We are proud to announce the 17.1 release of Topicus KeyHub. This release brings private groups and restricted accounts, the ability to increase the disk space available to KeyHub, several improvements to the upgrade process, and an upgrade of Python to version 3. In addition, a number of smaller improvements have been made and several issues have been fixed.

Note: Due to some major upgrades behind the scenes, the update process can take longer than usual: up to 15 minutes after creating the backup.

Improved update process

TKH-1553 TKH-1557 TKH-1558 TKH-1559 TKH-1562 TKH-1565 TKH-1569 TKH-1572 TKH-1581 We've worked hard to stabilize and improve the upgrade processes, both "online" and "offline". Among other things, we fixed problems with "offline" upgrades and problems when upgrading the database from an older KeyHub version, and we stabilized applying system updates for salt so this process should be less finicky. We thank our customers for their patience and assistance with troubleshooting and resolving the issues we ran into.

Private groups and restricted accounts

TKH-1505 We added the ability to mark a group as private. Private groups are not visible to users unless they are a member of the group. Normal users cannot request to join a private group and have to be added by one of the group's managers.

Group managers can mark their group as private via the edit screen

We also reworked the "restricted accounts" feature. An account that is marked as restricted ("Can request group access" is set to "No") cannot see any groups it is not already a member of. In essence, every group is marked private from its point of view.

Users who can't see a particular group (whether because the group is private or their account is restricted) are also unable to do things like move vault records to such a group.
KeyHub administrators and auditors will always be able to see all groups, but only on their role-specific pages (such as the auditor dashboard).

Increase and allocate available disk space

TKH-1410 TKH-1571 If your KeyHub installation is nearing the end of available disk space you can now give it a larger disk.
After increasing the size of the disk available to the VM, you can then allocate the newly-available space from the appliance manager.

Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-1393 It is now possible to import PKCS#12 certificate containers (.p12) as an alternative to PEM files.
  • TKH-1431 We upgraded Python to major version 3.
  • TKH-1509 We improved the feedback on invalid combinations of certificate/networking options during installation or configuration.
  • TKH-1534 The initial certificate generated during first boot will no longer have a not-before value in the future in case of timezone difficulties.
  • TKH-1536 You will no longer be logged out during installation if the initial and eventual URL for the appliance manager are the same.
  • TKH-1542 We added support for U2F/CTAP1 security keys.
  • TKH-1543 KeyHub should no longer send an unusable 2FA notification to the KeyHub app on your phone if you're using security keys.
  • TKH-1544 We improved the styling of the 2FA pages during login and registration.
  • TKH-1548 A self-signed certificate generated during install will now use the correct hostname.
  • TKH-1549 KeyHub will now give more meaningful feedback if the uploaded certificate fails to validate due to certificate chain errors.
  • TKH-1550 Vault records containing only a comment can once again be opened.
  • TKH-1552 We renewed the install license that comes with the KeyHub installer.
  • TKH-1554 To assist with restrictions on the devices used, it is now possible to disable manual configuration of 2FA. Users can then only set up one 2FA method, and can only configure a new one after a reset request has been accepted by the helpdesk group.
  • TKH-1555 KeyHub now generates some extra characters at the end of the rotating password to improve compliance with password complexity restrictions.
  • TKH-1556 Webhooks can now be given a name to better characterize their function.
  • TKH-1561 We limited the memory usage of the login page.
  • TKH-1564 KeyHub now forces a password sync as soon as it detects a mismatch between the password used for KeyHub and the password in the source directory.
  • TKH-1567 We fixed the permissions for a configuration file that led to errors while applying a change in the KeyHub configuration.
  • TKH-1573 We fixed a bug where editing a vault record could result in an error.
  • TKH-1574 The TOTP code field should no longer suggest it is optional.
  • TKH-1575 The Topicus KeyHub MTA container should restart less often after configuration updates.
  • TKH-1583 A race condition was fixed that could cause a user session to become unusable.