We are proud to announce Topicus KeyHub 20.1. This release features a major OS upgrade, moving from CentOS 7 to AlmaLinux OS 8. As part of this upgrade, we worked hard on hardening our package management and providing signed software bundles. For group managers, we now provide dashboards that give insight into the managed groups. We've also taken the first steps towards more customizable communication in our notification centre. And, as usual, a large number of smaller changes and bug fixes are included in this release.
TKH-1468
CentOS 7 has served us well for all these years, but with the EOL nearing, it was time to move on. With the most obvious candidate, CentOS 8, scrapped, we looked at alternatives. AlmaLinux OS 8 provides a clean upgrade path from CentOS 7 and it is likely to stay supported for a long time to come.
The upgrade from CentOS 7 to AlmaLinux 8 needs to be done manually. First upgrade your Topicus KeyHub installation to 20.1 and install all pending operating system updates. Now upload the alma8 upgrade image to upgrade the VM. This will take some time, during which the VM will reboot several times. At the end, your installation will be running Topicus KeyHub 20.1 on AlmaLinux OS 8.6. Be aware that 20.1 is the last version to be supported on CentOS 7 and you will not be able to update to 20.2 before upgrading to AlmaLinux 8.
Topicus KeyHub 20.1 will run just fine on CentOS 7 and it will be just as secure as on AlmaLinux 8.
For complete instructions on the OS upgrade, please follow our upgrade guide. We will contact all our customers in the weeks following the release of 20.1. We recommend that all our customers wait for our call; during this moment of contact you can ask for help or guidance.
TKH-2052
TKH-2053
Topicus KeyHub now checks the signature of all software being installed onto the VM. In addition, the update bundles for offline updates are now signed (recognizable by the .gpg extension). Not only does this protect the bundles against corruption due to a bad download, but it also protects them from being modified by an attacker with malicious intent.
TKH-2071
TKH-2089
When you are a manager in one or more groups, or a member of a group performing additional authorization on other groups, it is now possible to get insights into these groups via a dashboard.
TKH-1841
TKH-1852
In our communication centre, you can now configure a custom signature for all mails sent by Topicus KeyHub. You can also remove any links that would be added to these mails, if company policy forbids the use of mails with links. In the future, it is likely that more options for customization of communication will be added here.
The following smaller improvements and bug fixes were made:
TKH-1970: Several new colours were added to the vault records.
TKH-1996: It is now possible to send complete context objects with webhook deliveries.
TKH-2032: Topicus KeyHub can now be run on AWS. Expect a marketplace subscription soon.
TKH-2060: More information is shown for every node in a cluster, including its version.
TKH-2080: The keyhub user can now have a public key for ssh set.
TKH-2088: Members of the auditor group can now disable accounts via the accounts dashboard to allow quick intervention in case of an emergency.
TKH-2091: The feedback when uploading a license with missing features that are currently in use now displays which features are missing.
TKH-2092: The appliance manager now checks certain features of the license.
TKH-2093: Topicus KeyHub is now able to generate licenses in the new format.
TKH-2094: The nginx proxy no longer advertises its version via headers.
TKH-2100: A new option was added for setting up group nesting to connect overlapping accounts and keep the others.
TKH-2107: When starting an upgrade, the browser no longer keeps scrolling down.
TKH-2111: An RFC 7662 compliant OAuth 2.0 Token Introspection endpoint was added. The endpoint is advertised in the server metadata.
TKH-2113: The error handling of the Topicus KeyHub Console was improved to keep on trying when it is unable to read the server metadata.
TKH-2115: The webhook component used in a cluster was upgraded to 2.8.0.
TKH-2118: The pop-up to request new groups now displays the full name of the new group to prevent confusion.
TKH-2119: It is no longer possible to store empty files in the vault. These were causing trouble due to the missing content.
TKH-2123: OAuth 2.0 tokens are now scoped as requested, rather than what the user gave consent to in the past.
TKH-2124: Deployment in the Azure Marketplace was fixed.
TKH-2130: It is now possible to mark nodes as unavailable to take them out of the load balancer. This allows the operator to perform maintenance on nodes without causing service unavailability.
TKH-2131: A race condition in the startup of Pgpool was reported and fixed upstream.
TKH-2133: Salt calls are now performed async and with more realistic timeouts.
TKH-2134: The subject of some e-mails was fixed.
TKH-2135: Invalid or disabled accounts no longer count as valid targets for secret shares.
TKH-2137: Validation of the short-lived tokens for exports has been improved to prevent cross posting.
TKH-2141: Pgpool was upgraded to 4.3.2.
TKH-2144: Restoring a backup now also restores the secrets required to use the database.
TKH-2149: Clients can now create private groups.
TKH-2150: Clients now also get the permissions reflecting features from the license.