IAM 8.6 - Required upgrade actions

This section describes changes in Airlock IAM 8.6 that may require manual changes. Whether changes are necessary depends on the features and custom extensions in use.

Various

Each entry lists the IAM module, the affected feature (relevant only if you use it), the issue ID, the required action and the version(s) in which the change was introduced.

IAM module: All modules
Affected feature: DB schema
Issue: AI-20891
Required action: The database schema includes a new table, schema_metadata, which can be used to retrieve the current schema version. See also Database schema version. It is strongly recommended to apply the database schema upgrade: Relational databases for IAM.
Version: 8.6

IAM module: All modules
Affected feature: Event outbox repository (new feature)
Issue: AI-21499
Required action: The new “Reliable event delivery” feature allows events to be serialized and stored in an event outbox repository (database table), and then forwarded to external message brokers. See also Reliable event delivery. If using the new feature, the event_outbox database table must be created. IAM provides the scripts required to extend the database schema: Relational databases for IAM.
Version: 8.6

IAM module: All modules
Affected feature: DB support
Issue: AI-21750
Required action: The minimum supported PostgreSQL version has been raised due to the end of vendor support. PostgreSQL 14 is now the minimum required version. See System requirements.
Version: 8.6

IAM module: Loginapp
Affected feature: OAuth 2.0 / OpenID Connect
Issue: AI-21557
Required action: IAM no longer supports OAuth 2.0 and OpenID Connect tokens with unlimited validity. Existing configurations using such tokens are migrated to a token validity period of 10 years.
Version: 8.6

IAM module: Loginapp
Affected feature: Template-based String Provider plugin
Issue: AI-21749
Required action: A bug in the configuration migration from Airlock IAM 8.2 to 8.3 for the Template-based String Provider plugin has been fixed. If you have already migrated your configuration from IAM 8.2 or earlier to a version later than 8.2, ensure that the Value Map Provider property is set correctly. Re-configure the plugins if necessary.
Version: 8.3.5, 8.4.3, 8.5.2, 8.6

IAM module: Loginapp
Affected feature: Cronto
Issue: AI-21241
Required action: The native Cronto library from OneSpan needs to be updated manually to Authentication Suite Server 4.0.1.
Version: 8.6

IAM module: Service Container
Affected feature: Swiss Post Tracking Service plugin
Issue: AI-21862
Required action: The Swiss Post Tracking Service plugin has been removed because the corresponding web service has been discontinued. Before upgrading, ensure that this plugin is no longer configured or in use in your system.
Version: 8.6

Security recommendations

IAM module: All modules
Affected feature: Java
Issue: AI-20797
Required action: Airlock IAM has been updated to Java 25. Custom code should be recompiled using Java 25. Also, TLS_RSA cipher suites and SHA-1 signatures for TLS 1.2 / DTLS 1.2 are no longer considered cryptographically secure and have been disabled by default.
Version: 8.6

Custom Java Code

IAM module: All modules
Affected feature: Custom Java Code
Issue: AI-21456
Required action: The method MapperConfiguration.getPluginConfigToLogic has been removed from Orika mappers. You can no longer use PluginConfigToLogic in Orika mappers.
Version: 8.6

Incubating Features

IAM module: Loginapp
Affected feature: Self-sovereign identities (SSI) - incubating
Issue: AI-21230
Required action:
  • When using a Procivis SSI service, update the database schema with the latest schema changes.
  • When configuring an SSI Issuance Step, also configure an SSI User Change Listener to keep the database consistent.
Version: 8.6

Config API Changes

With the config automation features introduced in IAM 8.4, a part of the configuration becomes an API with limited guarantees. For details, see Config automation.

The following table documents changes to the config API that may require manual adaptations in scripts manipulating the YAML configuration.

  • IAM config migration will automatically apply changes to config files and snippets.
  • Modifications in snippets may have to be adapted manually.
  • Note that the plugin types and property names given for each entry refer to the config API of the previous release, i.e., before migrating to this release.

Plugin: OAuth2AuthorizationCodeGrant
Properties: authorizationCodeExpiresIn, accessTokenExpiresIn

Plugin: OpenIdConnectAuthorizationCodeGrant
Properties: accessTokenExpiresIn, refreshTokenExpiresIn, hybridFlowAccessTokenExpiresIn

Plugin: OAuth2ClientCredentialsGrant
Property: accessTokenValidity

Change (applies to all three plugins above): The value 0 (= no expiration) is no longer allowed and leads to a validation error. Use a large positive value instead. Automatic config migration replaces 0 with 315360000 (10 years).

Plugin: ScriptExpectedOutputType
Property: outputValueType

Change: The output type is no longer an enum value (String, Boolean, Number, Date-Time, or Date) but a plugin.

To migrate:
  • Use the property outputType instead of outputValueType.
  • Refer to a newly created plugin of type SimpleScriptOutputType and copy the original outputValueType value to the property type of the new plugin.

Example:

  type: SimpleScriptOutputType
  id: SimpleScriptOutputType-xxxxxx
  properties:
    type: String

Plugin: SmtpServer
Properties: user, password

Change: The username and password used to authenticate at the SMTP server have been moved to a new sub-plugin:
  • Create a new sub-plugin of type SmtpAuthenticationUsernamePassword and copy the username and password there.
  • In the SmtpServer plugin, use the new property authentication to refer to the new sub-plugin.

Example sub-plugin:

  type: SmtpAuthenticationUsernamePassword
  id: mySmtpAuth
  properties:
    password: somePassword
    user: someUser

Plugin: SwissPostTrackingService

Change: The Swiss Post Tracking service no longer exists and the plugin has been removed. Remove the plugin from the configuration.

Plugins: Airlock2FASelfServiceDeviceEditInitiationStep, Airlock2FADeviceEditStep
Property: enforceUniqueDisplayNames

Change: The new default behavior ensures that user-chosen Airlock 2FA device display names are unique. To keep the old behaviour (not ensuring uniqueness), add the property and set it to false.

Plugin: UserIdentifyingFidoStep
Property: authenticationMethodId

Change: The property is no longer considered (AI-21791). Remove it from the configuration.

Plugin: FidoSettings
Property: requireResidentKey

Change: The property has been renamed to residentKey and changed from a boolean (true or false) to an enum accepting one of discouraged, preferred, or required. Old values are mapped as follows:
  • true becomes required
  • false becomes discouraged
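The config API changes above are the kind of thing a pre-upgrade check over YAML snippets (which the automatic migration may not cover) should catch. The following script is an added example and not Airlock's own migration tooling: it applies every change in the table to a parsed configuration and reports what it touched. It assumes the YAML has already been loaded into a list of plugin dicts shaped like the examples on this page (type, id, properties) and that a plugin refers to a sub-plugin by that sub-plugin's id string; both are assumptions about the layout, as is the sample configuration, which is constructed here to exercise each row.

```python
"""Pre-upgrade check and migration for the IAM 8.6 config API changes.

Added example, not Airlock's own tooling. Assumes the YAML configuration has
already been parsed into a list of plugin dicts shaped like the examples on
this page: {"type": ..., "id": ..., "properties": {...}}, and that one plugin
refers to another by the referenced plugin's id string (assumed layout).
"""
import copy

TEN_YEARS = 315360000  # seconds; the value automatic migration substitutes for 0

# Old (pre-8.6) plugin types and the lifetime properties for which 0 is now a validation error.
EXPIRY_PROPERTIES = {
    "OAuth2AuthorizationCodeGrant": ("authorizationCodeExpiresIn", "accessTokenExpiresIn"),
    "OpenIdConnectAuthorizationCodeGrant": (
        "accessTokenExpiresIn", "refreshTokenExpiresIn", "hybridFlowAccessTokenExpiresIn"),
    "OAuth2ClientCredentialsGrant": ("accessTokenValidity",),
}
DISPLAY_NAME_STEPS = {"Airlock2FASelfServiceDeviceEditInitiationStep", "Airlock2FADeviceEditStep"}


def migrate(plugins):
    """Return (migrated plugin list, findings). The input list is left untouched."""
    migrated = copy.deepcopy(plugins)
    findings = []
    added = []  # sub-plugins created during migration, appended at the end
    for plugin in migrated:
        ptype, pid = plugin.get("type"), plugin.get("id")
        props = plugin.setdefault("properties", {})

        # Unlimited token validity (0) is rejected by 8.6; substitute what auto-migration uses.
        for name in EXPIRY_PROPERTIES.get(ptype, ()):
            if props.get(name) == 0:
                props[name] = TEN_YEARS
                findings.append(f"{pid}: {name}=0 replaced with {TEN_YEARS}")

        # Script output type: enum property becomes a SimpleScriptOutputType sub-plugin.
        if ptype == "ScriptExpectedOutputType" and "outputValueType" in props:
            sub = {"type": "SimpleScriptOutputType", "id": f"SimpleScriptOutputType-{pid}",
                   "properties": {"type": props.pop("outputValueType")}}
            added.append(sub)
            props["outputType"] = sub["id"]
            findings.append(f"{pid}: outputValueType moved to sub-plugin {sub['id']}")

        # SMTP credentials move to an SmtpAuthenticationUsernamePassword sub-plugin.
        if ptype == "SmtpServer" and ("user" in props or "password" in props):
            creds = {k: props.pop(k) for k in ("user", "password") if k in props}
            sub = {"type": "SmtpAuthenticationUsernamePassword", "id": f"{pid}-auth", "properties": creds}
            added.append(sub)
            props["authentication"] = sub["id"]
            findings.append(f"{pid}: user/password moved to sub-plugin {sub['id']}")

        # Removed plugin type and removed property.
        if ptype == "SwissPostTrackingService":
            findings.append(f"{pid}: plugin type removed in 8.6 (service discontinued), dropped")
        if ptype == "UserIdentifyingFidoStep" and "authenticationMethodId" in props:
            del props["authenticationMethodId"]
            findings.append(f"{pid}: authenticationMethodId is no longer considered, removed")

        # Boolean requireResidentKey becomes the residentKey enum (true->required, false->discouraged).
        if ptype == "FidoSettings" and "requireResidentKey" in props:
            props["residentKey"] = "required" if props.pop("requireResidentKey") else "discouraged"
            findings.append(f"{pid}: requireResidentKey mapped to residentKey={props['residentKey']}")

        # Changed default: display-name uniqueness is now enforced unless explicitly disabled.
        if ptype in DISPLAY_NAME_STEPS and "enforceUniqueDisplayNames" not in props:
            findings.append(f"{pid}: display names are now unique by default; "
                            "set enforceUniqueDisplayNames: false only to keep the old behaviour")

    migrated = [p for p in migrated if p.get("type") != "SwissPostTrackingService"] + added
    return migrated, findings


def by_id(plugins):
    """Index a plugin list by id (convenience for inspection and tests)."""
    return {p["id"]: p for p in plugins}


# Constructed sample configuration (not a real IAM config) exercising every change in the table.
SAMPLE_CONFIG = [
    {"type": "OAuth2AuthorizationCodeGrant", "id": "codeGrant",
     "properties": {"authorizationCodeExpiresIn": 600, "accessTokenExpiresIn": 0}},
    {"type": "ScriptExpectedOutputType", "id": "scriptOut", "properties": {"outputValueType": "String"}},
    {"type": "SmtpServer", "id": "mailRelay",
     "properties": {"host": "smtp.example.internal", "user": "someUser", "password": "somePassword"}},
    {"type": "SwissPostTrackingService", "id": "postTracking", "properties": {}},
    {"type": "Airlock2FADeviceEditStep", "id": "deviceEdit", "properties": {}},
    {"type": "UserIdentifyingFidoStep", "id": "fidoStep", "properties": {"authenticationMethodId": "m1"}},
    {"type": "FidoSettings", "id": "fido", "properties": {"requireResidentKey": True}},
]

if __name__ == "__main__":
    migrated_config, report = migrate(SAMPLE_CONFIG)
    for line in report:
        print(line)
```

The input list is deep-copied so the original configuration can be diffed against the result before anything is written back; the findings list is the part worth reviewing, since the changed 2FA display-name default and the removed Swiss Post plugin need a decision rather than a mechanical rewrite.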

Further information and links