We're pleased to announce Topicus KeyHub 20.0. In this release we introduce our license model version 3, giving more flexibility to the way our customers can use our application. In addition to this, we are introducing the concept of nesting groups, which can greatly reduce the effort required to manage many similar groups.
Topicus KeyHub 20.0 will also benefit larger installations, this includes improved filtering and performance in many places. Furthermore, accounts in internal directories can now also be managed by non-KeyHub Administrators. And, as usual, a large number of smaller changes and bug fixes are included in this release.
TKH-2109
We've swapped our Java virtual machine to the Amazon Corretto distribution of the OpenJDK. This version comes with the latest security updates, including a fix for CVE-2022-21449, also known as "psychic signatures". We recommend to upgrade your Topicus KeyHub installation as soon as possible.
TKH-1854
TKH-1857
License model version 3 introduces a clear distinction between Pro users and Business users. It also adds a number of feature toggles for more advanced functionality provided by Topicus KeyHub. All existing users will be converted to Pro when upgrading to 20.0. New users will, by default, be assigned a Business license. This can be changed in Settings.
For the following functionality, a Pro license is required, which can be assigned via Accounts:
TKH-1446
Sometimes it is convenient to use groups to organize data, such as passwords while giving the same users access to these groups. Previously, this would require managing group memberships for many different groups for the same accounts. In 20.0 it is now possible to nest groups under another group, automatically inheriting all accounts. This greatly streamlines the management of these groups.
TKH-1798
TKH-1799
The overview pages throughout Topicus KeyHub, to some extent, could get quite hard to use on larger installations. In 20.0 we added a quick search filter on all these pages, allowing a user to quickly filter down the list. Also, the auto grouping now works much better with a large number of groups.
TKH-1954
Accounts and directories have always been the domain of the KeyHub Administrator. Since 20.0 it is now possible to extend this responsibility to other groups by assigning co-ownership of an internal directory to a group. This allows the group to invite external users themselves. The KeyHub Administrators stay in the loop and can intervene if required.
The following smaller improvements and bug fixes were made:
TKH-946
We switched from RS256 to Ed25519 for signing of our tokens.TKH-1604
Many components in our testing infrastructure were updated to the latest versions and contributions were made to the open source community with these upgrades.TKH-2009
Our anti-robot protection now uses WASM for all major browsers, giving higher performance with better security.TKH-2033
It is now possible to change the fallback group for recovery requests in case a user does not have enough managers.TKH-2035
Users from an internal directory now get a e-mail notification when their e-mail address is changed.TKH-2040
The positioning of the date picker was fixed in some places when the page was scrolled.TKH-2041
A full provisioning sync now operates in smaller steps, reducing the memory footprint of the sync.TKH-2042
Locking was added to refreshing access tokens to prevent concurrent modifications.TKH-2043
The synchronizations page now refreshes correctly when starting a sync.TKH-2045
A large increase in performance was realized for users with a very large number of groups.TKH-2047
A small annoyance was fixed in places were an input field only was required under some conditions.TKH-2048
The details for an account now shows all groups, not just the first 100.TKH-2049
Some docker containers declared volumes which were not mounted. These were removed.TKH-2050
The full sync for provisioned systems did not handle destroyed accounts correctly.TKH-2058
An issue was fixed that could case background tasks to crash.TKH-2061
The update process now checks the validity of the certificate chain before starting the update, which prevents the update from failing later in the process.TKH-2062
The login page can now handle a much larger number of requests due to added caches.TKH-2063
The duration and size of the server side session for the login page was reduced to prevent outages during a DoS.TKH-2064
Many small changes were made to the operation system to harden its configuration.TKH-2065
Most criteria from the default group classification are now applied automatically when a new group is created.TKH-2067
A workaround was added to allow Safari 15.4 to load the stylesheet until the issue is fixed in Safari itself.TKH-2069
Mail enabled security groups cannot be provisioned on Azure and are now filtered from the list.TKH-2070
More information about group audits is shown to the user, including its current status and the usernames of the users who started, finished and reviewed the audit.TKH-2072
Topicus KeyHub now implements RFC 9207, blocking possible mix-up attacks.TKH-2073
Tests were added for detecting various errors in incorrect certificate chains.TKH-2077
Error handling was improved when trying to add a user to a group that was already present.TKH-2078
The SAML metadata resolver no longer keeps resolving old URLs.TKH-2079
Showing the last 5 MB of a log file now actually gives the last 5 MB.TKH-2081
The notification to users with a pending password reset incorrectly showed inactive users.TKH-2082
Accounts are now correctly activated and deactivated when 2FA is enabled or disabled on an account and the synchronization requires 2FA.TKH-2083
rssh was dropped from the appliance. The package was no longer maintained and no viable alternative exists.TKH-2084
ntpd was replaced by its more modern successor chronyd.TKH-2085
A client can now read its own permissions via the API.TKH-2087
Some unneeded packages were removed from the appliance.