap TLS cert in `bootstrap/conf/ca.conf`.
- Generate tls certificate for non-traefik setup in `bootstrap/createca.sh`.
- Log4j2 config and template for json layout [DEVOPS-758]
- Datadog agent compose file, with some examples, see nexus and datadog documentation if you want to use it [DEVOPS-759]
- Added a check in `init-smartid.sh` that exits the script if the user didn't fill in the mandatory properties in `smartid.env` (those with the <XX> value pattern). [DEVOPS-759]
- Added Physical Access Interflex PACS. [DEVOPS-752]

### Changed

- IDM DB will no longer be initialized through init-smartid.sh script. Initialisation has to be done manually by starting container in identitymanager/updatedb. [DEVOPS-739]
- Rename containers to use dash instead of underscore, so containerName can work for DNS lookup (underscore is not allowed in DNS names).
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align idm update db naming to use the name "updatedb" everywhere
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align digital access directory names with service names
- fix bootstrap cert folder permissions in init script
- Changed all `HERMOD_*` properties to `MESSAGING_*`. [DEVOPS-751]
- Moved each component's respective config into their own config folder. [DEVOPS-751]
- Made all volume mappings static in compose file, no more properties. [DEVOPS-751]
- Reorganized smartid.env to be split by component, making it easier to find component related properties. [DEVOPS-751]
- Internal ports (inside docker) are now static in the compose file. [DEVOPS-751]
- Moved postgres related properties outside smartid.env, because it is a separate tool not meant for production. [DEVOPS-751]
- Renamed service names in compose files to match their container name. [DEVOPS-751]
- Changed traefik version to 2.4.8. [DEVOPS-638]
- Changed file extension of generated certificates from `.base64` to `.cer`.
- Updated translation files for IDM. [DEVOPS-761]
- Updated Messaging config for 21.04 (Hermod version 3.1.1). [DEVOPS-802]
- Changed chmod command to give permission 700 instead of 600, because hermod needs execute permission.
- Updated SmartID version to 21.04

### Fixed

- Fixed typos in the strings that are echoed to the user during the initialisation. [DEVOPS-646]

### Removed

- Removed unused properties in smartid.env. [DEVOPS-751]
- Removed unused ports for Physical Access. [DEVOPS-752]
- Removed Physical Access config files. Configuration is now handled using environment variables. [DEVOPS-752]
- Removed TZ from all docker-compose files. Since it is set in `smartid.env` which is mapped using `env_file`, declaring the variable a second time in `env` was not necessary.

## [Release 20.11.2-2021-03-23]

### Added

- If you say Yes to the question if Digital Access shall be deployed in the host, it will make it possible for the containers to listen on 80 and 443. [DEVOPS-540]

### Changed

- Bump SmartID version to 20.11.2
- Updated IDM translation files with newer ones. [DEVOPS-561]
- Adjust volumes for hermod certificates. [DEVOPS-651]
- Removed Selfservice hotfixes introduced in previous release. [DEVOPS-626]

### Fixed

- Fixed tenant startup by removing mapped sign encrypt configuration, so it uses the default one from inside the container. Since IDM Tenant uses fewer certificates, the same config as IDM operator or admin cannot be used. [DEVOPS-640]
- Fixed the copy_files.sh script used in IDM operator, admin and tenant [DEVOPS-692] + [DEVOPS-656]

## [Release 20.11.1-2021-02-18]

### Added

- Added issuing and root CA certificates to IDM containers for config signing (These certs should NEVER be used for production). [DEVOPS-549]
- Added hotfix for SelfService -> IDM connection [DEVOPS-626] Has to be removed with 20.11.2+

### Changed

- Update sign-encrypt engine to the newest state. [DEVOPS-549]
- Update version number to 20.11.1

## [Release 20.11.0-2021-02-01]

### Added

- Added mailhog as tool in /tools/mailhog. The tool can be used to test to send emails in Digital Access and Identity Manager. [DEVOPS-482]

### Changed

- Set false on traefik network in the traefik, adminer and mailhog to be enabled in traefik by default. [DEVOPS-486]
- Changed file extension of generated certificates from `.crt` to `.base64`
- Changed so that identity manager Admin and Operator do not require signed configurations/modules for uploading and downloading them by default. [DEVOPS-515]

### Fixed

- Fix environment variable usage inside traefik config file. [DEVOPS-514]

## [Release 20.11.0-2020-12-22]

### Added

- Added support for selfservice branding. [DEVOPS-471]
- Added log4j volume mapping for idm containers. [DEVOPS-470]

### Changed

- Updated traefik version to 2.3.4 [DEVOPS-464]
- Renamed selfservice container from "idm_selfservice" to "selfservice".
- Renamed all environment variables starting with "IDM_SELFSERVICE_x" to "SELFSERVICE_x".
- Changed Hermod config to disable by default some end-points and to hide sensitive data in logs. [DEVOPS-484]
- Improved the `stop-smartid.sh` script to handle dynamically all docker-compose stop commands and to work regardless of where the script is called from.
- Improved the `init-smartid.sh` script to work regardless of where the script is called from.
- Improved the `createca.sh` script to work regardless of where the script is called from.
- Renamed `idm-selfservice-language.json` to `idm-selfservice-config.json`.

### Fixed

- Fixed volume mapping for selfservice tomcat server.xml by using a separate variable than identitymanager.
- Fixed French translations for IDM and Selfservice.

## [Release 20.11.0-2020-12-07]

### Added

- Added `postgres/init/init-smartid-databases.sql` so that Physical Access database is created when starting up postgres. The "pauser" is created, and a default password is set.
- Added LE CA Certificate to cacerts. [DEVOPS-455]
- Added AJP port variables in smartid.env and use them in identitymanager docker-compose files. Also added AJP Connector in `config/idm-tomcat-server.xml`, which has to be enabled manually (and port set accordingly). [DEVOPS-348]
- Add following new features to the identitymanager docker-compose files: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new system properties environment variable
  - Support for new DB properties environment variables
  - Support for new spring bean volume mapping. See `IDM_VOLUME_PATH_SPRING` in `smartid.env`.
  - Support for new jars volume mapping. See `IDM_VOLUME_PATH_LIBS` in `smartid.env`.
  - Support for new class files volume mapping. See `IDM_VOLUME_PATH_CLASSES` in `smartid.env`.
- Add following new features to the selfservice docker-compose file: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new IDM url environment variable
- Added adminer as tool [DEVOPS-407]
- Added maxVersion for TLS to be 1.2 due to compatibility issues with some mobile devices. [DEVOPS-413]

### Changed

- Changed smartid version to 20.11.0.
- Moved "/certs/bootstrap" to "/bootstrap".
- Changed postgres version in smartid.env from 9.6.18 to 12.5. [DEVOPS-431]
- Split identity manager containers into their own docker-compose files: [DEVOPS-382]
  - Added `identitymanager/admin/docker-compose.yml`
  - Added `identitymanager/tenant/docker-compose.yml`
  - Added `identitymanager/init-db/docker-compose.yml`
  - Added `identitymanager/operator/docker-compose.yml`
- Adapted `init-/stop-smartid.sh`, and paths inside `smartid.env` and some docker-compose files to fit new docker-compose yaml files. [DEVOPS-382]
- Changed the init-smartid.sh script to ask if traefik is going to be used as Ingress/proxy. [DEVOPS-408]
- Changed in `config/hermod-conf.yml` some values to <IDM-HOST-HERE> and <DA-HOST-HERE> on client samples.

### Removed

- Removed MSSQL from deployment package, since Physical Access now support postgres. [DEVOPS-448]
- Removed unnecessary variables in `smartid.env`.
- Removed identitymanager compose docker-compose file. [DEVOPS-382]
- Removed entrypoint definition from identitymanager docker-compose files. [DEVOPS-406]
- Removed pgAdmin and portainer and its variables from smartid.env. [DEVOPS-407]
- Removed modern and old options for tls in `config/traefik/traefik-tls.yml`. [DEVOPS-413]
- Removed TRAEFIK_TLS_OPTION from smartid.env. [DEVOPS-413]
- Removed identitymanager spring beans because we changed how we handle them.
- Removed samples.

## [Release 20.06.1-2020-10-27]

### Added

- Added port forwarding to hermod container in the messaging docker-compose file.
- Added spring bean files for identitymanager in `config/idm/spring_operation` and spring_admin.
- Added translation files for identitymanager in `config/idm/translation_idm` and for selfservice in `config/idm/translation_selfservice`.
- It is now possible to enable Strict SNI using TRAEFIK_TLS_STRICTSNI=true

### Changed

- changed smartid version to 20.06.1.
- Changed HERMOD_DOMAIN_PREFIX from "mb" to "messaging".
- Changed the DB init/update script behavior, can be controlled with `IDM_DBUPDATE_SCRIPT` in smartid.env.
- Changed `traefik-tls.toml` file to YAML and used variables from .env file. Possibility to change TLS certificate file names TRAEFIK_TLS_DEFAULT_CERTIFICATE and TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY.
- Improved the `init-smartid.sh` script.
- Moved selfservice to a separate docker-compose file.

### Fixed

- Fixed the jdbc url for `config/da-admin-customize.conf`.

### Removed

- Dropped `restart: always` for identitymanager init-db.
- Removed explicit DBHOST naming in `smartid.env` to force user to set its own value.

## [Release 20.06.0-2020-09-28]

### Added

- Added possibility to add custom-beans for IDM Operator and Admin, in `config/idm`.
- Added possibility to change translation for IDM Operator, Admin, Selfservice and Tenant.
- Added IDM_DB_QUARTZ example for MSSQL, Oracle and DB2.
- Added `container_name` for all containers in:
  - identitymanager/docker-compose.yml
  - traefik/docker-compose.yml
- Added docker hostname for postgresdb DB_HOST in `postgres/docker-compose.yml`, this will make test deployment work from start.
- Added docker hostname for mssqldb PA_DB_HOST in `mssql/docker-compose.yml`.
- Added `restart: always` to all containers. All containers will then start up after a reboot, if they have been started once before.
- Included SAML example files for IDM in `/samples/idm_saml`.

### Changed

- Changed smartid version to 20.06.0.
- Changed explorer/operator url in `idm-selfservice-application.yml`.
- Changed location of Identity Manager SAML samples files from `/docker/compose/examples` to `/samples/idm_saml`.
- Updated `init-smartid.sh`:
  - Now checks if docker and docker-compose are installed; if not, the script will exit.
  - Now asks if the deployment is a production deployment, if "Yes", the script will complete and deployment configuration can be done. If "No":
    - Ask if postgres and/or mssql shall be deployed and started.

### Fixed

- Moved comments in `smartid.env` file to be on a separate line instead of behind the value. This was breaking the applications since comments would be evaluated as part of the value.
- Fixed `init-smartid.sh` so that it works properly on CentOS.
- Fixed a typo for variable `IDM_DB_QUARTZ`.
- Fixed typo in idm-operator container in `identitymanager/docker-compose.yml`, in the path to the castore.jks.

### Removed

- Removed `init-smartid-test.sh`, it is included in init-smartid.sh.

Contact and support

For information regarding support, training, and other services in your area, visit www.nexusgroup.com/. Nexus offers maintenance and support services for Smart ID components to customers and partners.

For more information, go to Nexus Technical Support or contact your local sales representative.
