IAM 8.3 - Required upgrade actions

Various

IAM Module

Affected Feature(s)
(Relevant if using ...)

Issue(s)

Required Action

Version

All

Postgres DB

AI-18776

IAM now requires Postgres version >= 12. Upgrade Postgres installation to a version >= 12.

8.3

All

Tomcat access log format

AI-18514

Because of the update to Tomcat 10, there have been changes to the access log format, defined by the instance property iam.web-server.access-log.format.simple.pattern.

The following two patterns now behave differently:

  • %D - The time taken to process the request is now logged in microseconds, instead of milliseconds.
  • %T - The time taken to process the request was previously written with millisecond precision. Now, it logs only whole seconds, and the millisecond resolution is no longer written to the log. Please check if these patterns were used by your deployment, and adjust your logging parameters accordingly if necessary. The new pattern %{xxx}T can be used to specify other precisions, see https://tomcat.apache.org/tomcat-10.1-doc/config/valve.html#Access_Log_Valve for possible values.

8.3

All

Correlation ID in logs

AI-19466

To preserve backward compatibility, the correlation ID (new feature) is not present in the main log files by default.

If the correlation ID should appear in the main log as well, then the following value needs to be added to the property iam.log.main.pattern:

%e{mdc\:CORRELATION_ID}

Example:

iam.log.main.pattern = %d{DEFAULT} %-5p [IAM - ${sys\:iam.instance.name} - ${applicationName} - SID\: %18e{mdc\:GSID\:0} - RID\: %18e{mdc\:REQUEST_ID\:0} - CORR_ID\: %e{mdc\:CORRELATION_ID}] | %e{header\:3}%c{1}\: %m%n

The Correlation ID is currently not supported for the Parsable Log Files (Adminapp Log Viewer).

Adminapp, Loginapp

CORS settings

AI-10223

The default CORS Settings have become slightly stricter.

The strict behavior can be activated in the CORS Settings by activating the flag Strict CORS Validation. Note that this may lead to connection issues in some setups.

8.3

Adminapp

Gateway and Microgateway mapping templates

AI-19281

The new mapping templates for the Adminapp for Airlock Gateway and Microgateway use security level STRICT (and no longer STANDARD).

If this causes false positives when accessing the Adminapp, then resetting the Security Level on the Adminapp Deny Rule Groups to STANDARD may help reduce false positives.

8.3

Adminapp

Translations

AI-17300

The translation text of user.failed-logins.one-shot-radius in the Adminapp has been changed to “Non-flow logins” (and analogous translations for French and German). It used to be “One-Shot/Radius”.

If you wish to retain 'One-Shot/Radius', the translation needs to be overridden.

8.3

Loginapp

OIDC PAR

AI-18085

A database schema upgrade is required if using the new ​PAR - Pushed Authorization Request on the AS/OP feature for OAuth 2.0/OIDC.

8.3

Loginapp

Private Key JTWs

AI-18773

A database schema upgrade is required if using the private key JWt feature.

8.3

Loginapp

OAuth/OIDC custom claims in DB

AI-19069
AI-19071
AI-19066

OAuth/OIDC access and ID token claims can now be persisted in the database so they are available for later identity propagation and during token refresh.

If using this feature, a database schema upgrade is required.

8.3

Loginapp

OAuth/OIDC and Airlock 2FA Approval and Mobile Only Steps

AI-19209

In Airlock IAM 8.2.0, generated URLs could be wrong if there is no path part after the host: an unnecessary slash was added in some cases.

This only affects OAuth 2.0/OIDC redirect URIs and 2FA Scheme Overrides in the Airlock 2FA Mobile Only Authentication Step and the 2FA Approval Steps in the self-services, and transaction approval.

If relying on the wrong URIs that have been produced since 8.2.0, the consuming side might need to be adapted to expect the now fixed URIs without a trailing slash before the query or fragment part.

8.3

Loginapp

Airlock 2FA event processing

AI-18462

Note that the Airlock 2FA Delete Old Devices Step step now also produces the Airlock 2FA Device Deleted event.

If already subscribing to this event when introducing the new step into flows, the (existing) event subscriber(s) may have to be adapted to either filter on the event source (step or flow) or make event handling more general.

8.3

Loginapp

Cronto

AI-18624

The plugin Cronto Push Notification Sender no longer supports property Android API Key since Google removed support for this method in June 2024.

Remove the property Android API Key and configure Firebase Service Account JSON instead.

8.3

Loginapp

Log message change

AI-18963

The log entry

“User identification failed, not checking password: USER_INVALID.”

was changed to

“User validation failed, not checking password: USER_INVALID.”.

If the log is evaluated by tools, their configuration may need to be changed.

8.3

Loginapp

Risk Assessment Step

AI-19189

Airlock Gateway 8.3 and newer no longer issue anomaly state “redeemed”. Anomaly Shield State Risk Extractor configurations expecting this state should be reconfigured.

8.3

Custom code

IAM Module

Affected Feature(s)
(Relevant if using ...)

Issue(s)

Required Action

Version

All

Custom code

AI-18513

Java EE was migrated to Jakarta EE.

Custom code must update their imports of Javax classes to Jakarta equivalents.

Namely, the following import paths were changed:

  • javax.activation.* to jakarta.activation.*
  • javax.inject.* to jakarta.inject.*
  • javax.mail.* to jakarta.mail.*
  • javax.servlet.* to jakarta.servlet.*
  • javax.validation.* to jakarta.validation.*
  • javax.ws.* to jakarta.ws.*
  • javax.xml.bind.* to jakarta.xml.bind.*
  • javax.xml.soap.* to jakarta.xml.soap.*
  • javax.xml.ws.* to jakarta.xml.ws.*
  • javax.annotation.Nonnull to jakarta.annotation.Nonnull
  • javax.annotation.Priority to jakarta.annotation.Priority

8.3

Loginapp

Custom claim config plugins

AI-19483

Custom claim plugins that extend CustomClaimConfig must now extend GenericCustomClaimConfig instead. Otherwise, they are no longer configurable.

8.3

Further information and links