We're pleased to announce Topicus KeyHub 20.0. In this release we introduce our license model version 3, giving more flexibility to the way our customers can use our application. In addition to this, we are introducing the concept of nesting groups, which can greatly reduce the effort required to manage many similar groups.
Topicus KeyHub 20.0 will also benefit larger installations, this includes improved filtering and performance in many places. Furthermore, accounts in internal directories can now also be managed by non-KeyHub Administrators. And, as usual, a large number of smaller changes and bug fixes are included in this release.
Important notice: Java updated to address CVE-2022-21449
TKH-2109 We've swapped our Java virtual machine to the Amazon Corretto distribution of the OpenJDK. This version comes with the latest security updates, including a fix for CVE-2022-21449, also known as "psychic signatures". We recommend to upgrade your Topicus KeyHub installation as soon as possible.
License model version 3
TKH-1857 License model version 3 introduces a clear distinction between Pro users and Business users. It also adds a number of feature toggles for more advanced functionality provided by Topicus KeyHub. All existing users will be converted to Pro when upgrading to 20.0. New users will, by default, be assigned a Business license. This can be changed in Settings.
For the following functionality, a Pro license is required, which can be assigned via Accounts:
- Topicus KeyHub Administrators.
- Dynamic and static provisioning of accounts in LDAP, Active Directory or Azure.
- Managing of provisioned systems, SSO applications and OAuth2 clients.
TKH-1446 Sometimes it is convenient to use groups to organize data, such as passwords while giving the same users access to these groups. Previously, this would require managing group memberships for many different groups for the same accounts. In 20.0 it is now possible to nest groups under another group, automatically inheriting all accounts. This greatly streamlines the management of these groups.
Searching in overviews
TKH-1799 The overview pages throughout Topicus KeyHub, to some extent, could get quite hard to use on larger installations. In 20.0 we added a quick search filter on all these pages, allowing a user to quickly filter down the list. Also, the auto grouping now works much better with a large number of groups.
Ownership for internal directories
TKH-1954 Accounts and directories have always been the domain of the KeyHub Administrator. Since 20.0 it is now possible to extend this responsibility to other groups by assigning co-ownership of an internal directory to a group. This allows the group to invite external users themselves. The KeyHub Administrators stay in the loop and can intervene if required.
The following smaller improvements and bug fixes were made:
TKH-946We switched from RS256 to Ed25519 for signing of our tokens.
TKH-1604Many components in our testing infrastructure were updated to the latest versions and contributions were made to the open source community with these upgrades.
TKH-2009Our anti-robot protection now uses WASM for all major browsers, giving higher performance with better security.
TKH-2033It is now possible to change the fallback group for recovery requests in case a user does not have enough managers.
TKH-2035Users from an internal directory now get a e-mail notification when their e-mail address is changed.
TKH-2040The positioning of the date picker was fixed in some places when the page was scrolled.
TKH-2041A full provisioning sync now operates in smaller steps, reducing the memory footprint of the sync.
TKH-2042Locking was added to refreshing access tokens to prevent concurrent modifications.
TKH-2043The synchronizations page now refreshes correctly when starting a sync.
TKH-2045A large increase in performance was realized for users with a very large number of groups.
TKH-2047A small annoyance was fixed in places were an input field only was required under some conditions.
TKH-2048The details for an account now shows all groups, not just the first 100.
TKH-2049Some docker containers declared volumes which were not mounted. These were removed.
TKH-2050The full sync for provisioned systems did not handle destroyed accounts correctly.
TKH-2058An issue was fixed that could case background tasks to crash.
TKH-2061The update process now checks the validity of the certificate chain before starting the update, which prevents the update from failing later in the process.
TKH-2062The login page can now handle a much larger number of requests due to added caches.
TKH-2063The duration and size of the server side session for the login page was reduced to prevent outages during a DoS.
TKH-2064Many small changes were made to the operation system to harden its configuration.
TKH-2065Most criteria from the default group classification are now applied automatically when a new group is created.
TKH-2067A workaround was added to allow Safari 15.4 to load the stylesheet until the issue is fixed in Safari itself.
TKH-2069Mail enabled security groups cannot be provisioned on Azure and are now filtered from the list.
TKH-2070More information about group audits is shown to the user, including its current status and the usernames of the users who started, finished and reviewed the audit.
TKH-2072Topicus KeyHub now implements RFC 9207, blocking possible mix-up attacks.
TKH-2073Tests were added for detecting various errors in incorrect certificate chains.
TKH-2077Error handling was improved when trying to add a user to a group that was already present.
TKH-2078The SAML metadata resolver no longer keeps resolving old URLs.
TKH-2079Showing the last 5 MB of a log file now actually gives the last 5 MB.
TKH-2081The notification to users with a pending password reset incorrectly showed inactive users.
TKH-2082Accounts are now correctly activated and deactivated when 2FA is enabled or disabled on an account and the synchronization requires 2FA.
TKH-2083rssh was dropped from the appliance. The package was no longer maintained and no viable alternative exists.
TKH-2084ntpd was replaced by its more modern successor chronyd.
TKH-2085A client can now read its own permissions via the API.
TKH-2087Some unneeded packages were removed from the appliance.