Airlock IAM 8.0 - Actions required when upgrading

Various features

IAM Module

Affected Feature(s)
(Relevant if using ...)

Issue(s)

Required Action

Version

All

Database schema (all features)

-

The database schema has to be migrated.

See DB Schema Migration IAM 8.0.

8.0

All

Database minimum versions

-

The minimum database versions have been increased for several databases (compared to IAM 7.7): MariaDB (10.4), MSSQL (2016).

See also Hardware and system requirements.

8.0

All

Logging (all features)

AI-16854

The logging configuration may need to be updated manually. See Upgrading the Log4j™2 logging configuration for IAM 8.0.

8.0

All

User trail logging

AI-16505
AI-10013

User trail log is written to the database in IAM 8.0 and later. Manual steps are required for the migration.

See Upgrade and data migration of user trail logging.

8.0

All

Logging (all features)

AI-15385

The IAM web server log no longer uses the instance configuration property iam.log.level to determine the web server log level. To control the level at which the web server produces log messages, please use iam.web-server.log.file.level and iam.web-server.log.console.level instead.

In rare cases, you may receive an error about invalid boolean values in the instance.properties file on IAM startup. This indicates that a misconfiguration in your instance.properties file was detected, which needs to be corrected.

8.0

All

Logging (all features)

AI-17040

  • The following log-related instance properties (instance.properties file) have been renamed to reduce confusion with new properties:
  • iam.web-server.log.enabled >> iam.web-server.log.file.enabled
  • iam.web-server.access-log.enabled >> iam.web-server.access-log.file.enabled
  • iam.web-server.log.pattern >> iam.web-server.log.format.simple.pattern
  • iam.web-server.access-log.pattern >> iam.web-server.access-log.format.simple.pattern

During configuration migration, these keys are automatically changed in the instance.properties file.

However, if environment variables are used to overwrite the properties, the corresponding environment variables need to be changed.

8.0

All

Audit log

AI-16993

Due to a bug in the Log4j library, audit log statements could be overwritten after log file rollover.

In the fixed implementation, log statements are directly written to log files containing the date in the file name (e.g. medusa-audit.log.2023-03-24).

The file medusa-audit.log (without date) is no longer written.

External processes depending on the file must be adapted. Alternatively, a custom log configuration may be used to re-enable the file.

8.0

All

Configuration changes

DOC-1108

8.0

All

Custom text elements

AI-8907

Custom text element files (strings_xx.properties) must be converted to UTF-8 encoding.

See Conversion of properties files to UTF-8 encoding.

8.0

All

Health check end-points

AI-14061

The health check JSON response field state has been removed. As of the micro profile health 3.0 specification the JSON response field state was replaced by the field status. Since IAM 7.5, both JSON response fields have been returned for backward compatibility. Now only the JSON field status is returned.

Components still relying on the state field need to be adapted or reconfigured.

8.0

All

Legacy class names

AI-10227

With IAM 7.1, package names of IAM Java classes have been renamed from ch.ergon.* to com.airlock.*. The old package names could still be used up to IAM 7.7 but are no longer supported in IAM 8.0

Such class names may be referenced in some configuration files (e.g. Log4j configuration, shared secret configuration, or custom web.xml). The main IAM configuration (medusa-configuration.xml) is not affected.

If still referring to IAM classes using ch.ergon.* package names, these references must be adapted.

8.0

All

Airlock 2FA text elements

AI-16675

Up to IAM 7.7 the Airlock 2FA Settings allowed specifying a separate string resource file to look up translations (e.g. for push messages). This is no longer supported.

If a separate string resources file (e.g. not strings_xx.properties) has been used in this way, the text elements need to be copied to the string resource files of the corresponding IAM modules.

  • The following configuration properties define the string resource files per module (in 8.0)
  • Loginapp >> Language Settings
  • Adminapp >> Language Settings
  • Transaction Approval >> Language Settings

If using Airlock 2FA in the RADIUS server: the string resource file is now part of the Airlock 2FA Authenticator plugin.

8.0

All

Airlock Gateway mapping templates

-

New Airlock Gateway mapping templates have been published for IAM 8.0. The new templates must be used to account for the removed JSP-Loginapp, new features, and stricter deny rules.

Please refer to Configuration of IAM mappings for further information.

8.0

Loginapp features

IAM Module

Affected Feature(s)
(Relevant if using ...)

Issue(s)

Required Action

Version

Loginapp

Client-centric OAuth Authorization Server

AI-14166

The client-centric OAuth 2.0 authorization server must be replaced with the AS-centric implementation. See Seamless migration to AS-centric AS in IAM 7.7 documentation.

8.0

Loginapp

One-shot authentication with user-specific role timeouts

AI-16268

If user-specific role timeouts are used in combination with one-shot authentication, the configuration needs to be adapted: the user-specific role timeouts need to be reconfigured in the one-shot settings (Loginapp >> One-Shot Authentication).

8.0

Loginapp

MS-OFBA with custom location parameter name

AI-16268

If a custom location parameter name is used for MS-OFBA, it must be reconfigured in the MS-OFBA One-Shot Target Application plugin (Loginapp >> One-Shot Authentication).

8.0

Loginapp

OAuth 2.0 legacy token format

AI-16027

The legacy OAuth 2.0 token format support (where the tokens started with the username) has been removed. Such tokens are no longer accepted. This results in the implicit invalidation of such tokens.

The legacy tokens have only been issued up to IAM 7.1. If such tokens were still valid and in use, a new OAuth 2.0 Authorization is required.

8.0

Loginapp

Custom look and feel (CSS)

AI-1653

IAM 8.0 uses a newer version of Bootstrap (5 instead of 4). The prefixed CSS classes (i.e. iam-*) remain the same. Depending on the implementation, changes to the HTML code of modal components might be necessary. In the provided Loginapp UI the size of the close Button "x" is increased.

Due to the update to Bootstrap 5, jQuery is no longer bundled with the Loginapp.

8.0

Loginapp

Configurable UI elements (in self-services)

AI-17123

The property HTML ID of Plugin Radio Buttons UI Element is now correctly used in the Loginapp UI. For this bugfix, it was necessary to add a new HTML element surrounding <iam-radio> tags.

Loginapp UI customizations that rely on structural CSS selectors on these elements might need to be adjusted.

Although we aim for a stable HTML structure, it is strongly discouraged to use CSS selectors that rely on this structure. It is recommended to create stylings based on CSS classes.

8.0

Adminapp features

IAM Module

Affected Feature(s)
(Relevant if using ...)

Issue(s)

Required Action

Version

Adminapp

Adminapp CSP

AI-16826
AI-16792
AI-10294

A content security policy (CSP) for the Adminapp has been introduced. The CSP is enabled by default and disables the rich-text editor for maintenance messages.

See Adminapp Content Security Policy (CSP) for further information.

Inline-style in maintenance messages will be ignored in the Loginapp and an error will be displayed in the browser console.

8.0

Adminapp

Coloring rules in the log viewer.

AI-16482

If coloring rules are configured in the Adminapp log viewer (Adminapp >> Log Viewer >> Color Scheme), the configuration needs to be adapted.

Only predefined colors are allowed in IAM 8.0 and later because of restrictions arising from the newly introduced Adminapp CSP (see Adminapp Content Security Policy (CSP)).

The properties Foreground Color, Background Color, and Foreground Color for Meta Data may use the following colors: black, white, red, blue, green, yellow, orange, and purple.

If the configuration to be migrated contains other color values or color codes, the affected coloring rules are migrated without the colors, i.e., the patterns remain but the colors have to be set manually after migration.

A message is printed to stdout during configuration migration in this case.

8.0

Adminapp

Generic Token Controller UI

AI-14849

The Generic Token Controller UI has been simplified and offers less flexibility compared to previous IAM versions.

The Generic Token Controller UI has to be re-configured manually. If the offered features are not sufficient to meet the requirements, use the new User Management Extension feature.

8.0

Adminapp

Legacy Adminapp URLs

AI-14143

Legacy Adminapp URIs starting with /ui/... instead /ui/app/... are no longer supported.

External components relying on the legacy URIs must use the new URIs.

8.0

Loginapp Design Kit

IAM Module

Affected Feature(s)
(Relevant if using ...)

Issue(s)

Required Action

Version

Loginapp UI

Confirmation dialogs display larger close element

AI-16523

With the upgrade of the underlying bootstrap library to version 5.0, the default styling of the close element in the upper right corner of modals has been made larger.

Customers should check that their UI customizations of confirmation dialogs still meet their expectations.

8.0

Loginapp UI

Custom static HTML pages using SCSS

-

In the JSP-Loginapp static HTML files (e.g. static error pages) could be styled using SCSS and the CLI tool iam build-ui.

With the removal of the JSP-Loginapp the build-ui command has been deleted. SCSS files of static HTML pages must be translated to CSS files.

8.0