We are proud to announce Topicus KeyHub 20.1. This release features a major OS upgrade, moving from CentOS 7 to AlmaLinux OS 8. As part of this upgrade, we worked hard on hardening our package management and providing signed software bundles. For group managers, we now provide dashboards that give insight into the groups they manage. We've also taken the first steps towards more customizable communication in our notification centre. And, as usual, a large number of smaller changes and bug fixes are included in this release.
AlmaLinux OS 8.6
TKH-1468 CentOS 7 has served us well for all these years, but with the EOL nearing, it was time to move on. With the most obvious candidate, CentOS 8, scrapped, we looked at alternatives. AlmaLinux OS 8 provides a clean upgrade path from CentOS 7 and it is likely to stay supported for a long time to come.
The upgrade from CentOS 7 to AlmaLinux 8 needs to be done manually. First upgrade your Topicus KeyHub installation to 20.1 and install all pending operating system updates. Then upload the alma8 upgrade image to upgrade the VM. This will take some time, during which the VM will reboot several times. At the end, your installation will be running Topicus KeyHub 20.1 on AlmaLinux OS 8.6. Be aware that 20.1 is the last version to be supported on CentOS 7 and you will not be able to update to 20.2 before upgrading to AlmaLinux 8.
Topicus KeyHub 20.1 will run just fine on CentOS 7 and it will be just as secure as on AlmaLinux 8.
For complete instructions on the OS upgrade, please follow our upgrade guide. We will contact all our customers in the weeks following the release of 20.1. We recommend that all our customers wait for our call; during this contact you can ask for help or guidance.
TKH-2053 Topicus KeyHub now checks the signature of all software being installed onto the VM. In addition, the update bundles for offline updates are now signed (recognizable by the .gpg extension). Not only does this protect the bundles against corruption due to a bad download, but it also protects them from being modified by an attacker with malicious intent.
Dashboard for group managers
TKH-2089 When you are a manager in one or more groups, or a member of a group performing additional authorization on other groups, it is now possible to get insights into these groups via a dashboard.
TKH-1852 In our communication centre, you can now configure a custom signature for all mails sent by Topicus KeyHub. Also, you can remove any links that would be added to these mails, if company policy forbids the use of mails with links. In the future, it is likely more options for customization of communication will be added here.
The following smaller improvements and bug fixes were made:
TKH-1970 Several new colours were added to the vault records.
TKH-1996 It is now possible to send complete context objects with webhook deliveries.
TKH-2032 Topicus KeyHub can now be run on AWS. Expect a marketplace subscription soon.
TKH-2060 More information is shown for every node in a cluster, including its version.
keyhub user can now have a public key for ssh set.
TKH-2088 Members of the auditor group can now disable accounts via the accounts dashboard to allow quick intervention in case of an emergency.
TKH-2091 The feedback when uploading a license with missing features that are currently in use now displays which features are missing.
TKH-2092 The appliance manager now checks certain features of the license.
TKH-2093 Topicus KeyHub is now able to generate licenses in the new format.
nginx proxy no longer advertises its version via headers.
TKH-2100 A new option was added for setting up group nesting to connect overlapping accounts and keep the others.
TKH-2107 When starting an upgrade, the browser no longer keeps scrolling down.
TKH-2111 An RFC 7662 compliant OAuth 2.0 Token Introspection endpoint was added. The endpoint is advertised in the server metadata.
TKH-2113 The error handling of the Topicus KeyHub Console was improved to keep on trying when it is unable to read the server metadata.
webhook component used in a cluster was upgraded to 2.8.0.
TKH-2118 The pop-up to request new groups now displays the full name of the new group to prevent confusion.
TKH-2119 It is no longer possible to store empty files in the vault. These were causing trouble due to the missing content.
TKH-2123 OAuth 2.0 tokens are now scoped as requested, rather than what the user gave consent to in the past.
TKH-2124 Deployment in the Azure Marketplace was fixed.
TKH-2130 It is now possible to mark nodes as unavailable to take them out of the load balancer. This allows the operator to perform maintenance on nodes without causing service unavailability.
TKH-2131 A race condition in the startup of Pgpool was reported and fixed upstream.
TKH-2133 Salt calls are now performed asynchronously and with more realistic timeouts.
TKH-2134 The subject of some e-mails was fixed.
TKH-2135 Invalid or disabled accounts no longer count as valid targets for secret shares.
TKH-2137 Validation of the short-lived tokens for exports has been improved to prevent cross posting.
TKH-2141 Pgpool was upgraded to 4.3.2.
TKH-2144 Restoring a backup now also restores the secrets required to use the database.
TKH-2149 Clients can now create private groups.
TKH-2150 Clients now also get the permissions reflecting features from the license.