We are proud to announce Topicus KeyHub 36. This release brings a variety of smaller and larger improvements throughout the entire application, taking Topicus KeyHub closer to a full IGA suite. Under the hood, the application is now powered by the latest release of PostgreSQL. Many improvements were made to the provisioning engine.
PostgreSQL 16
TKH-1997 In this release we upgrade our database from PostgreSQL 12, which will go end of life in November, to version 16. Normally, such a major version upgrade will impose significant downtime, as the database needs to be migrated and all indexes and statistics rebuilt. However, for our customers running a HA-cluster, we've developed a fully automated migration that requires less than a single second of outage. The database will be migrated on one of the nodes, while the application keeps running on the old database. When fully migrated, the new database will then be brought back up to date via logical replication, after which a fast switchover is performed.
TKH-2823 The new PostgreSQL 16 database also includes some tuning to database parameters to better use the resources available.
New licensing model and IGA suite
TKH-2965 In this release we've taken several important steps in transforming Topicus KeyHub into a full IGA (Identity Governance & Administration) suite. One of the most significant changes is our new licensing model 5. This brings 3 large changes:
- Activating groups on the dashboard no longer requires a Pro license, but is now a global feature available to Pro and Business users.
- A Pro license is now only needed for static or dynamic provisioning via groups. Users with a Business license can be KeyHub Administrators or manage access.
- A new type of user license, called IGA, was introduced. IGA users cannot be members of groups nor can they have a personal vault. An IGA user can only be a member of access profiles.
In addition to the changes to the license model, the following changes were also made:
- TKH-2809 The information about the identity of a person was separated from the account. Although this is not yet visible in the user interface, it allows us to extend and manage these properties in future versions.
- TKH-2960 Provisioning is also now available to access profiles.
- TKH-2997 A warning message was added to the Manage Access page when a group uses static or dynamic provisioning and also contains members with a Business license, for which this feature is not available.
Improvements to provisioning
TKH-3035 TKH-3068 It's now possible to exclude groups on a linked system from being managed by Topicus KeyHub. This can help greatly when migrating an existing setup to a setup managed by Topicus KeyHub. Also, it allows parts of a linked system to be outside the control of Topicus KeyHub, while still managing other parts.

In addition to this new feature, several smaller improvements were made and bugs fixed in the provisioning engine:
- TKH-2958 Usernames must be globally unique on a linked system, including on namespaces. This is now also correctly verified for service accounts.
- TKH-3014 An error was fixed in the SCIM provisioning when the target system supports PATCH on users.
- TKH-3041 When using SCIM provisioning on AWS, Topicus KeyHub no longer uses query parameters that AWS does not understand.
- TKH-3042 Removing a group on system with static provisioning enabled now correctly removes all memberships for that group on system.
- TKH-3054 When using SCIM provisioning on AWS, creating a new group could result in an error.
- TKH-3055 An open circuit breaker for a broken linked system would result in incorrect error messages.
Assorted improvements
The following larger and smaller improvements and bug fixes were made:
- TKH-2701 We've improved our tooling to generate licenses for different versions of Topicus KeyHub.
- TKH-2822 Constraints were added to many columns in the database that are conditionally not null.
- TKH-2920 Values inherited from a parent organisational unit are now displayed when editing the settings for a nested organisational unit.
- TKH-2948 The account export now contains an additional column indicating if rotating password is enabled or not.
- TKH-2954 E-mails sent from the appliance manager now include the node identifier.
- TKH-2962 TKH-3048 Substantial improvements were made to the tests to make them more reliable and easier to build.
- TKH-2964 The Add button for namespaces on a linked system is no longer visible for KeyHub Administrators in the admin overview.
- TKH-2975 The indirect permissions for groups on systems and service accounts were simplified and cleaned up.
- TKH-2976 The permissions for launchpad items were simplified and cleaned up.
- TKH-2981 The notification for a request to create a new internal account now mentions the directory it will be created in.
- TKH-2998 The user interface of the appliance manager now shows the correct controls and indicators when using offline updates.
- TKH-2999 Some minor improvements were made to prevent other password managers from overwriting passwords in the Topicus KeyHub vault when editing a record.
- TKH-3003 The appliance manager now enforces a proxied setup when using a cluster.
- TKH-3007 TKH-3016 The OTLP container no longer spams the logs with errors when using the metrics endpoint.
- TKH-3015 Salt updates now clean up properly to prevent package collisions after an update.
- TKH-3018 A permission denied error was fixed when using a private group as password recovery fallback group.
- TKH-3020 Trying to render an error when unauthenticated no longer leads to another error.
- TKH-3022 The TCP implementation for the JGroups communication layer was switched to NIO2, which is more reliable.
- TKH-3024 Some minor fixes were applied to the log rotate configuration.
- TKH-3025 The effect of the log rotation is now also logged.
- TKH-3027 Backups in a cluster are now always created from the primary node, unless explicitly requested to be created from a specific node.
- TKH-3028 Some inter-file dependencies were corrected in the configuration management.
- TKH-3029 The appliance manager now also records statistics and reports these via the metrics.
- TKH-3032 Obsolete states in the Salt configuration management could lead to stale information being displayed in the appliance manager.
- TKH-3033 Error handling in the appliance manager was improved in case a time-out occurs while reading the status of a running job.
- TKH-3038 The application server was upgraded to WildFly 33.0.1.
- TKH-3039 Disabling sharing a client secret in the vault of the administrating group now correctly results in that vault record being removed.
- TKH-3043 Logging in on the appliance manager via SSO no longer leads to a not found page.
- TKH-3044 Manage access now shows which elements are currently disabled.
- TKH-3045 A backup restore could fail due to a race condition in reading the output of the restore operation.
- TKH-3046 Reliability in the emergency snapshot recovery in a cluster was improved.
- TKH-3047 A textual omission was fixed in the description for the technical administration property of a group.
- TKH-3052 Characters that are not permitted in XML could end up in the audit log and cause problems in the Topicus KeyHub console.
- TKH-3053 A minor textual change was applied to the audit record representing the removal of an account from a group.
- TKH-3057 The actor on the audit records for accepting a new group on system was recorded incorrectly.
- TKH-3060 Support for newer VMWare hardware platforms was added to the OVA.
- TKH-3061 KeyHub Administrators are no longer hidden on the account bulk edit page.
- TKH-3066 Logs from the appliance manager now contain the correct value for the hostname label.
