Emond Papegaaij 25/04/2022

Topicus KeyHub 20.0

We're pleased to announce Topicus KeyHub 20.0. In this release we introduce our license model version 3, giving more flexibility to the way our customers can use our application. In addition to this, we are introducing the concept of nesting groups, which can greatly reduce the effort required to manage many similar groups.

Topicus KeyHub 20.0 will also benefit larger installations, with improved filtering and performance in many places. Furthermore, accounts in internal directories can now also be managed by non-KeyHub Administrators. And, as usual, a large number of smaller changes and bug fixes are included in this release.


Important notice: Java updated to address CVE-2022-21449

TKH-2109 We've switched our Java virtual machine to the Amazon Corretto distribution of the OpenJDK. This version comes with the latest security updates, including a fix for CVE-2022-21449, also known as "psychic signatures". We recommend upgrading your Topicus KeyHub installation as soon as possible.

License model version 3

TKH-1854 TKH-1857 License model version 3 introduces a clear distinction between Pro users and Business users. It also adds a number of feature toggles for more advanced functionality provided by Topicus KeyHub. All existing users will be converted to Pro when upgrading to 20.0. New users will, by default, be assigned a Business license. This can be changed in Settings.

For the following functionality, a Pro license is required, which can be assigned via Accounts:

  • Topicus KeyHub Administrators.
  • Dynamic and static provisioning of accounts in LDAP, Active Directory or Azure.
  • Management of provisioned systems, SSO applications and OAuth2 clients.

Nested groups

TKH-1446 Sometimes it is convenient to use groups to organize data, such as passwords, while giving the same users access to these groups. Previously, this would require managing group memberships for many different groups for the same accounts. In 20.0 it is now possible to nest groups under another group, automatically inheriting all accounts. This greatly streamlines the management of these groups.

Searching in overviews

TKH-1798 TKH-1799 The overview pages throughout Topicus KeyHub could, to some extent, become quite hard to use on larger installations. In 20.0 we added a quick search filter on all these pages, allowing a user to quickly filter down the list. Also, the auto grouping now works much better with a large number of groups.

Ownership for internal directories

TKH-1954 Accounts and directories have always been the domain of the KeyHub Administrator. As of 20.0 it is possible to extend this responsibility to other groups by assigning co-ownership of an internal directory to a group. This allows the group to invite external users themselves. The KeyHub Administrators stay in the loop and can intervene if required.

Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-946 We switched from RS256 to Ed25519 for signing of our tokens.
  • TKH-1604 Many components in our testing infrastructure were updated to the latest versions and contributions were made to the open source community with these upgrades.
  • TKH-2009 Our anti-robot protection now uses WASM for all major browsers, giving higher performance with better security.
  • TKH-2033 It is now possible to change the fallback group for recovery requests in case a user does not have enough managers.
  • TKH-2035 Users from an internal directory now get an e-mail notification when their e-mail address is changed.
  • TKH-2040 The positioning of the date picker was fixed in some places when the page was scrolled.
  • TKH-2041 A full provisioning sync now operates in smaller steps, reducing the memory footprint of the sync.
  • TKH-2042 Locking was added to refreshing access tokens to prevent concurrent modifications.
  • TKH-2043 The synchronizations page now refreshes correctly when starting a sync.
  • TKH-2045 A large increase in performance was realized for users with a very large number of groups.
  • TKH-2047 A small annoyance was fixed in places where an input field was only required under some conditions.
  • TKH-2048 The details for an account now show all groups, not just the first 100.
  • TKH-2049 Some docker containers declared volumes which were not mounted. These were removed.
  • TKH-2050 The full sync for provisioned systems did not handle destroyed accounts correctly.
  • TKH-2058 An issue was fixed that could cause background tasks to crash.
  • TKH-2061 The update process now checks the validity of the certificate chain before starting the update, which prevents the update from failing later in the process.
  • TKH-2062 The login page can now handle a much larger number of requests due to added caches.
  • TKH-2063 The duration and size of the server side session for the login page were reduced to prevent outages during a DoS.
  • TKH-2064 Many small changes were made to the operating system to harden its configuration.
  • TKH-2065 Most criteria from the default group classification are now applied automatically when a new group is created.
  • TKH-2067 A workaround was added to allow Safari 15.4 to load the stylesheet until the issue is fixed in Safari itself.
  • TKH-2069 Mail enabled security groups cannot be provisioned on Azure and are now filtered from the list.
  • TKH-2070 More information about group audits is shown to the user, including its current status and the usernames of the users who started, finished and reviewed the audit.
  • TKH-2072 Topicus KeyHub now implements RFC 9207, blocking possible mix-up attacks.
  • TKH-2073 Tests were added for detecting various errors in incorrect certificate chains.
  • TKH-2077 Error handling was improved when trying to add a user to a group that was already present.
  • TKH-2078 The SAML metadata resolver no longer keeps resolving old URLs.
  • TKH-2079 Showing the last 5 MB of a log file now actually gives the last 5 MB.
  • TKH-2081 The notification to users with a pending password reset incorrectly showed inactive users.
  • TKH-2082 Accounts are now correctly activated and deactivated when 2FA is enabled or disabled on an account and the synchronization requires 2FA.
  • TKH-2083 rssh was dropped from the appliance. The package was no longer maintained and no viable alternative exists.
  • TKH-2084 ntpd was replaced by its more modern successor chronyd.
  • TKH-2085 A client can now read its own permissions via the API.
  • TKH-2087 Some unneeded packages were removed from the appliance.