Release notes Topicus KeyHub 19.3

We're proud to announce Topicus KeyHub 19.3. This release brings syslog log streaming capabilities to the appliance. Also, our password recovery system has been enhanced to allow full self service password recovery. Two new provisioning schemes were added to the Azure Active Directory provisioning, introduced in 19.1. Lastly our group classifications, also introduced in 19.1, received several new options. And, as usual, a large number of smaller changes and bug fixes are included in this release.

Log streaming

TKH-1547 TKH-2046 The entire logging infrastructure of the Topicus KeyHub appliance has been renewed. Logging of the Topicus KeyHub application is now performed through a centralized syslog container and forwarded to the syslog daemon on the host. The daemon on the host can be configured to forward the logs to a log streaming service for secure, near real time storage.

Full self-service password recovery

TKH-1972 Our password recovery on AD has been extended to allow the newly chosen password to be written back to the directory. This gives the possibility to provide full self-service password recovery via Topicus KeyHub. This password recovery can be used together with social recovery and when using a helpdesk group. Verification of the authenticity of the recovery request can be configured to be done via 2FA or e-mail or both.

Azure source directory provisioning

TKH-1958 TKH-1959 New provisioning schemes are implemented that allow source directory provisioning on Azure Active Directory. This will allow Topicus KeyHub to dynamically assign existing users to groups in an Azure tenant. This option can also be combined with an on-premise Active Directory when using Azure Active Directory Connect.

Requirements via group classifications

TKH-1977 TKH-1986 TKH-2027 TKH-2028 TKH-2029 Many new options were added to group classifications, making it possible to put restrictions on most group settings. Managers of groups with these classifications will automatically receive a notification when their group does not meet the requirements.

Small improvements

The following smaller improvements and bug fixes were made:

• TKH-1576 It is now possible to specify a hint for new group names, for example a pattern.
• TKH-1739 New rules are enforced when handling cascading requests that prevent the same user to be involved in a single chain of requests more than once.
• TKH-1775 It is now possible to disable social recovery or all recovery on a specific vault.
• TKH-1839 Topicus KeyHub now sends notifications per e-mail when a user's authentication information changes in a significant way.
• TKH-1867 The settings for the firewall in the appliance manager are now grouped together.
• TKH-1906 The e-mails for social recovery now mention that a second approval is required.
• TKH-1921 It is now possible to search groups on their UUID.
• TKH-1923 TKH-1925 New options are available for generating the sAMAccountname attribute on Active Directory and changes are synced for existing users.
• TKH-1934 It is now possible to retrieve a generated password via the REST API.
• TKH-1936 Shared vault records no longer trigger a notification on the dashboard when they expire. Only the original vault record triggers such a notification.
• TKH-1937 A button was added to trigger a test mail from the appliance manager.
• TKH-1951 A different group than KeyHub administrators can now be configured to handle requests for creating new groups, enabling technical administration and/or removing groups.
• TKH-1955 A CSV export was added for group memberships via the auditor groups dashboard.
• TKH-1967 All groups now automatically get a default classification assigned.
• TKH-1974 For groups with high traffic, the audit records can now be hidden from the audit trail on users' dashboards to reduce noise.
• TKH-1978 A system-wide retention period can now be configured for the audit log.
• TKH-1994 Pgpool-II was upgraded to 4.3.1.
• TKH-1998 Secret shares used for password recovery are now synced more often, and are immediately invalidated when a user leaves the helpdesk or KeyHub administrators group.
• TKH-2002 The application server was upgraded to WildFly 26.0.1.
• TKH-2007 A client application can now be immediately granted access to vaults of groups it creates.
• TKH-2008 It is now possible to request static provisioning when requesting to add a group to a group on a linked system.
• TKH-2010 Names can now be 255 characters long throughout the entire application.
• TKH-2011 An attribute active was added that can be used for custom attribute scripts that indicates if that group is currently enabled for the account.
• TKH-2012 An issue was fixed when a vault containing a shared vault record became inaccessible, for example when the group was deleted.
• TKH-2014 It is now possible to setup authorization for groups using the group itself to do the authorization.
• TKH-2015 Logs are now rotated using the date of the contents, rather than the date of rotation.
• TKH-2016 The login flow was improved to prevent the user from having to enter the password twice under some circumstances.
• TKH-2020 An error was fixed that could occur when trying to logon to the appliance manager using SSO.
• TKH-2021 The tools dig and nslookup are now installed by default in the appliance to assist with debugging networking issues.
• TKH-2023 Acceptance releases are now made available in a separate folder in our downloads directory.
• TKH-2025 The SaltStack FQDNs grains were disabled to prevent SaltStack from making many reverse DNS lookup calls for internal IP addresses.
• TKH-2026 The initialization of the distributed device code registry was fixed to prevent possible issues when running in a cluster.
• TKH-2030 When starting an audit from the notification on the dashboard, an existing draft is opened, if present, instead of starting a new audit.
• TKH-2036 A CSV export for accounts was added to the auditor accounts dashboard.
• TKH-2037 Sorting of accounts on two factor authentication status was fixed.