Emond Papegaaij 18/03/2024 8 min read

Topicus KeyHub 32

We are proud to announce Topicus KeyHub 32. This release brings improved performance, a new version of the browser extension, mutability of organisational units and many smaller and larger improvements throughout the entire suite.


Browser extension

Many improvements were made to the browser extension. These improvements range from minor user interface tweaks to technical improvements. Some are noticeable to users, others are not. The new version of the browser extension is 7.0.0, which will be released through your browser's store. The following improvements were made to the browser extension:

  • TKH-2472 The browser extension no longer uses local storage as a fallback when session storage is not supported by the browser. All browsers now correctly implement session storage so this fallback was no longer necessary.

  • TKH-2548 Small tweaks were made to the styling of the extension.

  • TKH-2574 The arrow keys now also work when the popup opens with a search value prefilled.

  • TKH-2590 When connecting the extension to the Topicus KeyHub application, it now checks if the installation has a valid license for that domain.

  • TKH-2660 The extension clears its cache when it detects a logout from Topicus KeyHub.

  • TKH-2688 Vault records that have a mismatch in the FQDN are no longer displayed as matches.

  • TKH-2736 When the extension detects that certain browser permissions are missing, it requests them from the user. This should help in getting the extensions to work in such cases, for example with many Firefox users.

  • TKH-2737 The code base for the extension now includes versions 6 and 7, version 5 was dropped since the KeyHub version it supports is itself no longer supported.

  • TKH-2781 The extension now correctly fills in the username, not the TOTP code, when the type of the field is 'email'.


Over the years, our customer implementations of Topicus KeyHub have grown organically. Some of these implementations have grown beyond our original expectations and as a result, some customers have begun to reach performance limits we had never previously considered. To address this, we've done extensive performance testing and are proud to say that the performance of Topicus KeyHub 32 has increased substantially compared to its predecessors. In some extreme cases, the increase in performance can range up to a factor 100. The following improvements were made:

  • TKH-2744 TKH-2785 The transaction that performed periodic signature validation in the background was split into multiple tasks to prevent it from loading too many objects in memory.

  • TKH-2746 Login performance was improved massively by offloading expensive parts to the background and optimising the parts that are on the critical path.

  • TKH-2750 It is now possible to increase the safeguard limits built into the application, to allow Topicus KeyHub to work with larger datasets. Note that this does require more memory and CPU cores be made available to the application.

  • TKH-2763 The transaction to rotate the passwords at night was also split into multiple tasks to prevent a possible timeout.

  • TKH-2764 A setup was made to reliably measure performance and test improvements. Many improvements were made based on this setup, especially regarding adding users to large groups, handling users with many groups and managing large numbers of groups on systems linked to a single group in Topicus KeyHub.

Organisational units

Until now, organisational units were a static setup. It wasn't possible to move elements from one organisational unit to another. This changes in Topicus KeyHub 32. You can now move groups between organisational units. This also moves any groups on linked systems owned by these groups. These changes allow migrating a Topicus KeyHub setup created with only one organisational unit, to a setup with multiple units.

  • TKH-2716 Allow moving groups between organisational units.

  • TKH-2721 Exports for groups now contain columns for the organisation unit

Screenshot of a page where a user can select groups to move to another organisational unit


Command line interface

TKH-2767 A new output format detail was added, which returns many properties in a formatted and readable way. This output option is available for all query and read commands.


Assorted improvements

The following larger and smaller improvements and bug fixes were made:

  • TKH-2317 A first step was made to allow unlocking your vault with a WebAuthn security key.

  • TKH-2648 We added an audit record for when an activation code is used to verify a password recovery request.

  • TKH-2697 The content administrators of a linked system can now view and remove the system's service accounts.

  • TKH-2704 It is now possible to directly choose a group with ownership when creating a new group on a linked system.

  • TKH-2708 Notifications about pending audits are no longer shown when an audit for that group is currently under review.

  • TKH-2712 The error reporting has been improved for when activating a group encounters problems.

  • TKH-2714 Automated tests were added to the Terraform provider.

  • TKH-2719 Actions that destroy a secret for an application now give a warning to the user.

  • TKH-2720 The API for creating OAuth2 applications was improved.

  • TKH-2726 The copy password icon now also works correctly for newly created vault records.

  • TKH-2727 Some integrity checks were added to access token validation.

  • TKH-2731 Removing a group with delegated management no longer results in errors when trying to open the other group afterwards.

  • TKH-2732 The friendly-captcha library, used to prevent automation from accessing the loginpage, was updated to the latest version.

  • TKH-2733 If a group has given permissions to OAuth2 clients, the group will now also be shown under Manage Access, even if it would not be shown otherwise.

  • TKH-2738 Our internal tooling to generate licenses has been updated.

  • TKH-2739 It is now possible to reliably get the secret for a client application via the Terraform provider when the secret is shared in the vault.

  • TKH-2741 The group with technical administration for a client application now defaults to the group with ownership if left empty.

  • TKH-2742 It is no longer possible to create groups without managers via the API.

  • TKH-2743 An error was fixed related to updating the cryptography for a vault that did not yet have a key shared with the auditor group.

  • TKH-2745 Some more integrity checks were added to the parameters given to the OAuth2 token exchange.

  • TKH-2747 Resilience to outages of the Topicus KeyHub console has been improved, allowing the application to recover when it was unable to contact the authenticator.

  • TKH-2749 The sort parameter was added to the OpenAPI specification.

  • TKH-2752 TKH-2786 The WildFly application server was updated to version 31.

  • TKH-2753 Support for a privacy passphrase was added to the SNMPv3 configuration

  • TKH-2761 Forcing rotating passwords via the directory now in all cases gives a notification to users when they do not yet have rotating password enabled.

  • TKH-2762 The empty TOTP-column in vault exports is now better explained in the manual.