We are pleased to announce Topicus KeyHub 13.1. This release brings an entirely new provisioning scheme, which allows dynamic provisioning of groups on existing accounts. The work on compliance management, started in 13.0, has been continued: it is now possible to review previously performed audits. We have also greatly streamlined the installation experience, removing many of the bottlenecks we identified in 13.0. As usual, a number of smaller improvements have been made and many issues have been fixed.

Account provisioning

TKH-1054 A new type of provisioning was added with which users can dynamically enable and disable groups in their source directory. This allows for a very easy transition from an existing static situation to a situation where Topicus KeyHub manages access. For example, when VPN access is allowed to members of a group in your Active Directory, Topicus KeyHub can now dynamically add members to and remove members from this group.


TKH-1070 UIDs (POSIX user ids) are now assigned from reusable number sequences. This makes it possible to use the same UID across multiple LDAP instances and servers. Using the same UIDs prevents problems with permissions when transferring files or when replacing LDAP instances.

Furthermore, the following smaller improvements were made to account provisioning:

  • TKH-1096 Fetch certificate from server now also works for Active Directory.
  • TKH-1098 A bug was fixed that would make it impossible to choose some groups on a provisioned system.
  • TKH-1102 The user's e-mail address is now added to the accounts on LDAP and Active Directory. On OpenLDAP this requires the inetOrgPerson schema, otherwise provisioning will fail.
  • TKH-1114 A textual change was made to the group selection popout to differentiate between groups in Topicus KeyHub and groups on the provisioned system.
  • TKH-1115 Saving a provisioned system with configuration errors no longer results in a system error.

Auditing groups

TKH-1072 TKH-1075 Audits performed on a group can now be reviewed by other managers of the group. A concise view is given with the number of confirmations, modifications and removals per audit. The audit can also be opened for a more detailed view. When performing an audit, disabled or invalid accounts are crossed out.


Topicus KeyHub virtual appliance

UX testing of the installation wizard of the virtual appliance has given us great insight into the bottlenecks experienced by our users. Careful reordering and optimization have reduced the number of configuration steps from 5 to 3. Common errors with certificates are now much easier to recognize and fix, and e-mail configuration has been removed from the initial configuration entirely. The result is a much smoother installation experience in which users are much less likely to get stuck.


The following improvements and bug fixes were made to the appliance:

  • TKH-1081 OS updates are now installed during packaging of the ova.
  • TKH-1083 E-mail configuration now supports SMTPS and TLS.
  • TKH-1084 E-mail configuration is now deferred until after the installation.
  • TKH-1085 The transfer of the session to the new URL can now be performed manually, giving more insight into possible problems.
  • TKH-1086 Certificates signed with SHA1 are now rejected immediately.
  • TKH-1087 A range of basic validity checks is now performed directly when uploading certificates rather than at configuration time.
  • TKH-1088 The user interface now clearly shows the contents of the certificates used.
  • TKH-1089 It is now possible to skip creation of a backup before applying new configuration settings.
  • TKH-1091 A script for manual upgrades has been added.
  • TKH-1092 The installation wizard now correctly tracks progress after creating the initial user.
  • TKH-1093 The vault recovery keys are now generated and downloaded when starting Topicus KeyHub for the first time.
  • TKH-1103 The user is forced to the right pages during installation, making it impossible to break out of the installer.
  • TKH-1105 Restoring a backup directly at install no longer gives an error on some backups.
  • TKH-1108 A file leak that would cause the appliance manager to crash after 3 weeks was fixed.
  • TKH-1117 A bug was fixed in which the fail-safe recovery could cause the system to get into an invalid state when a new kernel was installed.

Browser extension

TKH-930 TKH-994 TKH-1099 TKH-1116 A new version of the browser extension (3.3.0) was released together with Topicus KeyHub 13.1. This new version adds keyboard shortcuts and the possibility to navigate the records using the keyboard. Press Ctrl-Shift-F to trigger the 'Fill with Topicus KeyHub' option on a username or password field. Use the Up and Down arrows to navigate the items and press Enter to select. When on a username or password field you can also use Ctrl-Shift-X to immediately fill your username and rotating password.

Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-1079 A bug was fixed that could cause KeyHub to incorrectly report that a request was already processed.
  • TKH-1080 The application server has been upgraded to WildFly 15.
  • TKH-1094 Requests for new groups made by a KeyHub Administrator are now automatically accepted.
  • TKH-1097 The options for selecting a certificate have been improved.
  • TKH-1110 It is no longer possible to guess usernames by interpreting hints shown on the login page.
  • TKH-1118 The Java runtime has been upgraded to OpenJDK 11.