IAM 8.5 - Required upgrade actions

Various

Each entry below lists: IAM Module, Affected Feature(s) (relevant if using ...), Issue(s), Required Action, Version.

IAM Module: All modules
Affected Feature(s): All features
Issue(s): AI-21129
Required Action:

The new usage and license analytics feature requires manual actions when upgrading. See License and usage analytics for more information.

The following CLI commands are affected (in case they are used in scripts or automation pipelines):

  • iam reset (reset to rescue config)
  • iam upgrade (upgrade configs or snippets to IAM 8.5)
  • iam init (create new instances)

In both CLIs, the --analytics (or -a) option is now mandatory. Alternatively, the environment variable IAM_ANALYTICS_MODE can be set when using the CLIs.

Version: 8.5

IAM Module: All modules
Affected Feature(s): YAML config
Issue(s): AI-20768, AI-20652
Required Action:

IAM 8.5 changes the way plugin types are referred to in YAML configurations. The new short type names replace the fully qualified Java class names used in IAM 8.4.

Example:

  • IAM 8.4 - fully qualified class name: com.airlock.iam.core.misc.impl.sso.AccessCookieIdentityPropagator
  • as of IAM 8.5 - short type name: AccessCookieIdentityPropagator

This change has the following consequences for customers working with YAML configuration files:

  • All configuration files and code snippets migrated with the IAM migration CLI (iam upgrade) are updated automatically. No further action is required for these files.
  • If you refer to plugin types inside scripts or other files that cannot be migrated by the IAM migration CLI, you must change these names manually. You can find the new short type names here:
    • In the mapping file found in <iam-release>/res/config-shortname-mappings/
    • In the plugin documentation: IAM Plugin Docs. Look for the following fields in the plugin descriptions:
      • The Class field contains the fully qualified class name.
      • The Type name field contains the short type name.
      • The YAML template also contains the short type name.

Version: 8.5
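For files the migration CLI cannot process (scripts, templates, custom tooling), the following is an added example of a rename helper; it is not Airlock IAM code. The mapping text is constructed (only the AccessCookieIdentityPropagator entry comes from this page), and the "fqcn=short" line format is an assumption, because the page does not show the layout of the files under <iam-release>/res/config-shortname-mappings/. Unknown class names in the IAM namespace are left untouched and reported, so nothing is rewritten without a mapping entry behind it.

```python
"""Rewrite fully qualified IAM plugin class names to IAM 8.5 short type names.

Added example, not Airlock IAM code. The mapping format ('fqcn=short' per
line) and the sample mapping below are assumptions/constructed data.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample mapping: the first entry is the page's example, the
# second is made up to show a second rename.
SAMPLE_MAPPING_TEXT = """\
# fqcn=short (assumed layout)
com.airlock.iam.core.misc.impl.sso.AccessCookieIdentityPropagator=AccessCookieIdentityPropagator
com.airlock.iam.example.impl.ExampleStep=ExampleStep
"""

# Any dotted Java name below the com.airlock.iam package. This also catches
# non-plugin names such as logger names; those simply end up in the review
# list because they have no mapping entry.
FQCN_RE = re.compile(r"\bcom\.airlock\.iam(?:\.[A-Za-z_][A-Za-z0-9_]*)+\b")


def parse_mapping(text: str) -> Dict[str, str]:
    """Parse 'fqcn=short' lines (assumed format); blanks and '#' comments are skipped."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fqcn, short = line.split("=", 1)
        mapping[fqcn.strip()] = short.strip()
    return mapping


def rewrite(text: str, mapping: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace every mapped class name; return the new text and the unmapped names found."""
    unmapped: List[str] = []

    def substitute(match) -> str:
        name = match.group(0)
        if name in mapping:
            return mapping[name]
        unmapped.append(name)
        return name  # leave unknown names for manual review

    return FQCN_RE.sub(substitute, text), sorted(set(unmapped))


if __name__ == "__main__":
    # Constructed snippet standing in for a script that embeds plugin types.
    snippet = (
        "type: com.airlock.iam.core.misc.impl.sso.AccessCookieIdentityPropagator\n"
        "other: com.airlock.iam.unknown.SomethingElse\n"
    )
    new_text, review = rewrite(snippet, parse_mapping(SAMPLE_MAPPING_TEXT))
    print(new_text)
    print("needs manual review:", review)
```

Run it over each file that the CLI skipped and treat a non-empty review list as a blocker: a name that is missing from the mapping file is either not a plugin type at all or a plugin that needs looking up in the IAM Plugin Docs.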

IAM Module: All modules
Affected Feature(s): Cronto
Issue(s): AI-20501
Required Action:

The OneSpan native library (Authentication Server Framework) should be updated to version 3.22. The library can be obtained from the OneSpan customer portal.

We highly recommend that you update the library to ensure future compatibility.

Version: 8.5

IAM Module: All modules
Affected Feature(s): Logging
Issue(s): AI-20801
Required Action:

The custom LoggerFilter Log4j plugin, which has been deprecated since IAM 7.1, has been removed. Its functionality can be replaced with standard Log4j mechanisms.

For example, the deprecated configuration (in instances/instance-name/log4j/)

<LoggerFilter onMatch="DENY" onMismatch="ACCEPT">
    <FilteredLogger name="com.airlock.iam.log.reporting"/>
</LoggerFilter>

can be replaced with the following configuration:

<Logger name="com.airlock.iam.log.reporting" additivity="false">
    <AppenderRef ref="MAIN" level="off"/>
</Logger>

This also disables the named logger for that appender.

Version: 8.5
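The following is an added example that mechanizes the conversion above for an instance with several FilteredLogger entries; it is not Airlock IAM code. It assumes the element names and the onMatch="DENY" / onMismatch="ACCEPT" semantics shown on this page (listed loggers are suppressed), searches the whole document because the page does not say where LoggerFilter sits in a real instance configuration, and switches each suppressed logger off for one appender (MAIN by default, as in the replacement above). The input fragment is constructed; only the first FilteredLogger name is taken from this page.

```python
"""Convert deprecated LoggerFilter blocks into standard Log4j Logger overrides.

Added example, not Airlock IAM code. Assumes LoggerFilter/FilteredLogger with
onMatch="DENY" onMismatch="ACCEPT" as shown on the page; any other attribute
combination is refused rather than guessed at.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed fragment: placement of LoggerFilter and the second logger name
# are made up; the first name is the page's example.
DEPRECATED_FRAGMENT = """\
<Configuration>
  <LoggerFilter onMatch="DENY" onMismatch="ACCEPT">
    <FilteredLogger name="com.airlock.iam.log.reporting"/>
    <FilteredLogger name="com.example.noisy.logger"/>
  </LoggerFilter>
</Configuration>
"""


def denied_logger_names(root: ET.Element) -> List[str]:
    """Collect logger names suppressed by LoggerFilter elements anywhere in the tree."""
    names: List[str] = []
    for lf in root.iter("LoggerFilter"):
        if lf.get("onMatch", "").upper() != "DENY" or lf.get("onMismatch", "").upper() != "ACCEPT":
            # Only the deny-listed form is converted; anything else needs a human.
            raise ValueError(f"unsupported LoggerFilter attributes: {lf.attrib}")
        for fl in lf.findall("FilteredLogger"):
            name = fl.get("name")
            if not name:
                raise ValueError("FilteredLogger without a name attribute")
            names.append(name)
    return names


def logger_override(name: str, appender_ref: str) -> ET.Element:
    """Build <Logger name=... additivity="false"><AppenderRef ref=... level="off"/></Logger>."""
    logger = ET.Element("Logger", {"name": name, "additivity": "false"})
    ET.SubElement(logger, "AppenderRef", {"ref": appender_ref, "level": "off"})
    return logger


def convert(xml_text: str, appender_ref: str = "MAIN") -> List[ET.Element]:
    """Parse a log4j2 fragment and return one Logger override per suppressed logger."""
    root = ET.fromstring(xml_text)
    return [logger_override(n, appender_ref) for n in denied_logger_names(root)]


def render(elements: List[ET.Element]) -> str:
    """Serialize the overrides for pasting into the <Loggers> section."""
    return "\n".join(ET.tostring(e, encoding="unicode") for e in elements)


if __name__ == "__main__":
    print(render(convert(DEPRECATED_FRAGMENT)))
```

The generated Logger elements belong inside the <Loggers> section of the instance's log4j configuration; the converter deliberately raises on any LoggerFilter whose attributes differ from the deny form shown above, because an ACCEPT/DENY inversion would need a different Log4j construct.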

IAM Module: All modules
Affected Feature(s): DB support
Issue(s): AI-20658
Required Action:

The minimum requirements for databases have been updated due to expired support by the manufacturers. See System requirements.

Version: 8.5

IAM Module: Loginapp
Affected Feature(s): Events
Issue(s): AI-17547
Required Action:

The Password Changed event in the Loginapp is now also published by the Password Reset Step. If currently configured event subscribers should not handle events from password reset, use the Filtered Flow Event plugin to only subscribe to the events from specified steps or flows.

Version: 8.5

IAM Module: Loginapp
Affected Feature(s): Events
Issue(s): AI-20909
Required Action:

The User Locked event generated by the User Lock Step now contains the configured lock reason instead of a generic one (LockReason.InitiatedByUser).

If the configured lock reason is not the generic one, event consumers relying on the generic lock reason may have to be adapted.

Version: 8.5

IAM Module: Transaction Approval
Affected Feature(s): Transaction Approval flows with Cronto
Issue(s): AI-21076
Required Action:

The Transaction Approval Cronto Message Provider no longer supports separate string resource files. If this feature is used, the translations have to be moved to the standard resource file.

Version: 8.5

IAM Module: IAM CLI
Affected Feature(s): iam init
Issue(s): AI-19778
Required Action:

The IAM CLI command iam init now creates instances with YAML configs. To create an XML-based instance, provide the --xml option.

Version: 8.5

Security recommendations

Each entry below lists: IAM Module, Affected Feature(s) (relevant if using ...), Issue(s), Required Action, Version.

IAM Module: All modules
Affected Feature(s): Scrypt Password Hash
Issue(s): AI-19434
Required Action:

We recommend that you review the security parameters used in the Scrypt Password Hash plugin.

In accordance with OWASP recommendations, the default for the Iteration Exponent has been increased from 14 to 17.

Already configured plugins are not affected.

We recommend increasing the value in existing configurations. This affects IAM performance, because computing hash values during password checks becomes more expensive (which is what yields the better security). Performance tests have not shown negative impacts.

Version: 8.5
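To see what the change from 14 to 17 costs, here is an added example (not the plugin's code) that derives scrypt hashes with the two exponents and reports the memory and time each needs. The scrypt cost parameter N is 2 raised to the Iteration Exponent, so the step from 14 to 17 multiplies both memory and CPU work by 8. The plugin's block size r and parallelization p are not stated on this page; r=8 and p=1 are assumed. The password and salt are constructed.

```python
"""Scrypt cost of the Iteration Exponent: memory, timing and a verify routine.

Added example, not the Scrypt Password Hash plugin's code. r=8 and p=1 are
assumed; N = 2**iteration_exponent is how scrypt's cost parameter is defined.
"""
import hashlib
import hmac
import os
import time
from typing import Tuple

DEFAULT_R = 8  # assumed block size
DEFAULT_P = 1  # assumed parallelization


def cost_memory_bytes(iteration_exponent: int, r: int = DEFAULT_R) -> int:
    """Working set scrypt needs: 128 * r * N bytes with N = 2**iteration_exponent."""
    return 128 * r * (2 ** iteration_exponent)


def scrypt_hash(password: bytes, salt: bytes, iteration_exponent: int,
                r: int = DEFAULT_R, p: int = DEFAULT_P) -> bytes:
    """Derive a 32-byte hash; maxmem is raised above hashlib's default so N=2**17 fits."""
    n = 2 ** iteration_exponent
    maxmem = 2 * 128 * r * (n + p + 2)  # working set plus headroom
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, maxmem=maxmem, dklen=32)


def verify(password: bytes, salt: bytes, iteration_exponent: int, expected: bytes) -> bool:
    """Constant-time comparison of a freshly derived hash against the stored one."""
    return hmac.compare_digest(scrypt_hash(password, salt, iteration_exponent), expected)


def time_hash(iteration_exponent: int) -> Tuple[float, int]:
    """Seconds for one derivation and the memory it needs, for the given exponent."""
    salt = os.urandom(16)
    start = time.perf_counter()
    scrypt_hash(b"constructed-sample-password", salt, iteration_exponent)
    return time.perf_counter() - start, cost_memory_bytes(iteration_exponent)


if __name__ == "__main__":
    for exponent in (14, 17):  # 14: previous default, 17: new default
        seconds, memory = time_hash(exponent)
        print(f"exponent {exponent}: {seconds:.3f} s per hash, {memory // (1024 * 1024)} MiB")
```

The timing loop is the number to compare against your login rate: every password check costs one derivation at the configured exponent, and the memory figure is per concurrent check.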

IAM Module: Loginapp
Affected Feature(s): Loginapp Security settings
Issue(s): AI-17669
Required Action:

In the Loginapp >> Security Settings plugin, an HMAC key is configured. Although the plugin recommends keys of at least 512 bits, existing IAM configurations with 256-bit keys still work.

For optimal security, we highly recommend using a key with at least 512 bits. The key is only used by IAM. Changing the key at runtime may affect single requests or ongoing user sessions.

Version: 8.5

IAM Module: Loginapp, Service Container
Affected Feature(s): RADIUS Server, RADIUS Client
Issue(s): AI-20688, AI-20689
Required Action:

The Blast-RADIUS vulnerability has been fixed both for the RADIUS client and server in Airlock IAM. To mitigate the vulnerability, a message authenticator attribute is included in all communication and verified by Airlock IAM.

To guarantee compatibility with RADIUS peers not supporting the message authenticator attribute, the new feature is not automatically activated.

In existing RADIUS client and server configurations, consider activating the new property:

  • RADIUS client plugin (e.g., OTP Check via RADIUS Step) >> Radius Connection Settings >> Enforce Message-Authenticator
  • RADIUS server plugin Radius Authentication Service >> Enforce Message-Authenticator

Version: 8.5
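What "Enforce Message-Authenticator" means on the wire, as an added example that is not Airlock IAM code: the RADIUS Message-Authenticator (attribute type 80, RFC 2869 section 5.14) is an HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's own 16-byte value zeroed while computing it. A peer that verifies it detects any modification of the packet's attributes, and a peer that enforces it also rejects packets that omit the attribute altogether, which is the setting the two properties above turn on. The shared secret, identifier, Request Authenticator and User-Name below are constructed; packet layout and attribute numbers are the standard RADIUS ones.

```python
"""RADIUS Message-Authenticator (attribute 80): build on the sender, verify on the receiver.

Added example, not Airlock IAM code. Sample secret, identifier and attribute
values are constructed; the format follows RFC 2865/2869.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

HEADER_LEN = 20            # code(1) identifier(1) length(2) authenticator(16)
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
MA_LEN = 16                # HMAC-MD5 output size


def build_packet(code: int, identifier: int, authenticator: bytes,
                 attributes: List[Tuple[int, bytes]]) -> bytes:
    """Serialize header plus TLV attributes (type, length including the 2-byte header, value)."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_attributes(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, value offset, value) triples; malformed lengths are rejected."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    declared = struct.unpack("!H", packet[2:4])[0]
    if declared < HEADER_LEN or declared > len(packet):
        raise ValueError("bad length field")
    attrs, i = [], HEADER_LEN
    while i < declared:
        if i + 2 > declared:
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > declared:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, i + 2, packet[i + 2:i + length]))
        i += length
    return attrs


def build_signed_request(identifier: int, request_authenticator: bytes,
                         attributes: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Sender side: append a zeroed Message-Authenticator, HMAC the packet, fill the value in."""
    attrs = list(attributes) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(MA_LEN))]
    packet = bytearray(build_packet(CODE_ACCESS_REQUEST, identifier, request_authenticator, attrs))
    packet[-MA_LEN:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(packet: bytes, secret: bytes, enforce: bool,
                                 request_authenticator: Optional[bytes] = None) -> Tuple[bool, str]:
    """Receiver side. With enforce=True a packet without the attribute is rejected.

    For responses (Access-Accept/Reject/Challenge) pass the Request Authenticator of
    the matching request: the HMAC is computed with it placed in the Authenticator field.
    """
    attrs = parse_attributes(packet)
    declared = struct.unpack("!H", packet[2:4])[0]
    found = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return (not enforce, "Message-Authenticator missing")
    if len(found) != 1 or len(found[0][1]) != MA_LEN:
        return (False, "malformed Message-Authenticator")
    offset, received = found[0]
    work = bytearray(packet[:declared])
    work[offset:offset + MA_LEN] = bytes(MA_LEN)   # zero the value while computing
    if request_authenticator is not None:
        work[4:20] = request_authenticator
    expected = hmac.new(secret, bytes(work), hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return (False, "Message-Authenticator mismatch")
    return (True, "ok")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # constructed; real senders draw this randomly
    packet = build_signed_request(7, request_auth, [(ATTR_USER_NAME, b"alice")], secret)
    print("signed request :", verify_message_authenticator(packet, secret, enforce=True))
    tampered = packet[:22] + b"b" + packet[23:]   # flips one byte of the User-Name value
    print("tampered       :", verify_message_authenticator(tampered, secret, enforce=True))
    bare = build_packet(CODE_ACCESS_REQUEST, 7, request_auth, [(ATTR_USER_NAME, b"alice")])
    print("no attribute   :", verify_message_authenticator(bare, secret, enforce=True))
```

The compatibility caveat in the text maps directly onto the enforce flag: with enforce=False a packet that carries no Message-Authenticator is still accepted (the pre-8.5 behaviour towards legacy peers), so the property should only be switched on once every RADIUS peer of that configuration is known to send the attribute.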

Incubating features

Each entry below lists: IAM Module, Affected Feature(s) (relevant if using ...), Issue(s), Required Action, Version.

IAM Module: Loginapp
Affected Feature(s): Self-sovereign identities (SSI) - incubating
Issue(s): AI-20638
Required Action:

The former incubating SSI features have been replaced.

The config migration removes all previous SSI-related config properties. SSI functionality must be reconfigured using the new SSI solution.

Version: 8.5

Further information and links