We are proud to announce the 17.1 release of Topicus KeyHub. This release brings private groups and restricted accounts, the ability to increase the disk space available to KeyHub, several improvements in the upgrade process and we upgraded python to version 3. In addition, a number of smaller improvements have been made and several issues have been fixed.
Note: Due to some major upgrades behind the scenes, the update process can take longer than usual, up to 15 mins after creating the backup.
Improved update process
We've worked hard to stabilize and improve the upgrade processes, both "online" and "offline". Among other things we fixed problems in for "offline" upgrades, problems when upgrading the database from an older KeyHub version and we stabilized applying system updates for salt so this process should be less finicky. We thank our customers for their patience and assistance with troubleshooting and resolving the issues we ran into.
Private groups and restricted accounts
TKH-1505 We added the ability to mark a group as private. Private groups are not visible to users unless they are a member of the group. Normal users can not request to join a private group and have to be added by one of the group's managers.
We also reworked the "restricted accounts" feature. An account that is marked as restricted ("Can request group access" is set to "No") can not see any groups they are not already a member of. In essence, every group is marked private from their point of view.
Users who can't see a particular group (whether because the group is private or their account is restricted) are also unable to do things like move vault records to such a group.
KeyHub administrators and auditors will always be able to see all groups, but only on their role-specific pages (such as the auditor dashboard).
Increase and allocate available disk space
TKH-1571 If your KeyHub installation is nearing the end of available disk space you can now give it a larger disk.
After increasing the size of the disk available to the VM, you can then allocate the newly-available space from the appliance manager.
The following smaller improvements and bug fixes were made:
TKH-1393It is now possible to import PKCS#12 certificate containers (.p12) as an alternative to PEM files.
TKH-1431We upgraded Python to major version 3.
TKH-1509We improved the feedback on invalid combinations of certificate/networking options during installation or configuration.
TKH-1534The initial certificate generated during first boot will no longer have a not-before value in the future in case of timezone difficulties.
TKH-1536You will no longer be logged out during installation if the initial and eventual url for the appliance manager are the same.
TKH-1542We added support for U2F/CTAP1 security keys.
TKH-1543KeyHub should no longer send an unusable 2FA notification to the KeyHub app on your phone if you're using security keys.
TKH-1544We improved the styling of the 2FA pages during login and registration.
TKH-1548A self-signed certificate generated during install will now use the correct hostname.
TKH-1549KeyHub will now give more meaningful feedback if the uploaded certificate fails to validate due to certificate chain errors.
TKH-1550Vault records containing only a comment can once again be opened.
TKH-1552We renewed the install license that comes with the KeyHub installer.
TKH-1554To assist with restrictions on the devices used, it is now possible to disable manual configuration of 2FA. Users can then only set up one 2FA method, and can only configure a new one after a reset request has been accepted by the helpdesk group.
TKH-1555KeyHub now generates some extra characters at the end of the rotating password to improve compliancy with password complexity restrictions.
TKH-1556Webhooks can now be given a name to better characterize their function.
TKH-1561We limited the memory usage of the login page.
TKH-1564KeyHub now forces a password sync as soon as it detects a mismatch between the password used for KeyHub and the password in the source directory.
TKH-1567We fixed the permissions for a configuration file that lead to errors while applying a change in the KeyHub configuration.
TKH-1573We fixed a bug where editing a vault record could result in an error.
TKH-1574The TOTP code field should no longer suggest it is optional.
TKH-1575The Topicus KeyHub MTA container should restart less often after configuration updates.
TKH-1583A race condition was fixed that could cause a user session to become unusable.