Emond Papegaaij 16/06/2022 7 min read

Topicus KeyHub 20.1

We are proud to announce Topicus KeyHub 20.1. This release features a major OS upgrade, moving from CentOS 7 to AlmaLinux OS 8. As part of this upgrade, we worked hard on hardening our package management and providing signed software bundles. For group managers, we now provide dashboards that give insight into the managed groups. We've also taken the first steps towards more customizable communication in our notification centre. And, as usual, a large number of smaller changes and bug fixes are included in this release.


AlmaLinux OS 8.6

TKH-1468 CentOS 7 has served us well for all these years, but with the EOL nearing, it was time to move on. With the most obvious candidate, CentOS 8, scrapped, we looked at alternatives. AlmaLinux OS 8 provides a clean upgrade path from CentOS 7 and it is likely to stay supported for a long time to come.

The upgrade from CentOS 7 to AlmaLinux 8 needs to be done manually. First upgrade your Topicus KeyHub installation to 20.1 and install all pending operating system updates. Then upload the alma8 upgrade image to upgrade the VM. This will take some time, during which the VM will reboot several times. At the end, your installation will be running Topicus KeyHub 20.1 on AlmaLinux OS 8.6. Be aware that 20.1 is the last version to be supported on CentOS 7 and you will not be able to update to 20.2 before upgrading to AlmaLinux 8.

Topicus KeyHub 20.1 will run just fine on CentOS 7 and it will be just as secure as on AlmaLinux 8.

For complete instructions on the OS upgrade, please follow our upgrade guide. We will contact all our customers in the weeks following the release of 20.1. We recommend that all our customers wait for our call; during this moment of contact you can ask for help or guidance.

Package signing

TKH-2052 TKH-2053 Topicus KeyHub now checks the signature of all software being installed onto the VM. In addition, the update bundles for offline updates are now signed (recognizable by the .gpg extension). Not only does this protect the bundles against corruption due to a bad download, but it also protects them from being modified by an attacker with malicious intent.

Dashboard for group managers

TKH-2071 TKH-2089 When you are a manager in one or more groups, or a member of a group performing additional authorization on other groups, it is now possible to get insights into these groups via a dashboard.

Notification centre

TKH-1841 TKH-1852 In our communication centre, you can now configure a custom signature for all mails sent by Topicus KeyHub. Also, you can remove any links that would be added to these mails, if company policy forbids the use of mails with links. In the future, it is likely more options for customization of communication will be added here.

Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-1970 Several new colours were added to the vault records.
  • TKH-1996 It is now possible to send complete context objects with webhook deliveries.
  • TKH-2032 Topicus KeyHub can now be run on AWS. Expect a marketplace subscription soon.
  • TKH-2060 More information is shown for every node in a cluster, including its version.
  • TKH-2080 The keyhub user can now have a public key for ssh set.
  • TKH-2088 Members of the auditor group can now disable accounts via the accounts dashboard to allow quick intervention in case of an emergency.
  • TKH-2091 The feedback when uploading a license with missing features that are currently in use now displays which features are missing.
  • TKH-2092 The appliance manager now checks certain features of the license.
  • TKH-2093 Topicus KeyHub is now able to generate licenses in the new format.
  • TKH-2094 The nginx proxy no longer advertises its version via headers.
  • TKH-2100 A new option was added for setting up group nesting to connect overlapping accounts and keep the others.
  • TKH-2107 When starting an upgrade, the browser no longer keeps scrolling down.
  • TKH-2111 An RFC 7662 compliant OAuth 2.0 Token Introspection endpoint was added. The endpoint is advertised in the server metadata.
  • TKH-2113 The error handling of the Topicus KeyHub Console was improved to keep on trying when it is unable to read the server metadata.
  • TKH-2115 The webhook component used in a cluster was upgraded to 2.8.0.
  • TKH-2118 The pop-up to request new groups now displays the full name of the new group to prevent confusion.
  • TKH-2119 It is no longer possible to store empty files in the vault. These were causing trouble due to the missing content.
  • TKH-2123 OAuth 2.0 tokens are now scoped as requested, rather than what the user gave consent to in the past.
  • TKH-2124 Deployment in the Azure Marketplace was fixed.
  • TKH-2130 It is now possible to mark nodes as unavailable to take them out of the load balancer. This allows the operator to perform maintenance on nodes without causing service unavailability.
  • TKH-2131 A race condition in the startup of Pgpool was reported and fixed upstream.
  • TKH-2133 Salt calls are now performed async and with more realistic timeouts.
  • TKH-2134 The subject of some e-mails was fixed.
  • TKH-2135 Invalid or disabled accounts no longer count as valid targets for secret shares.
  • TKH-2137 Validation of the short lived tokens for exports has been improved to prevent cross posting.
  • TKH-2141 Pgpool was upgraded to 4.3.2.
  • TKH-2144 Restoring a backup now also restores the secrets required to use the database.
  • TKH-2149 Clients can now create private groups.
  • TKH-2150 Clients now also get the permissions reflecting features from the license.
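
For TKH-2111 and TKH-2123, the following added example (not Topicus KeyHub code) sketches how a resource server can locate the introspection endpoint in the server metadata, build an RFC 7662 request, and check the scope actually granted to the token. The host name, URL paths, HTTP Basic client authentication and scope names are assumptions made for illustration.

```python
import base64
import time
from urllib.parse import urlencode

# Constructed sample of server metadata (RFC 8414 field names).
# Host and paths are placeholders, not real KeyHub URLs.
SAMPLE_METADATA = {
    "issuer": "https://keyhub.example.com",
    "introspection_endpoint": "https://keyhub.example.com/introspect",
}


def build_introspection_request(metadata, token, client_id, client_secret):
    """Return (url, headers, body) for an RFC 7662 section 2.1 request."""
    url = metadata.get("introspection_endpoint")
    if not url or not url.startswith("https://"):
        raise ValueError("metadata advertises no HTTPS introspection endpoint")
    # Assumption: the caller authenticates with HTTP Basic client credentials.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return url, headers, body


def token_allows(response, required_scopes, now=None):
    """Decide whether an RFC 7662 section 2.2 response authorizes a call."""
    now = time.time() if now is None else now
    # Only a JSON boolean true counts; anything else is treated as inactive.
    if response.get("active") is not True:
        return False
    exp = response.get("exp")
    if exp is not None and exp <= now:
        return False
    # "scope" is a space-separated list; check this token's own scopes
    # instead of assuming everything the user once consented to.
    granted = set((response.get("scope") or "").split())
    return set(required_scopes) <= granted


if __name__ == "__main__":
    print(build_introspection_request(SAMPLE_METADATA, "abc.def", "client", "secret"))
    # Constructed response: token is active but carries only the "profile" scope.
    sample = {"active": True, "scope": "profile", "exp": 2000000000}
    print(token_allows(sample, ["profile", "vault"], now=1700000000))
```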