2.3.14 (February 21 2024)
- Changed the cacert certificate verify internals not to require the CA
root certificates to be provided when only an intermediate CA trust is
required (for all WebADM connectors).
- Upgraded embedded OpenSSL to version 3.2.1 (including security fixes).
- Added a tenant object configuration to adjust the SQL log retention time.
- Added a tenant self-configuration option to customize log retention time.
- Added an 'ignored_proxies' undocumented settting to allow internal Web
access via load-balancers / reverse-proxies.
- Fixed a SQL query memory issue with MariaDB introduced in v2.3.12.
- Fixed WebADM complaining because no_badgein_message and no_badgein_subject
are unrecognized settings.
2.3.13 (February 5 2024)
- Fixed user badging dashboard not displaying remote statistics.
- Fixed issue with badged LDAP groups not being purged correctly.
- Fixed alerts not sent when user did not badged out.
- Upgraded embedded OpenSSL to version 3.1.4 (including security fixes).
- Fixed issues with Novell passwordExpirationTime attribute.
2.3.12 (January 26 2024)
- The 'waproxy_pubaddr' in 'conf/webadm.conf' is renamed 'public_hostname'.
> This setting applies to both 'waproxy_proxies' and 'reverse_proxies'.
> The old setting name remains valid for backward compatibility.
- Fixed a segmentation fault which can occur with watchd deamon at shutdown.
- Fixed client certificates being required with requests comming from local
Radius Bridge on the secondary cluster node.
- Fixed some remaining minor OCSP responder problems.
- Added support for Novell PasswordEpirationTime attribute.
- Fixed manager API 'get_user_settings' returning all application settings
including private settings when requesting an empty array of settings.
- Upgraded embedded OpenSSL to version 3.1.4 (stable 3.1 release).
- Restored broken PKCS#12 certificate export for Apple MacOS/IOS.
- Added support for RCDevs cloud services' protocol update 2024.
- Fixed automatic database schema update with MariaDB.
- Fixed detection of expired user certificates in self-services.
- Fixed badging location reporting issues for remote workers.
- Fixed some right restrictions not being enforced with manager methods
exported by applications like OpenOTP.
2.3.11 (December 13 2023)
- Display a scrollbar when left menus are too long under the admin portal.
- Added support for signature with smartcards and eIds requiring terminal
authentication or other types of authorization.
- Enhanced the badged/office groups' management (use few LDAP operations).
- Log proxy user permission errors when filling LDAP badged groups.
- Fixed minor display issues with MSSP license on master tenant.
- Fixed exceptions with OCSP responder when request is malformed.
- Fixed some user alerts not being sent in time.
- Fixed broken object rename under a tenant.
2.3.10 (November 30 2023)
- Added WAPI functions to live check for weak and leaked passwords.
The feature is inluded in the latest OpenOTP and PwReset applications.
> Common weak password hashes are regularly downloaded locally by WebADM.
> Additionally RCDevs cloud services can check for leaked passwords in
a password reset by using PwnedPassword at https://haveibeenpwned.com/.
> Of course in the later case, passwords are not sent out of WebADM.
The PwnedPassword protocol with sub-hash is being used.
> You can now activate this feature in the RCDevs Password Reset WebApp.
- Added support for tenants when using ActiveDirectory as root LDAP.
2.3.9 (November 17 2023)
- Added a client policy setting allowing login with failed LDAP passwords
when password expired, must be reset or account is locked-out.
- Fixed a cache reload issue which can cause failed requests in very rare
circumstances while updating configuration objects.
- Issued CRLs are now signed with sha256 hash instead of sha1.
- Fixed setup script not setting organization name in the TLS certificate.
- Fixed agreement signature failing with large PDF files.
2.3.8 (November 8 2023)
- Upgraded embedded Apache to version 2.4.58 (including security fixes).
- Upgraded embedded OpenSSL to version 3.0.12 (current long-term release).
- Upgraded MySQL ODBC driver to the latest stable version (8.2).
> Older MySQLv5 driver is no longer supported in WebADM and uses the
default MySQL8 driver now (when 'MySQL' database type is used).
- Added optional management IP restriction for Admin Roles.
- Added an Admin Role setting allowing to role members to use the WebADM
proxy user for LDAP access rights.
- Fixed OptionSet user alerts and badging group purging not handled
by the background tasks when Option Sets are set inside domain trees.
- Fixed setup screen shown in WebADM tenants when forcing index URL.
- Fixed broken 'ldap_routing' setting.
- Fixed WebADM CA service (RSignd) not working correctly in IPv6 mode.
- Complete rewrite of the HSM framework (new HSMs supported).
> Any local PKCS#11 driver is now supported (see webadm.conf.default).
> SafeNet Luna and AWS CloudHSM are now supported.
> HSM with dedicated key handles is supported within tenants.
- Many optimizations and enahcements in the internal encryption framework.
- Fixed user/host count not refreshed when forcing license re-count when
inside a WebADM tenant.
- Added an environment variable in the optional conf/webadm.env to enable
HTTP listening on IPv6 interfaces (ex. INTERFACE6=::).
2.3.7 (October 19 2023)
- Added support for PKI login with client certificates in OpenOTP.
- Client certificate generation supports PKCS#12 export package format.
- Added a home menu with links to the documentations for Cloud tenants.
- Introducing WebADM chatbot assistant for customers with paid support.
> The AI assistant will be regularly improved in the coming months.
- Fixed admin search when selecting the treebase on Active Directory.
- Added tenants' resource allocation status in the license info page.
- Fixed empty client IP with RADIUS requests coming for localhost.
- Fixed OCSP issues when Adobe Reader queries the local CA.
- Fixed required badging not working with group exclusion in a policy.
- Fixed an SQL query issue when pruning expired API keys.
2.3.6 (September 13 2023)
- Added a WAPI framework for SpanKey to send event to syslog.
> Feature included in SpanKey Server v2.1.3.
- Adjusted CEF metadata when syslog_fomat 'CEF' is used.
> WebADM CEF metadata in use are: rt (timestamp), sid (session ID),
src (source IP), and user (domain\userId).
- Added support for CockroachDB via the PostgreSQL ODBC driver.
- Fixed CA and client certificate configs not working with PostgreSQL.
- Upgraded OpenLDAP libraries to version 2.6.6 (bug fixes).
- Upgraded embedded Redis server to version 7.2.1 (bug fixes).
- Fixed inventory import not working from a WebADM Tenant.
- Added support for SAML method in OpenLDAP.
- Allow tenant selection when importing messages or inventories from
the master tenant.
- Upgraded embedded OpenSSL to version 1.1.1w (including security fixes).
- Added a 'help' entry in the top menu (for direct access to RCDevs
online documentations).
2.3.5 (August 25 2023)
- Added an OptionSet setting to set the default LDAP search base under
the Admin portal.
- Do not fail with external CAs defined with multiple CommonNames.
- Fixed OCSP responses not being parsed correctly by clients with
non-WebADM CAs.
- Fixed manager AD sync methods errors with non-tenant licenses.
- Fixed TLS certificate generation timeout stopping after 60 seconds
during Radiusd, LDProxy and WAProxy setups.
- Display license users and hosts count in the Admin portal's home page.
- Multi-Tenant license model is not in preview state anymore.
- Upgraded embedded Redis server to version 7.2.0 (features and fixes).
- Added email notifications when access is denied because the user is not
currently badged-in (requires OptionSet 'Badging' alerts to be enabled).
- Fixed segmentation faults under very high loads.
- Optimized WebADM startup (much faster).
2.3.4 (August 1 2023)
- Added Manager methods for syncing a remote AD/LDAP with a WebADM
hosted tenant. These methods are used by RCDevs AD/LDAP sync scripts.
> Sync_LDAP_Object allows syncing a subset of attributes for an object.
The object is automatically created when not existing (based on the
provided attribute and object class information).
The object is automatically moved if the DN changed since last sync.
> Sync_LDAP_Delete allows removing all orphan DNs from the synced
LDAP container (non-existing objects on the remote LDAP are removed).
- Added an OptionSet setting for mapping LDAP DN during a AD/LDAP sync.
> This is necessary for DN consistency because the local tree structure
(ie. DN suffixes) differs from the remote AD/LDAP tree.
- Fixed SAML metadata & OpenID .well-known URLs with WAProxies.
- Fixed add group member issues using via tree browser in Admin Portal.
- Fixed OpenOTP & SpanKey broken 'bin/report' tools.
- Upgraded embedded Redis server to version 7.0.12 (bug fixes).
- Upgraded OpenLDAP libraries to version 2.6.5 (bug fixes).
- Upgraded embedded OpenSSL to version 1.1.1v (including security fixes).
2.3.3 (July 13 2023)
- Added API key database encryption.
> Secret tokens are now encrypted with AES256 by default.
- Fixed minor issues with the client policies' agreement signing feature.
- Updated the setup script with support for cluster setup with HA PKI.
- Fixed setup issues where slave refuses to setup its SSL certificate
using the master server's PKI service.
- Fixed manager method 'pki_remove_user_certificate' (parameter type).
- Fixed request Id numeric format in responses from the Manager interface
when the numeric Id is a big integer.
- Added compatibility with WebADM HelpDesk (broken since v2.3).
2.3.2 (June 26 2023)
- Fixed group setting error when a group has just been removed and group
cache is still present for a user.
- Fixed a CRL generation issue with revoked certificates generated with
the newer Rsignd 'rnd' serial number format.
- Fixed some Redis connection issues when WebADM is configured as an AD
intermediate CA.
2.3.1 (June 13 2023)
- Enhanced the added user agreement functionality.
> Send QRCode by email in case user did not receive the push request.
> Send the signed contract to the signing user.
- Fixed group creation issues with Active Directory.
2.3.0 (June 9 2023)
- Added multi-tenant licensing support. Please contact RCDevs Sales for
more information about the multi-tenant WebADM or you plan to act as
an IAM service provider for your customers.
> WebADM multi-tenant (ie. Service Provide edition) allows multiple
organizations to co-habit under the same HA cluster, with their own
configurations, applications, domains, policies etc...
> Added service provider branding options for tenants.
- Added support for shared event logs allowing to view log entries from
either server in the cluster in the log viewer.
> The feature works with clustered WebADM only and is enabled with the
'log_shared' configuration in 'webadm.conf'.
- Added support for Web services' API keys. Both client certificates and
API keys can be used now.
- Simplified cache clearing options.
- Many minor enhancements and optimizations.
- Added configurations for SQL log retention time.
- The configuration 'record_path' has been replaced by 'storage_path'.
- Added user consent and agreement signing during login transaction.
> With HTML documents, a user consent is shown for signed confirmation.
> With other documents, the user has to sign the attached document.
> These features are configured via Client Policies and provide eIDAS-
compliant login terms and conditions signature with PaDES (PDF) or
CaDES, during a user authentication workflow with OpenOTP and SpanKey.
2.2.4 (April 29 2023)
- Fixed certificate issues when Rsignd is configured with 'rnd' serial
numbers mode. Issues include OCSP, CRL and certificate auto-renewals.
- Updates JQuery to the latest version (security fixes).
- Added DKIM signing for outgoing emails (see dkim configs in webadm.conf).
- Fixed a library dependency issue with nghttp on some distributions.
2.2.3 (April 20 2023)
- Upgraded embedded Apache to version 2.4.57 (including security fixes).
- The PKI service now supports running on both cluster nodes. You need to
set 'serial_format' to 'rnd' in rsignd.conf for HA PKI services.
Random serials use 128bit random Hex values instead of auto-incremented
decimal values.
- New installation build the PKI with 4096 bits.
- Fixed a dependency issue when WebADM APIs are accessed over HTTP2.
- Generated CRL is now in DER format by default. The query-string format
parameter allows choosing between DER and PEM.
2.2.2 (March 23 2023)
- Upgraded embedded Apache to version 2.4.56 (including security fixes).
- Upgraded embedded Redis server to version 7.0.9 (bug fixes).
- Multiple minor enhancements and bug fixes introduced with version 2.2.
2.2.1 (February 26 2023)
- Upgraded embedded OpenSSL to version 1.1.1t (including security fixes).
- Added clickable usernames for auto-filters in the access badging viewer.
- Minor bug fixes.
2.2.0 (January 20 2023)
- Upgraded embedded PHP runtime to the 8.1 stable branch.
- Upgraded embedded Apache to version 2.4.55 (including security fixes).
Many code rewrites due the PHP API and error handling changes.
- Many design changes (stylesheets, logos, etc..).
> Please clear your browsers' cache after updating in case WebADM
icons or stylesheets would not be displayed correctly.
- New Admin and application icons.
> Tree icons are now based on object classes. You can also safely
remove all 'icon' entries from the 'conf/object.xml' file.
- Added frameworks to support RCDevs physical access control devices.
- Added frameworks to support the new YumiSign Portal WebApp.
- Badged and Office auto-filled LDAP groups support Unix groups too.
- Fixed user language being wrongly set after loging into WebApps.
- The license user count now ignores disabled ActiveDirectory users.
- Added a crash reporting system allowing WebADM to send crash data.
> Data only includes file name, line number and function name.
- Removed FIDO U2F for MFA login (deprecated in flavor of FIDO2).
- Added indexes to all SQL 'date' database fields (during setup).
- Added support services in license details (RCDevs Services' SLA).
2.1.19 (December 22 2022)
- Added an AUTH license option (included in all existing licenses).
> The option now allows RCDevs to distribute license with 'Sign' or
'Badge' options only (ie. without Authentication Services).
> The PSD2 'Confirm' license options is now part of the 'Sign' options.
- Fixed an issue with LDAP paged results introduced in 2.1.18.
- Fixed issues wih password reset in ActiveDirectory.
- Fixed language selection not working for 'English' in WebApps.
- Added support for SelfDesk Web badging.
2.1.18 (December 11 2022)
- Multiple enhancement to the badging subsystem (for OpenOTP v2.1.8).
> Most of the badging features are now configured via OptionSets.
> New badging policies are available via Client Policies.
> For now Mobile Badging is provided for FREE to all existing RCDevs
Customers. Please Ask RCDevs sales to activate the badging feature
in your current OpenOTP license.
> To Activate the badging feature in OpenOTP, enable 'Mobile Badging'
under the OpenOTP application settings. On the mobile phone, start
the OpenOTP Token app, then click/open your Token instance and click
the 'Synchronization'. The 'Badge-In/Badge-Out' button appears now.
- Added a google-map location picker to select office location in the
OptionSets. An automatic address resolver is provided too.
- Moved CHECK badging expiration into OptionSets.
- Added auto-populated groups for badged-in user with OpenSets.
- Added the 'Badging Source IP Match' client policy options.
- Added support for the 'MIXED' badging option in OpenOTP 2.1.7-2.
- Display badged-in status in the user edit under the Admin portal.
- Removed '{crypt}' LDAP password encoding option in 'objects.xml'.
- Fixed issues wih password reset in ActiveDirectory.
- fixed issues with user alerts.
2.1.17 (December 2 2022)
- Multiple enhancements and fixes to the Remote Badging subsystem.
- Added a home section with enabled features and daily statistics.
- Added a section jumper menu in all application settings editors.
- Added more options to the user presence and badging viewer.
- Display google map badging locations in blue in the log viewer.
- Domain alert settings are moved to the OptionSet object.
If you configured user alerts in WebADM domains, please set the same
settings in an OptionSet applying to your domain tree base.
- Fixed client settings' issues with SpanKey using Risk-Based Policy.
2.1.16 (November 23 2022)
- Added support for RCDevs Mobile Token badging with OpenOTP v2.1.6.
> Added a user badging report under the 'Databases' menu.
> Features local/remote user badging and time tracking.
> New OptionSet settings allow to configure remote work accounting
with per-country quotas.
- Added a client policy option to allow access for badged-in users only.
- Fixed CRL not being generated with too many revoked certificates.
- Upgraded embedded OpenSSL to version 1.1.1s (including bug fixes).
- Fixed a minor JS injection issue with CSR token issue and WebApps.
- Fixed MariaDB issues with DNs and accents (introduced in v2.1.13).
2.1.15 (October 7 2022)
- Added dynamic Client Policies' functionalities (Step Up / Step Down).
> Client policies operating mode can be temporarily re-configured in
'Step Up', 'Step Down' or 'Access Deny' enforcement mode.
> A manager function 'Set_Client_Mode' allows controlling the client
policies' enforcement mode programmatically.
- Added a Client Policy setting 'Risk-Based Auto Step Up Mode' to enable
risk-based dynamic enforcement mode with two options:
1) Step-Up-only when the source IP matches a botnet or a VPN endpoint.
2) Deny access for compromised botnet IPs and Step-Up for VPN endpoints.
- Added an event type description to all SQL logs but Alerts.
> After upgrading, you must login as super admin in order to let WebADM
update the 'WebApp' and 'WebSrv' SQL database tables!
- Tagged all log events with the correct log levels for syslog.
- Added log level textual keyword in the CEF log format.
- Updated MariaDB ODBC connector.
- Enhanced Cloud connection reliability in case unusual HTTP2 events.
- GeoIP databases are now auto-updated via RCDevs Cloud services.
- Added more detailed license expiration warnings.
- Fixed SQL certificate duplicate entry errors when using 'Require Client
Certificate' with Web services.
- Fixed a license cache issue with Cloud licenses when expired but still
working in extended/emergency mode.
- Removed deprecated Yubico YubiHSMv1 support. YubiHSMv2 will be supported
in an upcoming version.
2.1.14 (August 24 2022)
- Fixed compatibility issues with WebADM mixed schema setup mode.
- Object Settings/Data read and write operations now only use the first
attribute configured in webadm.conf which is matching the LDAP schema.
- Fixed database setup issues with SQL server and nvarchar lengths.
- Fixed certificate expiration alerts being sent only for the first user
certificate.
- Fixed incorrect displayed value of AD ObjectGUID under the edit.page.
- Fixed MariaDB ODBC driver not supporting unicode characters.
2.1.13 (August 19 2022)
- Voice Biometrics engine to version 2 (requires OpenOTP >= 2.1.3).
> The voice model v2 is not compatible the previously stored user voice
model. A re-registration is required for users with registered voice!
> Voice model storage v2 requires much less data and does not require
LDAP attribute chunking anymore.
- Upgraded embedded Redis server to version 7.0.4 (security fixes).
- Added support for LDAP-based RADIUS reply attribute with filtering.
2.1.12 (July 7 2022)
- Fixed a PostgreSQL ODBC driver dependency issue (file permission).
- Upgraded embedded OpenSSL to version 1.1.1q (including security fixes).
- Fixed incorrect CEF metadata format and added CEF event type.
- Fixed OpenOTP 'bin/report' tool issues when using SQL user data.
- Fixed Admin portal idle session expiration not honoured.
- Use latest ODBC drivers for MySQL and MariaDB.
- Advanced LDAP edit mode displays OpenLDAP internal attributes.
- Added a search option to return OpenLDAP internal attributes.
2.1.11 (June 27 2022)
- Upgraded embedded Apache to version 2.4.54 (including security fixes).
- Added setup options for configuring WebADM as ActiveDirectory sub-CA.
- Fixed LDAPExpireSubject not being translated in the user's language.
2.1.10 (June 1 2022)
- Mobile signature certificates are now added to the certificate SQL
table (under the Databases menu).
- Added support for mobile signature certificates revocation (including
those issued by RCDevs Enterprise Global CA).
- Fixed minor Rsignd issues for CSR decoding.
- Fixed broken WebADM SSL certificate auto-renewal when near expiration.
2.1.9 (May 6 2022)
- Added CRL URI information for client and server certificates.
- Allow revocation status for server certificates in the SQL database.
- Upgraded embedded Redis to version 7.0.0 (bug and security fixes).
- Upgraded embedded OpenSSL to version 1.1.1o (including security fixes).
- OCSP and CRL are available over both HTTP and HTTPs.
> Certificates are created with HTTP URIs.
> You need a WAProxy upgrade to support HTTP URIs if you use WAProxy.
- Server and client certificate table is referenced with serial numbers.
> Table will be auto-updated by WebADM background scripts.
2.1.8 (April 22 2022)
- Updated WebApps frameworks to return password change failed reason
(required by the latest RCDevs' SelfReg WebApp).
- Updated WebApps frameworks to allow more options for user certificate
generation (required by the latest RCDevs' SelfDesk WebApp).
- Fixed broken SQL record pruning under the Admin portal.
- Updated JQuery to version 3.6 (security fixes).
- Fixed CSRF issues with RCDevs' SAML IdP Provider.
- Fixed a setup issue while generating server self-certificate.
2.1.7 (April 14 2022)
- Added TLS Web Server Authentication extended key usage for server
certificates (fixes EAP-TLS issues with Radius Bridge).
- OCSP endpoints are provided via WAProxy public URLs when WAProxy or
a reverse-proxy is configured.
- Added options for S/Mime and Microsoft Smartcard login when creating
user certificates under the Admin portal.
- Allow admin certificates to be used for login, S/Mime, etc...
- Fixed License cache issues.
2.1.6 (April 6 2022)
- Added support for OpenOTP Advanced Signature with RCDevs Global CA.
- Upgraded embedded Apache to version 2.4.53 (including security fixes).
- Upgraded embedded OpenSSL to version 1.1.1n (including bug fixes).
- Added a Manager method to link and unlink inventory item (Tokens).
- Fixed session server connection issues when using an AD sub-CA.
- Fixed user certificate generation without an email address.
- Fixed user certificates not working for EAP-TLS login (Wifi).
> Failing user certificates have to be re-generated.
2.1.5 (February 22 2022)
- TLS encryption is enforced for Session Servers on default port 4000.
Cleartext session server communication on port 4000 is deprecated.
> Please remove the 'encryption="NONE"' from your Session Server's.
> Your can safely enable server secrets over untrusted networks.
> the keyword 'encryption' is not valid anymore for Session Server.
Your 'servers.xml' file is also auto-modified during update.
> Session Server replication over a WebADM cluster now uses TLS.
> IMPORTANT: With this upgrade, you need to update both servers in
a cluster for session master management and replication to work.
2.1.4 (February 15 2022)
- Fixed broken user certificate generation under the Admin portal.
- Fixed eIDAS CA cert import not displayed under the trusted CA list.
2.1.3 (February 7 2022)
- Added AuthorityInfoAccess with OCSP and CA URLs for user certificates.
- Added ExtendedKeyUsage information with E-mail Protection, Client
Authentication and Microsoft Smartcard login with user certificates.
- Fine-tuned Content-Security-Policy, Strict-Transport-Security and
X-Frame-Options HTTPS headers.
- Added a CSRF protection to the Admin portal with per-session subdirs.
- Fixed issues with 'auto' mode for waproxy_proxies and reverse_proxies.
- Fixed an issue with cached user certificates used for PKI login.
2.1.2 (January 24 2022)
- Added an endpoint for retrieving webadm trusted CA bundle.
> Used by latest versions of RCDevs Radiusd and WAProxy.
- Added startup consistency checks for internal the CA certificate.
- The list of trusted CA certificates is available under the Admin menu.
> Trusted CA certificates are now manged graphically at cluster level.
> The 'pki/trusted' folder is converted to the new CA bundle format
during the WebADM upgrade process.
- WebADM session cookies now have the 'SameSite' set to 'Strict'.
- Added an 'auto' mode for waproxy_proxies and reverse_proxies which
automatically detects proxies based on headers (use only with caution).
- Created user certificates are now compatible with AD userPrincipalName.
2.1.1 (December 24 2021)
- Added OptionSet settings (MinUID and MinGID) to configure the minimum
values for auto-incremented UNIX UIDs and GIDs.
- Upgraded embedded Apache to version 2.4.52 (including security fixes).
- Upgraded embedded OpenSSL to version 1.1.1m (including bug fixes).
2.1.0 (December 10 2021)
- Fixed LDIF import/export for ActiveDirectory groups.
- Removed OptionSet setting for using external PKI (Rsignd only now).
- Added import of external certificates on user accounts (ex. eIDAS).
> Certificates issued by trusted external CAs (in pki/trusted/) can
login on all WebApps in PKI mode and via OpenOTP PKILogin method.
- Added OCSP validation for logins with external certificates.
- Major improvements to the LDAP group searches for applications.
- UNIX groups with memberUid now works in all the app frameworks.
- User's gidNumber is handled too for any LDAP group searched.
- Fixed several issues and inconsistencies with LDAP Group Search Base.
- Added support for OCSP and OpenOTP PKI method with user certificates
generated by external CAs.
- Fixed issues connecting to WebADM PKI server when using external CA.
- MemberGUID is now part of the unicity check.
- Many small fixes and Major improvements to the PKI subsystem.
- Added a Manager method for unlocking WebApp access for applications
configured with 'Access Locked' enabled.
- Newly-created Admin certificates can be used for WebApps' login.
- Manager method 'Get_User_ID' is replaced by method 'Get_User_IDs'.
2.0.25 (November 10 2021)
- Upgraded embedded Apache to version 2.4.51 (including security fixes).
- Upgraded embedded Redis server to version 6.2.6 (bug fixes).
- Upgraded OpenLDAP libraries to version 2.6.0 (bug fixes).
- Fixed a problem with expired cache with Cloud licenses.
- Added support for OpenOTP licenses with signing credits.
- Added support for alternative names in the user certificate forms.
- Added support for s/mime usage when creating a user certificate.
- Record SQL alerts for admin sessions with non-super admins.
- User editor displays a warning when an AD user account is locked.
- Fixed per-domain email 'from' not working with background tasks.
- Fixed per-domain certificate and password expired alerts not working.
- Fixed too many delays when Cloud services are not reachable
- Fixed client policies' required groups not working with Posix groups
containing memberUid.
- Better support of schema not extended with mixed AD environments.
- Fixed dependency issues with the MariaDB database driver.
2.0.24 (September 28 2021)
- Upgraded embedded Apache to version 2.4.49 (including security fixes).
- Added support for LDProxy option to return LDAP diagnostic messages.
- New qualified signature services' features required by OpenOTP 2.0.1.
- Added support for XaDES (XML) qualified signature format.
2.0.23 (September 13 2021)
- Email user warnings for certificate or password expirations has to be
configured in the Domain settings.
It is also possible to adjust the warning period and re-send delays.
> The 'user_warning' setting in 'webadm.conf' is now deprecated.
- Final WAPI support for PaDES/CaDES digital signatures (OpenOTP v2.0).
- Fixed a missing libpq dependency with PostgreSQL database under Debian.
- Fixed per-client default domain not working with SpanKey NSS.
- Added preference saving for log viewers, searches, etc...
- Fixed failures with removal of object classes from the admin interface.
- Fixed 'bin/encrypt' and 'bin/verify' batch scripts not working with more
than 1000 users.
- Upgraded OpenSSL to version 1.1.1l (including security fixes).
- Enhanced RCDevs' Cloud microservice protocol to support longer requests
(required by the new OpenOTPv2 PDF signing functionalities).
- Removed Session max memory. Memory usage is now handled dynamically.
> Removed 'REDIS_MEMSIZE' and 'REDIS_NOSYNC' environment variables.
2.0.22 (July 5 2021)
- Added WAPI functions for services to seal and timestamp PDF documents.
- Added support for OpenOTP v2.0 (WAPI 69).
- Minor enhancements to the OCSP service.
- Allow WebApps to create logfile events for every user operation.
> Removed the 'log_mixsql' setting in 'webadm.conf' (now always on).
2.0.21 (June 28 2021)
- Added compatibility with Microsoft AzureAD.
- Added some configuration templates under 'docs/ActiveDirectory' to use
extended AD / OpenLDAP as base directory with mounted unextended AD(s).
- Fixed EUTL verification issues (required by upcoming OpenOTP v2.0).
- Fixed an SQL duplicate key error with WebADM statistics table.
- Fixed %DOMAIN% variable not working in webadm.conf's message templates.
2.0.20 (June 11 2021)
- Upgraded embedded Apache to version 2.4.48 (including security fixes).
- Upgraded OpenLDAP libraries to version 2.5.5 (bug fixes).
- Upgraded embedded Redis server to version 6.2.4 (bug fixes).
- Fixed containers not detected correctly in the treeview when logging-in
inside a mount point.
- Added a Manager method for counting the activated users within a domain.
- Added WAPI function for OpenOTP to validate a signature is EUTL-compliant.
- EUTL trusted CA list is fetched regularly via the background tasks.
- The JSON /status.php API returns connector issues and not HTTP 500 error.
- Freeware options like advanced/qualified signature are valid for 1 month.
2.0.19 (May 12 2021)
- Added user DN and client ID chaining in the log viewer when an application
calls a service application (ex. OpenOTP calls SMSHub). SMSHub logs can
now be filtered for a specific user and OptionSet view restrictions apply.
- Fixed MSSQL issues with SQL data store.
> Please use MariaDB driver with MariaDB and MySQL8 driver with MySQL to
avoid database issues.
> With MariaDB and MSSQL be sure to have the database collation set to UTF8
for all WebADM tables if you encounter strange characters in the SQL logs.
- Disallow the 'bin/pwcrypt' with freeware license.
- Upgraded OpenLDAP libraries to version 2.5.4.
- Upgraded embedded Redis server to version 6.2.3.
- Upgraded GeoIP databases (cities and countries).
- Added HSM configuration tools in '/opt/webadm/doc/scripts/'.
> HSM usage documentations are provided on RCDevs' documentation site.
- Minor HSM management improvements (high availability and failover).
- Added a WAPI method to unlock WebApp with locked access (used by HelpDesk).
- Improved Cloud service APIs used for OpenOTP file signing methods.
- Graphical setup sets the proxy user password only when the proxy account
does not already exists.
2.0.18 (May 3 2021)
- Upgraded all ODBC database drivers with the unicode-enabled versions.
- Fixed reported issues related to the MySQL8 ODBC connections.
- Added an optional 'charset' parameter for SQL servers in servers.xml.
> Set charset="latin1" if you encounter database character issues after an
upgrade to WebADM v2.0.16 or later.
- Domain UPN Suffix can optionally be a list of domain suffixes.
- Added a '/status' page cache to optimize RCDevs microservices requests.
2.0.17 (April 19 2021)
- Added support for per-domain Token Logo, email address, etc... with service
provider licenses.
- Better support of CardContact smartcard-based HSM (performance improvements).
- Auto renew SSL certificate before starting sending warnings.
> Warnings are now sent once per day and not per hour.
- Removed a PCRE2 library requirement with MirKey and eHSMs.
- Expired licenses do not try to contact RCDevs online services anymore.
2.0.16 (April 4 2021)
- Added support for dedicated Push servers (as part of the branding options).
- Minor Watchd connection enhancements.
- Enhanced MirKey support with HSM timeout management.
- Fixed minor javascript issues when un-checking some application settings.
- Fixed all objects displayed as containers when loging in a LDAP MountPoint.
- Fixed a segmentation fault issue when using the MySQL8 SQL database driver.
> MySQL database type now refers the MariaDB ODBC driver.
> If you encounter problems like segfaults, please change SQL database type
to 'MariaDB' in 'conf/servers.xml'.
> If you really need MySQL drivers then set 'MySQL5' or 'MySQL8' database type.
- Upgraded OpenSSL to version 1.1.1k (including security fixes).
- Upgraded OpenLDAP libraries to version 2.4.58.
2.0.15 (March 16 2021)
- Added support for ellipticSecure eHSM and MIRKey.
- Upgraded OpenSSL to version 1.1.1j (including security fixes).
- Upgraded embedded Redis server to version 6.2.1 (newest stable branch).
- Fixed renewed WebADM certificate being renamed 'webadm2.crt'.
- Fixed certificate auto-renewal broken on slave WebADM nodes.
- Updated GeoIP databases (February 2022).
- The 'admin_session' and 'manager_session' settings can now be set in the
form 'shared:60' where the 'shared' stores sessions in the Redis server
instead of SHM memory (useful with load-balancers without sticky sessions).
- Aligned the data/time format in 'webadm.log' and 'sessiond.log' log files.
- Fixed license expiration issues with Perpetual licenses.
- Removed TiQR Web Service application from the all-in-one build.
> Your applications' configurations may be incorrect after upgrade if you
enabled any TiQR setting. In this case, just edit and re-apply the
configurations under the 'Application' menu in WebADM.
- Fixed Cluster menu not displaying (bug introduced in 2.0.15-1).
2.0.14
- Added a role deletion right for issuing client certificates required
during the SpanKey client setup.
- Allow OpenOTP clients (ex. MFAVPN) to reside on the same host as WAProxy.
- Upgraded OpenLDAP libraries to version 2.4.57.
- Added support for RCDevs staging licenses (for microservices beta-testing).
2.0.13
- Fixed issues when SpanKey or other clients sending OpenOTP requests reside
on the same server as a WAProxy.
- More optimizations and stability fixes with reverse-proxies used as WAProxy.
- Minor enhancements to the client policies domain-based restrictions.
- Fixed error on 'websrv_get_proxy_options()' with YubiCloud via a HTTP proxy.
- Added error reasons in Manager JSON-RPC failed responses.
2.0.12
- Upgraded embedded PHP runtime to the 7.2 stable branch.
> This WebADM version requires updated versions for all WebDAM apps.
- Reverse proxies are now usable like WAProxies (support app publishing).
- Remove an unnecessary dependency to libltdl.
- Prevent a Cloud error with 'connection failed while calling xxxx'.
- Fixed detection of ActiveDirectory Forest Level 2019.
- Fixed wrong host IP with RadiusBridge clients causing client policies not
being correctly matched (bug present since WebAD v2.0.0).
- Upgraded embedded Redis server to version 6.0.10.
2.0.10
- Fixed support ticket containing unicode characters.
- Fixed broken manager method 'Update_Inventory_Items'.
- Fixed broken Admin portal login with MFA in Challenge-Response mode.
- Upgraded OpenSSL to version 1.1.1i (including security fixes).
- Updated MariaDB ODBC driver to the latest version.
- Fixed MySQL8 and MySQL5 drivers' issues with UTF-8.
- Updated JQuery to the latest version (including security fixes).
- Added Cloud services' status to the /status.php?json=1 page.
- Prompt for certificate key password when needed at startup.
2.0.9
- Fixed very rare RCDevs' Cloud services reconnection issues.
- Added several Cloud Services' communication optimizations.
- Fixed regex backslashes not possible in the OpenID settings editor.
2.0.8
- Changed the response format of the Manager method 'Server_Status' with more
application and server details.
- Fixed minor issues with PKCS#11 HSMs.
- Added a 'json' parameter to the WebADM HTTP status page to get more details.
When called with https://myserver/status.php?json=1, the result is similar to
the 'Server_Status' Manager method.
- Added a notification subsystem for important software notice to be fed.
- Fixed minor watchd issues with error handling.
- Enabled LibGMP assembly optimizations (for performances).
- Added support ticket direct creation from the WebADM home page.
- Upgraded OpenLDAP libraries to version 2.4.56.
2.0.7
- Added a new cloud service for preparing and sealing signed PDF files.
> This is required by OpenOTP v1.5.1 with 'Prepare Attached Files' option.
- Improved RCDevs' Cloud microservice communications.
- Fixed DNS hostname length limitations in watchd.
- Added HTTP2 flow control mechanisms in watchd.
- Added more company customization options for service providers.
- Fixed a missing libexpat library dependency.
- Added support for Feitian PKCS#11 HSMs (ePass2003).
- Added support for HSM-based Rsignd certificate authority.
- Upgraded OpenLDAP libraries to version 2.4.55.
- Use latest ODBC drivers for MySQL and MariaDB.
2.0.6
- Fixed the issue with message 'untrusted cloud service my_service' causing
Cloud-based licenses to fail after an upgrade.
- Fixed a Cloud access issue with WebADMv1 Enterprise licenses.
2.0.4
- Added Client IP address chaining in SQL logs (ex. OpenOTP calling SMSHub).
- Added a Web service setting to enable service requests via WAProxies.
> This is now a mandatory requirement if you published Web services over
Internet via a WAProxy with the 'PUBLISH_WEBSRVS' setting.
> If not specifically enabled in WebADM, the service requests are refused.
> The setting allows publishing services independently (like for WebApps).
- Better handling / detection of reverse-proxies and WAProxy.
- Added support for HTTP Web proxies with HTTP basic authentication.
- Added a status endpoint for reverse-proxies or monitoring systems which
need to poll a WebADM URL.
> The status URL is https://webadm_server/status.php.
- Fixed Web service requests failing when coming from a server configured
as reverse-proxy/waproxy in webadm.conf.
- Upgraded OpenLDAP libraries to version 2.4.53.
- Upgraded embedded Redis server to version 6.0.8.
- Upgraded unixODBC to version 2.3.9.
- QRCode generation optimizations.
- SMS Cost per country is displayed in the license details.
- Added implicit SSL trust with local CA for remote PKI connections.
- Upgraded OpenSSL to version 1.1.1h (including security fixes).
- Cloud license cache does not need a refresh after a WebADM upgrade.
- Use latest ODBC drivers for PostgreSQL, MySQL and MariaDB.
- Fixed client IP address issues with reverse-proxies and IPV6.
- Fixed a missing dependency to libtool in the ODBC libraries.
- Fixed empty WebApps portal (index) page.
2.0.3
- Fixed 'could not get client IP address' issues.
- Fixed log origin mismatch with microservices' errors.
- Upgraded OpenLDAP libraries to version 2.4.52.
- Upgraded embedded Redis server to version 6.0.7.
- Upgraded unixODBC to version 2.3.8.
2.0.2
- Fixed certificate client creation broken (ex. RadiusBridge setup).
- Added support for reverse proxy chaining.
- New version numbering for WebADM and all application: The em-dash is now
used for the release numbering for RPM & DEB packages. Patch level is in
the last version number.
- Fixed issues with mobile endpoint calls from mobiles on IPv6 addresses.
- Several minor bug fixes (2.0.0 = > 2.0.1).
2.0.1
- Replaced Push Servers and License Servers with RCDevs Cloud micro-services.
> RCDevs Cloud micro-services provides access to RCDevs online services
like OpenOTP Push notification in a much more efficient way. Your WebADM
establishes a set of permanent HTTP2-TLS connections with RCDevs services
which work via HTTP proxies, under which service requests are tunneled.
- Added voice biometrics framework.
> You need OpenOTP >= 1.5.0 in order to use voice biometrics authentication.
> You need RCDevs Directory Server >= 1.0.10-3 which includes voice schema.
> If you use Active Directory, please check RCDevs online documentation for
how to add the WebADM Voice attribute to your WebADM AD schema class.
- Added support for PKCS#11 SCHSM USB devices.
> WebADM currently supports Nitrokey and SmartContact HSM devices.
> YubiHSMv2 support will come later this year.
- WebADM v2 requires a license file even in freeware mode. After upgrade,
please get your free license at https://cloud.rcdevs.com/freeware-license/.
> The license is required in order to use RCDevs Cloud services.
> All your WebADM v1 freeware features are maintained.
- Fixed SMTP authentication issues with Office 365 as mail server.
- Allow web services' request settings with multiple values.
- Upgraded OpenSSL to version 1.1.1g (including security fixes).
- Upgraded embedded Apache to version 2.4.46 (including security fixes).
- Upgraded embedded Redis server to version 6.0.6.
- Upgraded OpenLDAP libraries to version 2.4.50.
- The 'bin/pwcrypt' tool for encrypting passwords in WebADM config files is
now available with a Freeware license.
- Local session server connections now use domain socket (optimization).
- Fixed OpenOTP Token unregister not sending the unregistration Push.
- Fixed issues with MountPoints having an empty LDAP base DN.
- Fixed PostgreSQL connection with a CA certificate configured.
- Fixed license expiration issues with trial licenses.
1.7.11
- Fixed an re-encrypt issue breaking the RADIUS reply data.
- Fixed a license counting issue occurring in very specific circumstances.
- Upgraded OpenSSL to version 1.1.1f (including security fixes).
- Upgraded embedded Apache to version 2.4.43 (including security fixes).
- Upgraded Watchd to the latest version (optimizations and stability).
- Fixed a certificate login issue when only one admin certificate is set.
- Fixed push notifications failing when the first push Id is refused.
- Fixed MariaDB Driver issues when a CA certificate is set.
- Fixed SMSHub user/group actions not being listed in the Admin portal.
1.7.10
- Fixed SQLite database setup issues when the sqlite file does not exist.
- With SQLite, the database name in 'servers.xml' is now optional.
- Added a LDAP schema extension template for 389 Directory.
- Fixed the bin/extend command not working with LDAP MountPoints.
- Added a Manager method to sign certificate requests (CSR).
- OCSP now supports certificates issued with trusted CAs (other than WebADM).
> Trusted CA certificates must be added to /opt/webadm/pki/trusted/.
- WAPI method 'get_user_domains' now ignores domains out of the MountPoint.
- Added support for SpanKey SSH access with user certificates (v2.0.7).
- Optimizations in the application setting management (WAPI 61).
- Objects under the 'Config' menu are sorted alphabetically.
- Setup creates SSL the certificate with SubjectAltName set.
- Local SSL certificate is auto-renewed when near expiration.
> New SSL certificates are generated for one year for compliance with Chrome.
- Upgraded OpenLDAP libraries to version 2.4.49.
1.7.9
- Fixed a locking issue with the background script which may occur when the
WebADM license gets updated from the license servers.
- Fixed an LDAP issue with WebApps trying to fetch LDAP groups members.
- Added more debug information for failed ldap queries in log_debug mode.
- Fixed broken iFrame WebApp embedding with the 'inline=1' flag.
- Added support for WAProxy Web service forwarding feature in version 1.1.5-2.
- Upgraded embedded Redis server to version 5.0.7.
- Removed unwanted string-based array indexes in the Manager JSON responses.
> You may need to adapt your client code if you parsed the JSON manually!
- Minor Watchd performance enhancements and stability fixes.
- Fixed broken MFA login in the WebADM Admin Portal with OTP challenge.
- Fixed non-sensitive user data being software-encrypted anyway.
- Manager methods Get_User_Data and Set_User_Data require the Data Admin Role.
- Copyright owner is now RCDevs Security SA Luxembourg.
- Fixed LDAP MountPoint server failover when the first server is down.
- Added a Manager method to retrieve SQL application logs.
- Added a Manager method to enable the client certificate auto-confirm mode.
- Added Docker start mode with '/opt/webadm/bin/webadm start docker'.
1.7.8
- Added options to require LDAP attribute values/patterns in Client Policies.
- Added WAPI function extensions for SpanKey NSS to support cascaded Domains.
- Hide contextual actions for disabled applications.
- TiQR and OpenSSO Web services are removed from the all-in-one package.
> You may still install these extra components separately.
- Admin/Manager client certificates can be exported as bundled PEM or PKCS12.
- Updated the internal Mail/SMTP framework.
- Fixed webapp language translations not working with IE11.
- Debug mode includes SMTP debug information.
- .htaccess file are prevented in Apache configuration.
- Added a re-encrypt action when editing a user (for both data and settings).
- Fixed inventory link update when renaming/moving obects with Manager API.
- Added support for user ActiveDirectory principal names (UPN).
> The 'list_domains' setting must be disabled to use UPNs.
> Warning: With the settings disabled, the text domain input is now removed!
Users must login with domain\username (windows format) to force a domain.
> The 'upn_domain' settings in RadiusBridge and LDAPBridge are now obsolete.
1.7.7
- Added user source (suser) and bridges client IPs (src) to CEF log entries.
- Fixed broken OpenOTP Manager method 'register_inventory'.
- Added a policy option to use non-branded mobile token for specific clients.
- Upgraded embedded Apache to version 2.4.41.
- Upgraded OpenSSL to version 1.1.1d (including security fixes).
- Multiple optimizations to the LDAP/SQL crypto framework.
- Major watchd enhancements (uses socket poll API and handles DNS timeouts).
- Fixed offline cloud license cache expiration.
- Fixed watchd failing to start because redis is not started yet.
- Fixed upgrade not permitted with permanent license before the maintenance
expiration.
- Added the possibility to override any WebApp localized text by creating a
<webapp_dir>/lang/custom.json file. English texts can be overriden too.
- Display ActiveDirectory Lockout-Time warnings and allow user unlocking.
- Added compatibility with RedHat 8 and CentOS 8.
1.7.6
- Added import date to the Inventory database.
> Added optional date options to the Manager 'Inventory_Search' method.
- Upgraded OpenLDAP to version 2.4.28 (stability).
- Added an inter-process communication subsystem for applications.
> This greatly enhances the performances by limiting the number of
session manager calls while waiting for mobile responses.
- Added an 'ip_blacklist' setting to webadm.conf for disabling the automatic
WebApp' IP address blacklisting for 10 seconds after 5 unsuccessful logins.
- Added a credential cache for the Manager API access to improve the Manager
performances under high load.
- Changed to the new 'RCDevs Security' logo under the 'About' page.
- Added latest background job logs the support ticket generation.
- Added more setting supported scopes for application settings.
- Added WebApp WAPI functions for activating/de-activating users.
- Issue SpanKey client certificates even when client certs are not required.
- Enhancements to the setup script.
1.7.5
- Upgraded OpenSSL library to version 1.1.1c (includes TLS1.3 support).
> Set SSL_PROTOCOL="TLSv1.2 +TLSv1.1 +TLSv1" in conf/webadm.env if you
need support for older protocols (TLSv1.1 or SSLv3).
- Upgraded all ODBC Drivers to the latest versions.
- Better support of MariaDB with SSL/TLS encryption.
- Removed support Oracle database.
- Fixed Web service event log 'Enforcing Client...' with wrong log Id.
- Added support for SASL methods with LDAP binds.
- Added support for future licensing options.
- Rsignd PKI requires TLSv1.2 or TLSv1.3.
1.7.4
- Manager methods for reading and writing user attributes can handle
binary attributes with base64 encoding.
- Major optimizations to the WebApp language translation engine.
- AD ObjectGUID and ObjectSID are flagged binary in objects.xml.
- Fixed SudoCommands parse errors with SpanKey server when fetched from
a client policy or application config.
- Fixed license count with metadata licenses (counting activated groups).
- Fixed SQL errors with MSSQL database and metadata licenses.
- Added certificate auto-renewal support for SpanKey client certificates.
- Added HTTPs SSL certificate auto-renew when cert is near expiration.
- Minor enhancements and optimizations to the background script.
- Fixed mobile Push not sent when first multiple Tokens are registered
and the first mobile push fails.
- Added optional WebADM main configurations in the support tickets.
- Added direct access to user Records from the user edit view.
- Fixed cluster nodes not refreshing their config object caches when
another node updates a configuration object.
- Fixed update version validation issues with permanent licenses.
- Added more options for mobile application Branding (OpenOTP Token).
1.7.3
- Fixed license counting issues with per-metadata licenses.
- Fixed push error when push IOS/Android push identifier changed.
- Upgraded OpenSSL to version 1.0.2s (including security fixes).
- Generated QRCodes are now a bit smaller.
- Fixed issues for Android push IDs.
> The RCDevs' team apologies for any inconvenience and issue due to
the move to the Firebase Push notification protocol for Android.
- Added a new complex config type required for SpanKey Sudo.
- Removed MaxRequest configuration in all Web Services.
- Fixed display issues in the edit object page with delegated admins.
- Increased WebADM worker memory limit to 128M.
1.7.2
- Fixed LDAP object search over MountPoints through the Manager API.
- Fixed log file viewer showing a blank log in rare occasions.
- Fixed WebApp's 'Close' buttons sometimes not closing correctly.
- Fixed some OCSP response's serial number getting negative values.
- Unspecified MySQL database version now defaults to the MySQL8 driver.
> Set database type to 'MySQL5' in 'servers.xml' if you previously had
set 'MySQL' and encounter any MySQL connection issue after upgrade!
- Updated MariaDB ODBC driver to the new 3.1 stable branch.
- Added SSL support with the MariaDB ODBC driver.
- The OCSP service is now fault-tolerant (does not rely on rsignd).
> Requires RADIUS Bridge v1.3.8.
- Fixed OCSP cache not re-populated when cleaning the session caches.
- Added SQL logs for incoming OCSP requests (in Web Service log).
- Fixed disconnections with CSRF issues under the RCDevs SAML/OpenID IdP.
- Added support for licenses with product options (ex. OpenOTP Signing).
- Secure Email now uses AES-128 encryption by default.
1.7.1
- Fixed issues with group search base and SpanKey NSS groups.
- Fixed Device container creation with RCDevs Directory server.
- Fixed user certificate creation issues.
- Fixed a minor compatibility issue with LDProxy and LDAP MountPoints.
- Fixed AD group type edition issues.
- Fixed an issue with Rsignd not clearing zombie processes.
- Fixed SpanKey client certificates always expiring after 365 days.
- Enhancements to the Auditd record viewer.
- Added application methods for retrieving user groups (required for
an upcoming RCDevs products).
- Added a Manager method to check if a user is activated.
- Added Client Id to the SQL records (ie. SpanKey clients).
- Added client certificate auto-confirm for batch SpanKey client setups.
- Added the setting 'log_revdns' to reverse-lookup IPs in SQL logs.
- Several performance enhancements to the core frameworks.
- Added WAPI functions for cluster-level application caching.
- Added 'config_container' in 'webadm.conf' to optionally replace and
simplify all the containers' configuration.
- Upgraded embedded Apache to version 2.4.39.
1.7.0
- Added WebADM Devices (access points, badgers and geo tracking devices).
> Please contact RCDevs sales for more information.
- WebADM compiled PHP source code now relies on optimized HHVM bytecode.
> It is more than 10 times faster and requires half the memory.
> A single WebADM instance now handles about 1000 login requests/sec.
- Removed Trust Domain support (deprecated with Web services since a year).
- Fixed issues with server certificate creation during slave WebADM setup.
- Fixed Watchd 'resource temporarily unavailable' under very high load.
- Fixed failed config objects not displayed under the 'Config' menu.
- Fixed OptionSets not enforced when applied to user's login context.
- Upgraded embedded Apache to version 2.4.38.
- Fixed AD user unlock with PwReset.
- Fixed SQL connection warnings.
- Added per-year excluded days in the policy configurations.
- Unique attribute flags in 'objects.xml' is now obsolete.
> All the 'uid_attrs' in webadm.conf are now checked for unicity.
- Removed ExcludedHours, ExcludedAddresses and ExcludedLocations from
the Client Policies (other AllowedXXX are kept).
- GID numbers are now auto-incremented like UID numbers (see objects.xml).
- Fixed application messages not always honoring the user language.
- Added a LDAP prefetch cache to optimize the number of LDAP queries.
> WebADM uses less LDAP queries for finding users and reading their data.
- Log Id remains consistent when a service is called by another service.
- Added direct logfile view from the SQL logs (per user session).
- Fixed issues with userPassword LDAP encoding with SHA1 and SSHA.
- Added a record viewer for Auditd logs produced by upcoming SpanKey.
- New bin/setup script (more similar to the one in the VMWare appliance).
- Upgraded OpenSSL to version 1.0.2r (including security fixes).
- WebADM 32 bit version is discontinued in the 1.7 branch.
1.6.9
- Fixed ActiveDirectory object attribute update failing when objectSID
or objectGUID is displayed.
- Added encryption frameworks for upcoming RCDevs products.
- Fixed an error in the CEF logs where the 'CEF|0' should be 'CEF:0'.
> If you use WebADM with rsyslog and CEF for Splunk for example, please
be check that the correction does not alter your centralized audit!
- Added statistic database cleanup in the WebADM background jobs.
- Added Inventory import from license servers (requires cloud license).
- Removed RCDevs HSM server support (it will be replaced by PKCS#11).
- Watchd master processes (main threads) are not renamed anymore.
- Added manager methods to activate and de-activate users and groups.
- Fixed MountPoints not being displayed with the right vendor icon.
- Fixed dynamic groups' member listing on LDAP mount points.
- Added options to the support ticket generation.
- Upgraded OpenSSL to version 1.0.2q (including security fixes).
- Upgraded embedded Redis server to version 5.0.3.
- Added different expirations for user, client and server certificates.
- Fixed password change from the self-service desk with ActiveDirectory.
- Added WAPI functions for WebApps to be able to use client policies.
> This is required for the upcoming RCDevs OpenID/SAML version 1.3.
- Host count is now removed for services with per-user licensing.
- Removed DES-related ciphers from the embedded Apache TLS configuration.
- Fixed issues MFA login with combined OTP and FIDO2 authentication challenges.
- SSLProtocol and SSLCipherSuite can be reconfigured in conf/webadm.env.
> Apache as well as Rsignd PKI inherits the SSLProtocol and SSLCipherSuite.
- The tools bin/extend, bin/verify and bin/encrypt can work per container.
- Fixed LDAP schema objet class attribute parsing failures on OpenLDAP.
- Major Watchd performance enhancements and code rewrite.
- Added support for LDAP passwords with SHA2 and SHA512.
- Added a manager method to get detailed license information.
- Removed manager method 'Count_Remaining_Users' (use Count_Activated_Users).
- Upgraded embedded PHP runtime to the 7.2 stable branch.
- Added SpanKey client certificate revocation.
> A revocation is done by disabling a client certificate in the certificate
database table.
> Unknown certificates are automatically added to the database as active.
- Enhancements to the licensing subsystem.
1.6.8
- Performance improvements to the config object caching.
> WebADM now supports an unlimited number of domains / client policies.
- Web services (OpenOTP/SpanKey) deny access for disabled client policies.
- Fixed email not sent via manager calls (ex. SelfReg requests).
- Enhancements to the Cloud licensing subsystem.
- Fixed PwReset and SelfReg requests sent by OpenOTP resulting in expired
session ID errors when accessing the WebApps.
- Fixed MFA login in the Admin Portal not displaying the right domain list.
- Fixed graphical issues with the RADIUS Reply attribute editor.
- Fixed OptionSet not working on the tree root with RCDevs Directory.
- Added FIDO2 support for the MFA login in WebADM.
- Upgraded OpenSSL to version 1.0.2p (including security fixes).
- Fixed SQL metadata duplicated after rename / move with SQL data_Store.
- Fixed license error workflows with license servers.
- Fixed user counting issues introduced in in the 1.7 branch.
- Fixed client policy per internal network settings not beeing enforced.
- Display ActiveDirectory object SID and object GUID in the object editor.
- Fixed issues with ActiveDirectory locked accounts due to password policies.
- Fixed OCSP responder issues (now work with RadiusBridge EAP-TLS).
- Upgraded embedded Apache to version 2.4.35 (including security fixes).
- Web browser's page title is the WebApp description in self-services.
- Added a 'Password Must Change' option when reseting passwords with AD.
1.6.7
- Added SMS alerts support in webadm.conf (alert_mobile setting).
> For SMS alerts, a local SMSHub service must be running.
- Added final support for RCDevs Cloud license servers.
- Fixed WebADM license already expired when the license is near expiration.
- Fixed wrong WebApps' URLs when used behind a cascaded HTTP proxy chain.
- Added a user_warning setting ins webadm.conf to enable user notifications
when user certificates and AD domain password are near expiration.
- Added ActiveDirectory account lockout detection.
- Added a 10 seconds SQL statement execution timeout.
- Use OpenSSL FIPS module 2.0 (FIPS 140-2 certification).
> FIPS_mode_set is enabled by default in WebADM 64bit.
- Improved the SpanKey recorded session viewer.
- Added support for session data with dual lookup keys (SpanKey requirement).
- Upgraded embedded Apache to version 2.4.34 (including security fixes).
- Fixed missing Manager SQL logs.
- Better support of RedHat 389 Directory.
- Added object LDAP move operations for Admin and Manager.
- Added the method name field for Manager SQL logs.
- Added an error structure to the manager response.
- Added support for AD nested groups in OpenOTP and SpanKey.
1.6.6
- Added custom CSS option for WebApps.
> CSS may contain image references within the app 'www' directory.
- Fixed an Apache issue causing the server to slow down after some time.
> This issue might end with server becoming unresponsive after a long time.
- Fixed issues in the WebADM license background counting with the counting
system introduced in WebADM v1.6.3. For technical reasons we had to revert
to the previous system counting the WebADM activation class.
> Please contact RCDevs sales for related licensing issues.
> Added new licensing options for service providers (pay as you go).
- WebADM background job sends AD password near expiration warnings via email.
- WebADM background job sends certificate near expiration warnings via email.
- Added a MySQL ODBC driver for MySQL8 (use 'MySQL8' database type).
- Added support for RCDevs LDProxy with LDAP MountPoints.
- Added the possibility to set HTTPS SSL_PROTOCOL in conf/webadm.env.
> The default Apache SSLProtocol is "ALL -SSLv2 -SSLv3".
- Removed Web services' request counting mutex (performance).
- Fixed Minor MountPoint issues with Lotus Domino and Novell eDirectory.
- Improved YubiHSM stability in the event a WebADM worker would crash.
- Fixed SpanKey server host count issues (with WebADM 1.6+).
- Added the config 'log_mixsql' to SQL event logs in the webadm.log file.
- SpanKey NSS requests do not alter hosts count in the SpanKey license.
- Added the possiblity to set a custom NTP server in webadm.conf (ntp_server).
- Fixed a watchd issue in the hosts count for SpanKey2.
- Fixed minor visual issues with the Record database viewer.
- Minor enhancements to the WebADM statistics subsystem.
1.6.5
- Added WebADM server runtime metrics under the Statistics menu:
> This includes the number of requests per seconds, page loads, LDAP/SQL
response times, Mail/SMS counts and more.
> Added statistics WAPI framework for SMS metrics with SMSHub.
- Fixed one Watchd log warning occurring on servers with very low activity.
- Fixed mount point display bug with Lotus Domino LDAP server.
- Minor WAPI group listing function fixes affecting SelfReg group requests.
- Do not log ignored group (out of domain search base) with too many groups.
- Use new MaxMind geolocation database format 'mmsdb' (Geolite2).
- Do not check for new versions for custom applications.
- Watchd service monitoring optimizations.
1.6.4
- Added a Manager method to bulk-import Inventory items (import_inventory_item).
- Fixed Manager method 'search_inventory_items' ignoring the 'type' parameter.
- Fixed a mutex issue in WebADM v1.6.3 producing very slow service requests.
- Fixed application scripts not able to read/write files out of WebADM root dir.
- Added Rsignd support for RadiusBridge SSL certificates for Wifi EAP-TTLS.
- Added support for the new RadiusBridge auto-configuration wizard.
- Improved YubiHSM performances (near-double AES throughput with 2 HSM devices).
- Updated JQuery framework to the latest production version.
- Upgraded OpenSSL to version 1.0.2o (including security fixes).
- Upgraded embedded Apache to version 2.4.33 (including security fixes).
1.6.3
- Big improvements to the RCDevs license framework.
> License checks are performed in a background task (not impacting requests).
> Updated online licenses are now installed automatically in the background.
- Freeware edition uses the WebADM Watchd daemon like in Enterprise edition.
- Remote connector failover improvements (Watchd framework).
- Fixed timezone issues with countries having UTC time difference not being a
multiple of an hour.
- Added support for upcoming RCDevs cloud license servers.
- Added support for MountPoint without an LDAP base.
- Big improvements to the LDAP MountPoint framework.
1.6.2
- Added UTF-8 support to webadm log file.
- Added "TXT" option (ASCII) for QRcode generation via the Manager API.
- Fixed Rsignd creating PID file with wrong process ID number.
- Fixed the close button not working with AJAX alerts in the Admin portal.
- Fixed Inventory import with PostgreSQL database.
- Fixed server hostname validation with FQDN licenses under the license page.
- Fixed 10 secs mobile Push latencies occurring from time to time.
- WebADM server certificate generator allows subjectAltNames.
- Enhancements to the PKI subsystem and client/user certificate generation.
- Added the bin/dbprune script to purge old SQL log events.
> The script is intended to be used via a cron scheduled command.
- Added preliminary Service Provider options (reserved to MSP partners).
- Added support for push requests when the push Id changed for IOS and Android.
1.6.1
- Upgraded OpenSSL to version 1.0.2n (including security fixes).
- Fixed wrong estimated max number of Apache HTTP workers.
- Fixed SQL statement issues with PostgreSQL.
- Fixed SQL connection issues with MariaDB.
- Added file integrity for WebADM and applications check at startup.
- Added CA certificate for RCDevs push and license services.
- Added a manager API to modify inventory status and active state.
- Fixed one LDAP paging issue preventing Oracle DSEE to work correctly.
- Fixed login certificate issues with very long common names.
- Added optimizations to multi-handle cURL HTTP requests.
- Updated PostgreSQL ODBC driver.
1.6.0
- Added support for LDAP groups with broken member references.
- Added the SQL Record table used to store SpanKey session videos.
> WebADM record viewer supports playing terminal session and IO logs.
> This feature is used by the upcoming SpanKey v1.1 (Q1 2018).
- All WebADM SQL database requests now use prepared statements.
- Added support for per-object password policy in OpenLDAP.
> You need to replace conf/objects.xml with conf/objects.xml.default.
- Fixed one SQL warning when deleting users in LDAP.
- Fixed soap requests with X-Forwarded for headers containing ports.
- Removed unix UID and userPassword from user creation forms on AD.
> You need to update conf/objects.xml with conf/objects.xml.default.
- Upgraded embedded PHP runtime to the latest stable branch (7.1.x).
- Fixed the bin/restore script not restoring the encrypt_key correctly.
- Fixed wrong client policies' count displayed on the Admin home page.
- Fixed issues with Google maps in the log viewer.
- Rsignd server only accepts TLSv1.2 connections.
- Use Apache worker with multi-threaded workers for better performances.
- Watchd service enhancements (improved WebADM Enterprise start time).
- Major code rewrite in the SQL framework (performance enhancements)
- Added a Manager method 'Search_Inventory_Items' to query the inventory.
- Added additional fault detections and optimizations for YubiHSMs.
- Added support for OpenOTP/TiQR branded application versions.
- Added support for client policies' restrictions in WebApps.
- Updated OpenSSL to version 1.0.2m (including security fixes).
- Better support of Microsoft Internet Explorer for the Admin Portal.
- Added an optional 'ldap_treebase' configuration in webadm.conf.
- Big performance improvements for both WebADM and applications.
1.5.13
- Fixed SMTP issues with old Exchange server versions.
- Fixed local sendmail command failing with library dependency errors.
- Added support for web service authentication with client certificates.
- Added a 'Client IP' database field for Web service SQL logs.
1.5.12
- Added configuration endpoints for the upcoming RCDevs QuickVPN product.
- Upgraded embedded Apache to version 2.4.27 and PHP to version 7.0.21.
- Upgraded embedded Redis server to version 4.0.x.
- Added a tool to create third-party SSL certificates under the Admin menu.
- Display applications published on WAProxy under the 'Application' menu.
- Fixed one certificate signing issue with Rsignd on Oracle Linux 6.x.
- Fixed Self Service Token registration with QRCode raising a PHP7 error.
- Setting waproxy_pubaddr is now required if waproxy_proxies is configured.
- Updated SSL protocols and cypher suite to the current recommendations.
- Updated OpenSSL libraries to version 1.0.2l (including security fixes).
- Added support for client policies in WebApps (reserved for upcoming CP).
- Several optimizations in the Web services' and WebApps' frameworks.
- Fixed proxy user creation removing Domain Admin members with AD.
- Adjusted maximum WebADM HTTP workers to deal with high-volume Push Logins.
- Fixed denied WAProxy HTTP requests coming from public WAProxy IPs.
1.5.11
- Major memory and performace improvements with the newer PHP engine.
> Upgraded PHP internal runtime to version 7.0.x (stable).
> WebADM version >= 1.5.10-1 is not supported on RHEL5 platforms anymore.
> Replaced the unsupported PHP7 'hidef' extension with RCDevs 'setini' mass
constant definition PHP extension.
- Fixed upgrade failing to adjust PKI certs when upgrading from WebADM v1.3.
- Fixed the 'delete selection' action not working in the SQL log viewer.
- Fixed wrong timezone for some locations (WebADM relies on the system timezone).
- Added the setting 'waproxy_pubaddr' to set the public hostname of the WAProxy.
- Allow hostnames to be used in 'reverse_proxies' and 'waproxy_proxies' settings.
1.5.10
- Added WAPI functions to allow one WebApps to access pages of another WebApp.
> Required by RCDevs' OpenID/SAML Identity Provider v1.2.2.
- Application footer displays "Provided by" with the configured 'org_name'.
- Fixed upgrade of SQL database tables failing with broken SQL query (v1.5.9).
- Fixed user certificate creation being forbidden when no optionset exists.
- Added multilingual support for all RCDevs WebApp releases after March 24 2017.
- Many optimizations and enhancements to the localization subsystem.
- Improved HSM robustness under virtualized environments (ESX).
- Added an HSM health-check tester under the 'Admin' menu / 'HSM Details'.
- Enhanced the session replication checks at startup (only slaves make checks).
- Added HSM key handle 'Check ID' under the 'Hardware Modules Details' page for
checking HSM key handles' consistency across different clusters.
- Added the endpoint functionality with the '/ws/' namespace for WebApps too.
- Added HSM retries for locally-connected USB YubiHSMs when the USB devices fail
to respond in due time.
1.5.9
- Added OTP and U2F login support for the Admin Portal (admin_auth OTP/U2F/MFA).
- Added optional visibility scopes to the Inventory items (OU-restricted items).
- Added Inventory item history (user registration, status change, etc...).
- OptionSet treeview base can now be set out of the admin login subtree.
- The setting auth_mode is replaced by admin_auth (auto-modified by upgrade).
- Added WebADM backup and restore scripts in the /opt/webadm/bin/ directory.
> The scripts can be used for migrating a WebADM installation to a new server.
- Added the manager_auth setting to configure the Manager authentication method.
- Added the manager_clients setting to configure IPs allowed for the Manager API.
- New database drivers for MySQL, PostgreSQL, Microsoft SQL server and Oracle.
- Added support for MariaDB databases with native ODBC driver.
- Added compatibility with RCDevs License Server protocol version 2.
- Fixed LDIF import/export not working with attributes containing newlines.
- Fixed "Add Admin Role" action not filling-in the default AdminRole container.
- Fixed support for configuration passwords containing double-quote characters.
- Fixed WebADM not willing to start when libudev library is not installed.
- Added HTTP workers and shared memory scaling according to license information.
- Added SSL ODBC connection support for MySQL & PostgreSQL databases.
- Added an OCSP Responder (certificate revocation service) to WebADM PKI.
> The OCSP service HTTP-GET endpoint available at https://yourserver/ocsp/.
- Fixed tree base OptionSet permissions not working on RCDevs Directory.
- Fixed a HSM issue where a process gets blocked waiting for the USB response.
- Upgraded OpenSSL to version 1.0.2k (security fixes).
1.5.8
- OpenOTP & TiQR public endpoints are now available under the the WebADM HTTPS
URL and not under the Web service URL anymore. The U2F AppId and Mobile Token
endpoints are https://yourserver/ws/appid/ and https://yourserver/ws/openotp/.
> This change is required for the public endpoints to use custom certificates.
> WAProxy URLs are not impacted but you need WAProxy 1.1.1 with this version.
- Fixed Alert SQL log not listed under the Database menu in all 1.5 versions.
- Upgraded Watchd and YubiHSM libraries to the latest versions.
- Added syslog_format configuration in webadm.conf.
> log_format now applies to log files only.
> If you want CEF log events for syslog, then set syslog_format "CEF".
- Removed log_webapps and log_websrvs settings from webadm.conf.
- Added enhancements to the PKI login feature (certificate login types).
- Added Watchd and HSM library version information in the support tickets.
- Enhanced the license information page when a license server is used.
> The license server pool is displayed with connected clients' IPs.
- Added disable/enable inventory items (disabled items cannot be registered).
- SpanKey freeware (per host product license) is limited to 5 client systems.
1.5.7
- Changed the way WebADM handles its SSL certificates:
> WebADM and Rsignd now share the same SSL certificate files.
> You can use a custom SSL certificate (issued by an external CA) by copying
your custom cert/key files to /opt/webadm/pki/custom.crt and custom.key.
The custom certificate applies to the Admin portal and WebApps only.
WebADM services always use the SSL certificate generated by the internal CA.
> The upgrade procedure handles the necessary certificate changes automatically.
- Added an NTP clock drift check under the Admin menu.
- Fixed some license server issues (stability patches).
- Fixed a minor issue with the password encryption tool (bin/pwcrypt).
- Fixed Trust WebADM domains not working in all WebADM 1.5.x versions.
- Fixed the 'extend' tool when using the '-g' option with thousands of accounts.
- Added an additional WebADM internal security layer with PHP runtime chrooting.
- Upgraded embedded Apache server to version 2.4.25 (security fixes).
- Fixed client certificate login through WAProxy reverse-proxies.
> You need the latest WAProxy v1.1.0 from 12/2016 with this version of WebADM.
- Use igbinary serializer with Redis data storage for better performances.
> The session servers' data format changed so you need to update all clustered
WebADM servers for session replication to work.
1.5.6
- Added support for WebADM license server (licensing option to be available soon).
> Please contact RCDevs sales department for license Enterprise server options.
- Fixed a session server crash issue on 32bit Linux servers.
- Deny Web service requests for Client policies with an invalid configuration.
- Added a client policy setting to restrict the usable UID attributes per client.
- Added password expiration check in the WAPI (used for user self-service desk).
- Added support for ActiveDirectory nested groups (cascaded group membership).
- Added optional Redis authentication (requirepass) for the session services.
- Fixed inaccurate session replication delay under the Cluster admin page.
- Fixed auto-close the left-pane browser after multi-selections.
- Dropped the 12 bytes limitation for encrypted passwords in servers.xml.
- Removed the 'time_zone' configuration in webadm.conf (use system timezone).
- Added an endpoint in '/cacert/' to retrieve the WebADM CA certificate file.
> This is used by the auto-configuration scripts in other RCDevs software.
- Added a setting for configuring the email alert sender address.
1.5.5
- We introduced an issue with the latest watchd from v1.5.4 (released October 10).
> Please update immediately to 1.5.4-2 if you installed 1.5.4!
- Fixed the RADIUS reply attributes' editor failing to add a new row.
- Replaced internal XCache memory caching module with APC Userland (UPCu).
- Added log_debug setting to webadm.conf for debugging LDAP and SQL queries.
- Fixed wrong imported items' count in the Inventory viewer.
- Added Web service's API version checking support.
1.5.4
- Fixed admin certificate generation not working with LDAP DNs longer than 64
characters due to an OpenSSL limitation.
- Improved watchd service reliability by handling more protocol-specific errors.
- Added missing pending status for watchd all internal commands.
- Push service account is not required when WebADM has an Enterprise license file.
- Fixed single object copy displaying an error message in the Admin portal.
- Watchd now uses LDAP requests and not socket polling for checking LDAP servers.
- Upgraded OpenSSL library to version 1.0.2j.
- Boolean application settings always display their default value in the editors.
- User edit page displays a warning when AD password is near expiration.
- Fixed the item status update not working in the Inventory database viewer.
1.5.3
- The internal process execution timeouts are increased to 60 secs in order
to support the OpenOTP Push login method over SOAP requests (released soon).
- The cross-app framework inclusion functions provides version checking.
- Fixed word-wrapping in text settings (ex. OpenID server certificate).
- Fixed wrong config objects' count in the home page when aliases are used.
- Fixed an issue with the watchd daemon failing to read WebADM configurations
when servers.xml contains invisible characters.
- Upgraded Apache to version 2.4.23.
- Improved the performance of LDAP caching with clusters.
1.5.2
- Fixed an issue with data creation when the SQL data store is used.
- Added support for the upcoming OpenOTP with Push login.
- SpanKey server is now included in the all-in-one version.
- Fixed boolean settings configured to 'false' getting lost during app switching
in the client policy configurations.
- Upgraded embedded Redis server to version 3.2.
- Fixed PKI server not willing to start on 32bits versions.
- Fixed an issue where WebADM fails to reconnect the watchd service.
- Fixed an issue generating wrong SSO URLs in the RCDevs' OpenID IdP product.
- Added WAPI methods required for SpanKeys 1.0.1 with NSS provider.
1.5.1
- Fixed an issue where LDAP tree exports return a maximum of 1000 objects.
- Fixed PKI server not willing to start after upgrade with some Linux kernels.
- Added new WAPI extensions for supporting RCDevs SpanKey Server (to be release soon).
- The user transaction lock mechanism (used for Web services) can spool requests for a
few seconds instead of immediately refusing the transactions.
- Fixed admin session idle timeout not being respected.
- Added a search batch action to modify, remove or update application data.
- Increased Watchd host address resolution consistency: Watchd passes only host IPs to
WebADM (in the Enterprise version, WebADM does not need to resolve hostnames anymore).
- Added support for per client hosts licenses (required for RCDevs SpanKey server).
- Added the support for RCDevs Push servers in servers.xml.
- Admin and Service bottom links are hidden when accessing WebApps' portal form WAProxy.
- Upgraded Apache to version 2.4.20 and OpenSSL to version 1.0.2h.
1.5.0
- Completed the facelift for the Admin Portal and all Web applications.
- Added personalization configurations in webadm.conf.
> You may add your company name, logo and website URL to the WebApp's interfaces.
- Added an option to import Yubikey files generated by Yubico Personalization Tool.
- Added more controls for cross-site request forgery protection.
- Fixed connection drops with HSMHub server.
- Fixed users not un-linked from Inventory with OpenOTP.Token_Unregister Manager method.
- Added brute-force attack protection with source IP address blacklisting.
> The protection works for both the Admin Portal and the WebApps.
- Inventory link checks now validate the linked object exists in LDAP.
- Added a data_store settings to webadm.conf allowing to choose between LDAP (default)
and the SQL database for all user data and settings.
- Added more branding capabilities.
1.4.5
- Fixed an issue with WAProxy and WebADM error "Client IP address spoofing detected".
- Enhanced the code used for handling shared memory semaphores.
- Added support for CA Directory LDAP server.
- Added admin levels to WebADM configuration objects.
- Fixed Manager methods from installed applications not working with admin roles when
used with a non-super admin Manager account.
- Removed helper popup windows (replaced by inline pages).
- Added a RADIUS attributes' configuration helper (for OpenOTP v1.2.3).
- Added an application selector menu in the user setting configuration page.
- Added application categories under the 'Applications' menu.
- Added actions to rename configuration objects from the Admin menu.
- Invalid config objects like Domains or Client Policies now appear under the Admin menu.
1.4.4
- Added a 'user_level' setting for configuring the level of user expertise for managing
WebADM configurations and applications' features.
> 3 levels are supported: Beginner, Intermediate and Expert. The default is Expert.
- Extended WAPI with new features required for TiQR Sign with PGP signatures.
> TiQR application is now able to produce X.509 certificates signed by WebADM CA.
- Fixed an unterminated threads issue with Watchd and some MySQL implementations.
- Fixed one re-connection issue with RCDevs HSMHub server.
- Fixed Rsignd not starting when PkiServer ca_file setting is set in servers.xml.
- Changed Rsignd PKI certificate digest algorithm to be SHA256.
- Updated OpenSSL to version 1.0.2e and Apache to version 2.4.18.
1.4.3
- Added new configurations for reverse proxies and publishing proxies (WAProxy).
> If you use WebADM Publishing Proxy, then set the 'waproxy_proxies' setting.
> The 'reverse_proxy' setting is reserved for reverse-proxy which are not WAProxy.
> The 'waproxy_headers' setting is deprecated and replaced by 'waproxy_proxies'.
- Added HSM key handle consistency checks for locally-connected YubiHSM devices.
- Fixed a group search issue over mount points occurring in very rare circumstances.
- Fixed connector status not checked correctly at startup in the non-licensed version.
- Fixed user/group settings edition not working when no WebApp in installed.
- Fixed Manager service URL not working without the trailing slash.
- Fixed Rsignd not listening on the right TCP port when 'port' is set in rsignd.conf.
- Fixed direct group membership references not working cross mount point with AD.
- Fixed Watchd issues with MySQL and MariaDB servers where max_connect_errors had to
be set to the max value in WebDAM 1.4.x.
1.4.2
- Fixed WebADM (32 bit version only) not starting on older RHEL 5.x.
- Fixed HSM key handle consistency checks for all servers in WebADM clusters.
- Added configurations and localizations for application unlocking messages.
> The WebApp access unlock subject and message body can be customized in webadm.conf.
> Multilingual unlock messages can be configured in the localized message editor.
- Added final features and support for RCDevs HSMHub Server.
- Major code rewrites for the HSM cryptographic framework.
- Added RCDevs partner branding capabilities.
- Fixed Manager's LDAP searches failing when returning userCertificate binary data.
- WebADM can optionally authenticate any secure connections in servers.xml.
> The XML attribute 'ca_file' can be added for LDAP, Mail, HSM and Proxy connectors.
- Alerts are displayed in real-time at the bottom of the screen in the Admin sessions.
- The most sensitive user data (ex. Token seeds) cannot be accessed anymore in cleartext
even by super admins. The un-encrypted LDIF export option has been removed too.
- High availability and cluster functionalities now require an Enterprise license.
> All the WebADM features remain enabled in the limit of 40 activated users.
> Please check the WebADM Release Notes for more information.
- Minor bug fixes.
1.4.1
- Added support for RCDevs HSMHub Server (network HSM server with YubiHSM).
- Fixed session server not starting under rare circumstances.
- Fixed WebADM asking for object settings when creating an object form the create menu.
- Added support for systemd startup with RedHat and CentOS 7.
- Empty LDAP tree root (Novell / OpenLDAP) can be selected for domain search bases.
- The LDAP tree object selector only shows selectable items.
- Added several YubiHSM performance patches.
- Fixed MS-SQL Server database not working.
1.4.0
- Clusters now supports an unlimited number of servers with master-slave replication.
> Session server now relies on an embedded Redis v3.0 (replaced Memcached).
> Session data are not dropped anymore after a WebADM server restart.
> Please read the release notes for adjusting your servers.xml configuration file.
- Added a Watchd daemon which permanently monitors the connector statuses and Redis.
> Watchd monitors LDAP, SQL, Session, SMTP, Proxy, PKI services.
> Watchd severs provides real-time connector failover for the whole WebADM cluster.
> Watchd is responsible for managing session server replication and master election.
- Added optional LDAP requests' load-balancing when WebADM is used with many users.
- Changed PHP runtime to version 5.6 (stable).
- Added an AdminRoles configuration objects to define allowed features for other admins.
> By default now, other admins not part of an AdminRole do not have any right.
> other_admin setting in webadm.conf is now obsolete and replaced by AdminRole members.
- OptionSets configurations have bed deeply changed and many features have been moved
the to AdminRole objects. Please check the WebADM Admin documentation for AdminRoles.
- Added a 'temp' directory for PID file and temporary data.
- Optimised LDAP back-end replication delays (now handled by WebADM-watchd).
- httpd.log and soapd.log are replaced by one single log file 'webadm.log'.
- Fixed license server hostname check failing with IPv6 hosts.
- Added support for event logs in CEF format for webadm.log file and syslog audit.
- Force the AD password to be set when creating a new AD user (this is required by AD).
- Added a manager method to send an email with attachments to a recipient address.
- Manager API works in UID mode without providing the domain when default domain is set.
- Fixed geolocation popup windows not hiding on Safari in the log viewer.
- Fixed segmentation faults with PostgreSQL databases.
- Better support of UCS LDAP (configuration templates are available in /docs/Univention).
- Fixed a license import bug displaying "Invalid licence creation date" error.
- Fixed a problem when multiple LDAP naming contexts are defined in OpenLDAP.
- Fixed YubiHSM module not working on RHEL7 and variants.
> The updated YubiHSM module requires libudev to be installed on your system.
- The setting name 'case_sensitive' in webadm.conf has been replace by 'ldap_uidcase'.
- Added an online license check and new update mechanism.
> You need to add the setting "check_licenses Yes' to enable the online license checks.
- Customizable environment variables SESSION_MEMSIZE and SESSION_NOSYNC are renamed to
REDIS_MEMSIZE and REDIS_NOSYNC in conf/webadm.env.
- Customizable environment variables CACHE_THREADS and SESSION_THREAD have been removed.
- Memory optimisations (working processes consume 1/3 less memory than in WebADM 1.3).
- Performance optimisations (WebADM 1.4 is about 2 times faster than WebADM 1.3).
- Fixed inventory import issues with PostgreSQL databases.
- Added support for HSM locking / unlocking mechanisms with YubiHSM devices.
> The bin/yubitool command can be used to unlock HSM devices.
- Windows Server 2003 is not supported anymore by WebADM.
1.3.3
- Added support for Oracle Directory Server (or SUN Directory).
- Enhanced the mount point framework to be less sensitive to errors.
- Added the possibility to update the customer licenses from the Admin Portal.
> The RCDevs software license can be updated via file upload or license copy/paste.
- Fixed missing dependencies with RHEL5 on the new multi-architecture builds.
- Added application actions for LDAP group members (accessible in the group editor).
- Added support for WebADM Reverse Proxy (WAProxy) when a reverse-proxy is configured.
> By default no application nor Web service is accessible via reverse-proxies.
> Proxied applications to be published by setting the 'Proxied' setting.
- Added support for WebADM Domain name aliases (for both LDAP domains and trusts).
- Added support for WebADM Client Policy name aliases.
- Updated mod_ssl cipher suite to the current secure recommendation.
- Disabled SSLv3 to prevent the POODLE vulnerability.
- Fixed log viewer geolocation maps not displayed on Google Chrome browser.
- Fixed rsignd PKI message structure alignment for 64Bits architecture.
- Fixed startup crash with rsignd PKI server occurring very rarely.
- Fixed startup error displaying message 'local server is offline'.
- Enhanced user session encryption (in session server) and cookie management.
- Removed the Web services' setting 'Enable Request Setting' (now enabled by default).
- Added support for Univention Corporate Server LDAP.
1.3.2
- Fixed a compatibility issue with Client Policies and TiQR server v1.1.
- WebApp unlock system can optionally send user email notifications.
- Fixed license alerts displaying incorrect remaining license time.
- WebADM checks the LDAP/SQL/SMTP/PKI user connections at startup.
- Back and Cancel navigation controls in Admin Portal have been enhanced.
- Added a new XML setting scope 'client' for OpenOTP Application Passwords.
- Application-based password changes (ex. PwReset) respect AD password history.
- Added PKI login features in WebApps without always prompting for user certificates.
- Big enhancements to the PKI internal frameworks and certificate revocation system.
> The environment variable USER_CERT in webadm.env is not necessary anymore.
- Fixed a LDAP user read error occurring under very rare conditions.
- Fixed 'close' buttons not always working in WebApps.
- Fixed Self-Services' menu line wrap on mobile devices.
- Fixed an ODBC varchar issue with PostgreSQL (bug introduced since WebADM v1.3.0-3).
- Added a configuration setting 'encrypt_hsm' to enable HSM encryption in webadm.conf.
> By setting 'encrypt_hsm' to No, you can migrate the user data back to software
encryption when hardware encryption was previously used.
- Minor fixes in the cluster communications API for configuration updates.
- Added support for displaying the OpenLDAP 'memberOf' operational attribute.
- The setting 'Check Certificate Revocations' in LDAP OptionSets has been removed.
> The certificate revocation check is now always enabled and cannot be disabled.
1.3.1
- OpenOTP/TiQR Freeware license is extended to 20 users (all features included)!
- Fixed Web Services not accessible over SSL APIs.
- Added compatibility with older user data encoding for upgrades from WebADM v1.1.
> If needed change WA_MISSING_ENCRYPT_TYPE to 1 in /opt/webadm/lib/hidef/encrypt.ini.
- Startup checks validate HSM AES key(s) consistency over a WebADM cluster.
- Session replication is automatically disabled with more that 2 clustered nodes.
- Fixed a bug where user data encrypted with old versions of WebADM cannot be read.
- Added a 'default_domain' setting in webadm.conf when 'auth_mode' is set to UID.
- Fixed user certificate revocation not working on WebApps with PKI login mode.
- Fixed user certificate revocation not working for admin accounts in MountPoints.
- Admin certificate prompt now occurs only when auth_mode is set to PKI.
- User certificate login support for WebApps is now disabled by default.
> You can enable full PKI by setting USER_CERT=Optional in conf/webadm.env.
- Updated OpenSSL library to 1.0.1i with vulnerability fixe CVE-2014-3508.
- Fixed WebADM not working when LDAP server has several naming contexts defined.
- Fixed WebADM Domains not working when containing space characters.
- Added possibility to do a recursive LDIF export from the tree root.
- The 'Infos' main menu item in WebADM Admin Portal is renamed to 'Admin'.
> Added buttons for direct-access to WebADM configuration objects from Admin menu.
- The tree view now displays a maximum of 1500 children per container node.
> This max children value is configurable in webadm.conf by setting treeview_items.
> Over this limit, an inline search input appears for displaying filtered results.
- Optimized YubiHSM encryption by caching opened device handlers (4x faster).
- Added support for per-group forced settings in Client Policy configurations.
- Added auto-adjustment of memory and threads depending on the license user count.
- Fixed database table setup check failing with SQLite databases.
1.3.0
- HSM support with hardware encryption for sensitive data, settings and inventories.
> YubiHSM is currently supported for AES encryption and random number generation.
- Major enhancements to the user data storage encoding.
> Per-data encoding with support for software / hardware AES and cleartext data.
- Improved remote service connections' failover mechanisms.
- Improved Session server communication with compression for large data.
- Added a Manager method to retrieve server status information.
- Added transaction unlock delay to deal with LDAP replication time.
- Fixed broken PDF generation framework.
- Added support for mail with attachments and HTML contents.
- Added treeview node expand limitation to deal with large amounts of child nodes.
- Fixed a login issue where WebADM prompts for admin login twice.
- Fixed a minor issue with message localizations in multilingual WebApps.
- Fixed incompatibility with JSON message files contain UTF8 BOM headers.
- Fixed CSRF session protection not working when WebADM is used behind a port forward.
- Added startup checks for cluster consistency (AES keys, versions, configs, license).
- Added a configuration setting to handle LDAP user IDs in case-sensitive mode.
- Added the possibility to batch de-activate users with the bin/extend tool.
- Fixed WebApp session cookies now working across all cluster nodes.
- Better support for very large scale installations.
- Updated OpenSSL library to 1.0.1h with fixes CVE-2014-0160, CVE-2014-0224.
- Added a listener on port 80 (HTTP) with a redirection to HTTPS.
> The HTTP_PORT variable (if defined in conf/webadm.env) is replaced by HTTP_PORT_SSL.
> The HTTP_PORT_STD variable has been added for the HTTP redirection listener.
- Fixed an issue with some user groups sometimes not being resolved correctly in AD.
- Fixed display issues with failed LDAP MountPoints.
- Fixed an issue with session closed after redirections in the OpenID/SAML WebApp.
- Fixed issues with paged LDAP results on ActiveDirectory 2003.
- Fixed upgrade issues on few distributions which required using the --force parameter.
1.2.7
- Added support for cumulative application setting values (ex. OpenOTP ReplyData).
- Added 'Remove' buttons under the Applications menu to un-configure applications.
- Tabs corresponding to un-configured applications are ignored in self-services.
- Added support for session manager synchronous replication with WebADM Clusters.
> Please read HA documentation for clusters as additional TCP ports must be opened.
- Fixed a minor startup issue with permissions on log files.
- Aligned Rsignd log time format to the other WebADM log files.
- Added support for per-application WebApp session timeouts (used in SAML WebApp).
- Fixed an issue with OpenID/SAML and the CSRF session protection mechanisms.
- Fixed an issue with OpenID/SAML and HTTP URL redirections.
- WebADM supports OpenLDAP dynamic schema extension in 'cn=config'.
- Variable USER_CERT can be define in webadm.env to override Apache SSLVerifyClient.
- Enhancements to the SQL framework and Oracle databases are now fully supported!
> Optionally the servers.xml can contain tnsname="<TNS>" with Oracle databases.
In this case a 'tnsnames.ora' file must exist under conf/ directory.
- Fixed WebApp inline mode dropped after a WebApp HTTP redirect or error/success page.
- Admin, Manager and WebApps session timeouts are configurable independently.
By default the Manager Interface's cookie-based sessions are disabled.
- Bulk user activation script bin/extend supports user selection based on LDAP groups.
- Added support for custom WebApps' stylesheets (none of the WebApp is compatible yet).
- Added support for localized WebApps (none of the WebApp is compatible yet).
- Added support for 'lang=XX' parameter in WebApps and Web Services' URLs to force a
language and bypass user's LDAP language attribute(s).
- WebADM supports to be installed on an ActiveDirectory without the schema extension.
> Please read the updated WebADM Installation Manual for details.
- Better support for older Internet Explorer versions (IE7).
- WebADM uses the PHP 5.5 runtime.
- Added support for HTML emails.
- The WebApp logos are used as favicon under the WebApp URLs.
- Fixed issues with MountPoints and the Manager Interface.
- Added support for LDAP paged results (required with AD with large amount of users).
- Minor HTTP caching performance enhancements.
1.2.6
- Commercial applications (OpenOTP/TiQR) are limited to 35 active users instead of 25!
- License does not block requests immediately when the user limits are reached.
> Running services send email alerts and continue working until next restart.
- Added support for vendor-encrypted inventory files and transparent import decryption.
- Fixed the Manager function Rename_LDAP_Object not working correctly.
- Added an optional Client Policy Friendly Name setting.
- Added password expired detection to the LDAP password checks.
- More debug messages during the LDAP schema setup with Active Directory.
- Added conditional application settings (WAPI 18) Unsupported settings are greyed.
- Fixed unuseful warnings displayed in applications' command-line tools.
- Added --force flag to the upgrader to force an upgrade process having errors.
- Daily license alerts when subscription licenses expire in less than one month.
- Fixed application's admin pages sending mail alerts when logged to the Admin Portal.
- Added the possibility to specify the syslog facility when syslog is enabled.
- Fixed a Mail Server connection issue with SMTP authentication.
- Direct groups (AD groups) located outside LDAP Domain group search base are ignored.
- The OptionSet quota feature now counts only the number of activated accounts.
- Better W3C HTML compliance and browser support.
- Rewritten stylesheets and WebApps' default theme.
- Added detection and support of mobile devices in WebApps.
- Many minor changes to the admin interface.
- Fixed an Admin issue with the creation of users having passwords with ';' character.
- Fixed proxy user and admin groups creation in the graphical setup wizard.
- Added support for passwords with up to 256 characters.
- Added a configuration setting to disable DN and group settings cache when necessary.
- Big memory usage and performance enhancements.
- Fixed a bug with multi-selection application settings.
- Session manager and shared cache memory/threads are configurable in conf/webadm.env.
- Moved from Apache 2.2 back-end to the Apache 2.4 branch.
- WebADM internal constants can be modified and are stored in .ini files in lib/hidef.
- Uniformed the WebApps' authentication framework (SelfDesk uses its own login page).
- WebApp PKI login mode is replaced by the new 'Require User Certificate' setting.
- Any WebApp support PKI login mode with WebADM user certificates.
- New version check tool 'bin/update' is replaced with the 'bin/webadm update' command.
- Fixed several issues when WebADM is accessed from behind a reverse-proxy.
- Added per-method helps to the Manager interface methods under the Infos menu.
- Added support for encrypted CA and Rsignd private keys (with startup password prompt).
- Major coding enhancements to the Web applications and Web services' frameworks.
1.2.5
- Added support for network-based Client policies.
> With Client policies it is now possible to distinguish application settings when the
users are connecting from the trusted internal networks.
- Added time-based access policies to the Domain and Client policies.
- Added a graphical week calendar editor for time-based policies.
- Fixed an issue with SMTP sender address not working properly with OpenOTP.
- Added the 'pwcrypt' tool to encrypt sensitive settings of WebADM configuration files.
> This feature requires a valid (and newer) license file.
- Major performance enhancements to the cryptographic subsystem.
- New default data encryption method and new setting to configure the encryption mode.
> Encrypted data will be automatically updated at runtime.
- Optimized the server IP address checking in the WebADM licensing subsystem.
> If you have a hostname-based license file, please ensure your DNS is resolving your
license hostname correctly.
- Corrected a MountPoint issue introduced in WebADM v1.2.4.
- Fixed a password change issue with Samba accounts.
- Fixed an update issue with groups having more than 500 members.
1.2.4
- Added WebADM Inventory database and WAPI-15 (with Inventory framework).
> Inventory is used by applications like OpenOTP to store large amounts of Tokens.
You so OpenOTP v1.1.1 to use the inventory with Hardware Tokens.
- Added localized messages and inventory items import in the 'Import' menu.
- Enhancements to the log viewer with large databases.
- Added a 'select all' checkbox in log, messages and inventory viewers.
- Optional encrypt_mode level '2' for stronger encryption of LDAP and DB data.
> Be aware that changing the encryption mode will invalidate any password stored in
your application settings (ex. SMSC connection passwords).
You can add "encrypt_mode 2" in webadm.conf to enable level 2 data encryption.
- Better detection of ActiveDirectory 2003 directories.
- Hardened authenticated sessions to with protections against XSS and CSRF attacks.
- Fixed an issue with HTTP output buffering preventing some users to log in WebApps.
- Fixed an issue where WebADM shows primary connectors (LDAP/SQL/Session) as secondary.
- Fixed database verification issues with PostgreSQL.
- Added the /opt/webadm/bin/verify script for batch LDAP object checks.
- HTTP optimizations with stream compression.
- Dropped script timeout limit for long LDIF imports.
- Upgraded to OpenSSL 1.1.0e (security update).
- Added new XML application configuration features (WAPI 14).
- Fixed account de-activation in Active Directory.
- Minor fixes to the user settings' edit pages.
- Minor fixes for scripts in the applications' bin/ folders.
- Added the 'reverse_proxies' configuration in webadm.conf to be used when WebADM Web
Services or WebApps are accessed through a reverse-proxy or load-balancer server.
1.2.3
- Added support for country-based policies in WebADM Domain and Client objects.
You need to update your Web Service applications to use this feature.
- Added geolocations and IP-based filtering in the log viewer.
- Added map view of source IP addresses (per-IP and for the log selection).
- Enhanced the user data encryption system.
> WebADM can supports multiple encryption keys for key rollout. The first key is the
actual key and the other keys (if any) are still supported. WebADM will always
re-encrypt user data on-the-fly with the actual key.
> WebADM now checks if the user data were encrypted with the configured encrypt_key.
It is also able to detect if encrypt_key has changed and cannot decrypt user data.
> The bin/encrypt script can re-encrypt user data in batch with a new encrypt_key.
- Added SQLite database support for SQL-based audit tables and localized messages.
> The WebADM XML specification of an SQLite database (in servers.xml) should contain
the full path of the sqlite .db file in the "database" XML attribute.
- Fixed long timeouts occurring with LDAP server failover mechanism.
- Better logfile logging and log session IDs enhancements.
- Increased performances of Session Manager encryption.
- Added an option to force decryption of user data on the user data editor.
- Added source IP addresses to the SQL logs (Admin, Manag, WebApp, WebSrv).
- Added WAPI functions data encryption and IP address geo localization.
- Fixed issues with XML log statistics' exports.
- Fixed a bug with user data corruption when managed by other admins.
- Added 'smbpasswd' (for Samba passwords) and 'adspasswd' encodings in objects.xml.
> Please copy objects.xml.new to objects.xml to enable Samba password management.
- Fixed some AD password change issues with unicode characters.
- Updated the HTTP, Memcached and PHP components.
- Fixed admin login with certificates and admin DN containing unicode characters.
- Fixed error message 'Could not get WebADM user options' at login.
- Added XML-RPC support for Web services.
- Added basic support for 389 Directory Server.
- Fixed LDAP password not working after import/copy.
- Web Services' WSDL binding address now defaults to the SSL service.
- Web services' URLs not ending with the trailing '/' are now supported.
- Added an action in the user edit view to deactivate an account.
- Added a tool to test alert emails under the 'Infos' menu.
- Application's IP restrictions support IP/netmask format.
- Enhancements to the WebADM PKI server (client hostnames and command-line options).
- Added IPv6 support.
- New RCDevs Logo.
1.2.2
- Fixed a LDAP failover problem with LDAP-TLS connections.
- Enhanced the LDAP user data encryption system.
- Several email addresses can be set for alert_email in webadm.conf.
- Added a helper tool to manage user data encryption (bin/encrypt).
- HTTPd log events are now prefixed with the component name and session ID for Admin
and Manager logs (like for WebApp logs).
- Added optional misc settings to configure the treeview width and the default portal.
- Fixed an issue with unicode characters introduced with WebADM v1.2.1-1 and PHP 5.4.
- Fixed an issue with group settings priority ordering with multiple groups per-user.
- The Manager Interface supports batch JSON-RPC requests.
- Fixed Manager Interface function 'Get_QRCode' not working.
- Added Manager Interface function 'Get_Random_Bytes' to generate pseudo-random bytes.
- Added support for PNG and JPEG formats in the QRCode framework.
- Manager Interface function 'Set_User_Attr' supports ldap_mod_add operations.
- Added Manager Interface function 'Del_User_Attrs' to delete attributes or values.
- Added optional syslog reporting.
> You need to add the configuration directive "log_syslog Yes/No" in webadm.conf.
- Added PDF generation support.
- Added XML export format for SQL logs and localized messages.
- Fixed a log statistics export issue in the log viewer.
- Added resolution of user groups with memberUID attributes on posixGroups.
- Fixed issues with the 'Allowed Applications' in OptionSets.
- Added application configuration details in support tickets.
- Added group_mode 'Disabled' to disable LDAP groups in WebADM and applications.
- Performance improvements.
- Added support for Oracle/Sun Directory.
- WebADM uses the PHP 5.4 runtime.
1.2.1
- Added support for upcoming RCDevs permanent licenses.
- Fixed an issue with mount points having spaces in the Mount DN.
- Fixed Manager Interface responses sometimes returning JSON arrays instead of objects.
- Added an email alert notification when activated user count is near the license limit.
- Fixed a bug causing a failure with OpenOTP HOTP Token resync in some situations.
- Disabled SSLv2 protocol and SSL weak ciphers for PCI compliance.
- Optionset quotas are handled by the Manager Interface.
- Enhanced remote services' connection failover system.
- Much faster QRCode calculations.
- Added LDAP schema extension support for OpenLDAP versions with dynamic configurations
and Apple OpenDirectory.
- Fixed an issue when editing user settings containing double-quote characters.
- Fixed an issue with mails when the sender address is not a fully-formed address.
- Fixed some WebApps buttons not working when the default theme is not used.
1.2.0
- WebADM includes a JSON-RPC Manager API for Admin and Application functions.
The API is accessible through the manag/ URL and requires user authentication.
Please look at the the 1.2 documentation for details on the Manager interface.
- Added a SQL table for the Manager logs.
- All WebApps support the access locking mechanism.
- Session Manager uses a per-stored-object encryption.
- Interface enhancements and bug fixes.
- New WebApp layout and style.
- Fixed several display problems with some browsers.
1.1.5
- Added an optionset option to allow other admins to access user data unencrypted.
- License check will not count users for domains where the application is not allowed.
- Enhanced failure detection of the connected remote services (in servers.xml).
- Removed internal component versions from HTTP headers.
- Corrected a bug in the bin/setup script in slave mode.
- Fixed ODBC database setup issues with newer version of PostgreSQL.
- Added direct log viewer links on the user edit page for WebADM Accounts.
- The WebADM setup creates the admin groups and group presence is checked at login.
- Fixed a database log access issue when an optionset exists and has a Tree Base defined.
- Fixed a copy/import issue for objects with a password with RCDevs Directory Server.
- Enhancements in the PKI authentication subsystem.
- Fixed an issue with PKI login mode when optionset certificate revocations is enabled.
- Added a menu entry to jump between servers when WebADM is installed in cluster mode.
- Licenses emergency extension (for Enterprise licenses excluding trials and temporary).
When a license expires, it will auto-extend for one month and send an alert every day.
If not renewed within the auto-extension period, the license expires completely.
- Optimizations in the cluster node's configuration change notification system.
- Several Admin Portal interface enhancements.
1.1.4
- The 'Extended Logs' application setting is now configured in the webadm.conf file
with the log_webapps and log_websrvs settings.
- The 'Enable Alerts' application setting is removed (SQL Alerts are always enabled).
- An alert cache prevents the same alert email to be sent twice in a 10min interval.
And a maximum of one alert email is sent per minute.
- Included the Suhosin hardened PHP patches from http://www.hardened-php.net/suhosin/.
- Corrected a deadlock problem occurring with some Web services.
- Added a debugging console for licensed versions.
- Improved the license caching system.
- Improved automatic connectors failover for LDAP/SQL/SMTP/PKI/Session servers.
- Added a graphical editor for the Client objects' Priority Application Settings.
- Added a button to activate users with WebADM functionalities.
- Added the Require Client setting for Web services.
- Added default domain support for all WebApps.
1.1.3
- Settings super_admins and other_admins can contain a list of LDAP group of users.
- LDAP MountPoints can be setup with multiple LDAP servers for redundancy.
- SMTP mail server(s) can now be configured in conf/servers.xml.
> When no SMTP server is configured, WebADM uses the local mail transfer agent.
- Fixed a tree browser problem with Internet Explorer.
- Added SSHA encoding support for LDAP passwords.
- SQL Database schema has been removed from the conf directory.
- WebADM displays warnings when licensed products are near expiration.
- Fixed LDAP connections problems with SSL.
- Fixed webadmAccount object class removal not working with Active Directory.
- Added a script (in bin/extend) to extend LDAP users with webadmAccount in batch.
- Added a search result batch action to remove webadmAccount object class from users.
- Fixed a pre-2008 AD Domain detection issue.
- Fixed pre-2008 AD user counting limitations.
- Fixed error messages not correctly displayed on license error.
- Better support for special characters in LDAP objects' DN.
- Fixed a schema extension issue with mounted LDAP.
1.1.2
- Added API functionalities required for the TiQR service.
- Added new admin pages for starting WebApps and Web Services user actions in WebADM.
- Enhanced certificate management for WebApps.
- Fixed an OptionSet problem where SQL restrictions were applied to super admins.
- Fixed a problem preventing LDAP modifications on eDirectory tree roots.
1.1.1
- Fixed an issue with LDAP DN containing special characters.
- Fixed a display bug in the user application settings editor.
- Added Alert SQL log.
> Please update your conf/database.conf file.
- Removed PHP multibyte functions overloading.
> Please update all applications to the latest versions.
- Added support for web services setting scope 'config' required by OpenOTP.
- Added PHP socket support.
- WebApp user sessions are now fully encrypted in the session manager.
- Sensitive configurations are now encrypted in the local shared memory cache.
- Added status of LDAP configurations in the home page.
- Corrected few minor problems of the new 1.1.0 release.
- Added logfile viewer for HTTPd and SOAPd logs (in the Database menu).
- Added WebADM Client objects support for Trust Domains.
- Ordered display WebApps and Web Services.
1.1.0
- Group-based client access control and application policies.
WebADM includes a new config object type (Client) which allows:
> Defining client application access rules based on allowed and excluded group
lists. For example, a VPN client can be restricted to some group of users.
> Defining client policies with Web Services settings which will always be
enforced for the client. For example, you want the VPN to authenticate users
with LDAP+OTP passwords and Token, whatever policy is defined for the user.
- Extended Domain settings with allowed groups and excluded groups capabilities
like for WebADM clients.
- LDAP attribute prefetch mechanism of common attributes for LDAP optimizations.
- User groups and group settings caching for LDAP optimizations.
- Added a group_mode settings in the webadm.conf config file to force using only
direct or indirect LDAP groups.
- PKI server enhancements.
- Many minor enhancements and fixes requested by the users.
1.0.10
- Freeware license is now limited to 25 users instead of 15.
- Added support for RCDevs Directory Server (OpenLDAP-based LDAP server).
- Enhanced server automatic failover system.
- Added setup in slave node mode (for cluster setup).
- Fixed few minor bugs of 1.0.9.
- Fixed session corrupted message appearing when blocking timer is pending.
- Added SSL certificates update scripts in docs/scripts/.
- Minor display enhancements.
- Upgraded to PHP 5.3.5.
- With DN and UID auth_mode, non super-administrators must be registered in the
other_admins in conf/webadm.conf to be able to enter the Admin Portal.
With PKI auth_mode, this setting is ignored as as access is granted based on
the user certificates.
- Fixed default setting value for user/group settings when the application
setting does not have a default value.
- Corrected login pages layout.
- Caching improvements.
- Internal security enhancements.
1.0.9
- HTTPD and SOAPD servers are now running under the same Apache instance.
> Shared cache is now shared between both services.
> Port configuration is customizable in the bin/webadm script.
> No more conf/httpd.conf and conf/soapd.conf required.
- Added LDAP DN cache system.
- Many code improvements.
- Fixed LDAP object caching issues in WebApps.
- Better error handling for WebApps and Web Services.
- Added WebApp API functions required for OpenID.
- Cleaned HTTP and SOAP logs.
- Added GD graphic library support.
- Fixed an OpenLDAP schema file problem.
- Fixed OpenLDAP setup problems.
- Fixed OpenLDAP password encodings.
- Localized message editor enhancements.
- Group settings enhancements.
- User settings default values are now the application values.
- LDAP framework enhancements.
- Fixed a bug with Rsignd when signing certificates.
1.0.8
- WebApp and WebSrv API updated to version 3.
- WebApp direct access URL changed.
> Direct WebApps access is now possible with URL /webapps/mywebapp/
- WebADM base URL redirects to /webapps/ when Admin is disabled.
- Javascript corrections.
- Added new UI framework to support WebApps themes.
> Add 'webapps_theme "default"' to your webadm.conf to activate default theme.
- Extended WebSrvs API with request setting handling functions.
- Mutex enhancements.
- Added WebApp access locking system.
- Rsignd PKI server is now configured in servers.xml.
- Rsignd PKI client is now implemented in a PHP extension.
- Updated all libraries to latest versions.
1.0.7
- Added webadmGroup object class to the LDAP schema for simpler group settings
management.
- Added ActiveDirectory 2003 support (with restrictions).
- Fixed PostgreSQL database initialization problems.
- Fixed WSDL download URL from WebADM Application menu.
- Enhanced setup script.
- Added web services functions required by OpenSSO.
- Added other_admins setting in webadm.conf.
- Added search batch action to add webadmAccount object class to users.
- Fixed webapp header problems.
1.0.6
- Enhanced license caching system.
- Fixed Web services config cache reload when Web service configurations are
modified.
- Added Oracle ODBC driver.
- Fixed minor display problems.
- Fixed a bug in the update checker binary 'bin/update'.
- Session Manager enhancements.
- WebApp sessions now use Session Manager instead of shared memory.
- WebApps work behind load-balancers.
- General code enhancements.
- Admin portal is now located under '/admin' URL.
- Updated memcached version.
- Added Setting to enable mail alerts per applications.
- Fixed mount point problems.
- Added AllowedClients and AllowedAddresses settings for web services.
- Added cache_timeout setting in webadm.conf.
- Remove max cluster requests setting for web services.
1.0.5
- Added Trust Domain support.
- Added Session Manager CRC checks.
- Enhancements in the Web Services requests limit handling.
- Fixed a problem with the Domain group search base setting.
- Added RequiredGroup Domain setting.
- Domains can be hidden from the login portals when using UID login mode.
- Added a setting in webadm.conf to list or not the domains with UID login mode.
- Added support for WebApps with Admin pages.
- Extended WebApp API with SessionManager data storage and message localizations.
- Added RCDevs commercial software license support.
- Added email alerts system.
- Code corrections and optimizations.
1.0.4
- New logo.
- Languages are now configured in conf/webadm.conf.
> Update your webadm.conf file.
- HTTP proxy support (multiple HTTP proxies configurable in conf/servers.xml).
> You can set a HTTP proxy in the servers.xml file.
- Added support and maintenance features for RCDevs customers (members):
> Maintenance Ticket issuing system.
> SSH remote maintenance system.
- Fixed a checkbox problem in the localized messages viewer.
- Fixed a problem with Domain LDAP group search bases.
1.0.3
- Code reorganizations.
- Web services user locks use the distributed session manager.
- Webapps use the user locking system for user data and user settings updates.
- Web services have per-host and per-cluster max concurrent requests settings.
Cluster means all the servers using the same session manager.
- Updated backend component versions.
- Fixed conf/object.xml definitions to allow domain object creation on OpenLDAP.
- Domains can be disabled.
- Domain can be restricted to a list of clients (NAS Identifiers).
- Minor bug fixes.
1.0.2
- WebADM supports application-specific admin pages.
> The admin pages are available when editing a WebADM user account.
- User edit page displays the application names in the WebADM data list.
- Application settings can have a LDAP-only scope that makes them usable
only on LDAP objects.
1.0.1
- Home page displays applications status.
- Minor bug fix in webadmData LDAP updates.
- Added WebApp PKI API for user user certificates management.
- Added automatic user certificate provisioning by email.
- Version checking is configurable in conf/webadm.conf.
- Added timezone configuration in conf/webadm.conf.
1.0.0
First official release.
- Changed the cacert certificate verify internals not to require the CA
root certificates to be provided when only an intermediate CA trust is
required (for all WebADM connectors).
- Upgraded embedded OpenSSL to version 3.2.1 (including security fixes).
- Added a tenant object configuration to adjust the SQL log retention time.
- Added a tenant self-configuration option to customize log retention time.
- Added an 'ignored_proxies' undocumented settting to allow internal Web
access via load-balancers / reverse-proxies.
- Fixed a SQL query memory issue with MariaDB introduced in v2.3.12.
- Fixed WebADM complaining because no_badgein_message and no_badgein_subject
are unrecognized settings.
2.3.13 (February 5 2024)
- Fixed user badging dashboard not displaying remote statistics.
- Fixed issue with badged LDAP groups not being purged correctly.
- Fixed alerts not sent when user did not badged out.
- Upgraded embedded OpenSSL to version 3.1.4 (including security fixes).
- Fixed issues with Novell passwordExpirationTime attribute.
2.3.12 (January 26 2024)
- The 'waproxy_pubaddr' in 'conf/webadm.conf' is renamed 'public_hostname'.
> This setting applies to both 'waproxy_proxies' and 'reverse_proxies'.
> The old setting name remains valid for backward compatibility.
- Fixed a segmentation fault which can occur with watchd deamon at shutdown.
- Fixed client certificates being required with requests comming from local
Radius Bridge on the secondary cluster node.
- Fixed some remaining minor OCSP responder problems.
- Added support for Novell PasswordEpirationTime attribute.
- Fixed manager API 'get_user_settings' returning all application settings
including private settings when requesting an empty array of settings.
- Upgraded embedded OpenSSL to version 3.1.4 (stable 3.1 release).
- Restored broken PKCS#12 certificate export for Apple MacOS/IOS.
- Added support for RCDevs cloud services' protocol update 2024.
- Fixed automatic database schema update with MariaDB.
- Fixed detection of expired user certificates in self-services.
- Fixed badging location reporting issues for remote workers.
- Fixed some right restrictions not being enforced with manager methods
exported by applications like OpenOTP.
2.3.11 (December 13 2023)
- Display a scrollbar when left menus are too long under the admin portal.
- Added support for signature with smartcards and eIds requiring terminal
authentication or other types of authorization.
- Enhanced the badged/office groups' management (use few LDAP operations).
- Log proxy user permission errors when filling LDAP badged groups.
- Fixed minor display issues with MSSP license on master tenant.
- Fixed exceptions with OCSP responder when request is malformed.
- Fixed some user alerts not being sent in time.
- Fixed broken object rename under a tenant.
2.3.10 (November 30 2023)
- Added WAPI functions to live check for weak and leaked passwords.
The feature is inluded in the latest OpenOTP and PwReset applications.
> Common weak password hashes are regularly downloaded locally by WebADM.
> Additionally RCDevs cloud services can check for leaked passwords in
a password reset by using PwnedPassword at https://haveibeenpwned.com/.
> Of course in the later case, passwords are not sent out of WebADM.
The PwnedPassword protocol with sub-hash is being used.
> You can now activate this feature in the RCDevs Password Reset WebApp.
- Added support for tenants when using ActiveDirectory as root LDAP.
2.3.9 (November 17 2023)
- Added a client policy setting allowing login with failed LDAP passwords
when password expired, must be reset or account is locked-out.
- Fixed a cache reload issue which can cause failed requests in very rare
circumstances while updating configuration objects.
- Issued CRLs are now signed with sha256 hash instead of sha1.
- Fixed setup script not setting organization name in the TLS certificate.
- Fixed agreement signature failing with large PDF files.
2.3.8 (November 8 2023)
- Upgraded embedded Apache to version 2.4.58 (including security fixes).
- Upgraded embedded OpenSSL to version 3.0.12 (current long-term release).
- Upgraded MySQL ODBC driver to the latest stable version (8.2).
> Older MySQLv5 driver is no longer supported in WebADM and uses the
default MySQL8 driver now (when 'MySQL' database type is used).
- Added optional management IP restriction for Admin Roles.
- Added an Admin Role setting allowing to role members to use the WebADM
proxy user for LDAP access rights.
- Fixed OptionSet user alerts and badging group purging not handled
by the background tasks when Option Sets are set inside domain trees.
- Fixed setup screen shown in WebADM tenants when forcing index URL.
- Fixed broken 'ldap_routing' setting.
- Fixed WebADM CA service (RSignd) not working correctly in IPv6 mode.
- Complete rewrite of the HSM framework (new HSMs supported).
> Any local PKCS#11 driver is now supported (see webadm.conf.default).
> SafeNet Luna and AWS CloudHSM are now supported.
> HSM with dedicated key handles is supported within tenants.
- Many optimizations and enahcements in the internal encryption framework.
- Fixed user/host count not refreshed when forcing license re-count when
inside a WebADM tenant.
- Added an environment variable in the optional conf/webadm.env to enable
HTTP listening on IPv6 interfaces (ex. INTERFACE6=::).
2.3.7 (October 19 2023)
- Added support for PKI login with client certificates in OpenOTP.
- Client certificate generation supports PKCS#12 export package format.
- Added a home menu with links to the documentations for Cloud tenants.
- Introducing WebADM chatbot assistant for customers with paid support.
> The AI assistant will be regularly improved in the coming months.
- Fixed admin search when selecting the treebase on Active Directory.
- Added tenants' resource allocation status in the license info page.
- Fixed empty client IP with RADIUS requests coming for localhost.
- Fixed OCSP issues when Adobe Reader queries the local CA.
- Fixed required badging not working with group exclusion in a policy.
- Fixed an SQL query issue when pruning expired API keys.
2.3.6 (September 13 2023)
- Added a WAPI framework for SpanKey to send event to syslog.
> Feature included in SpanKey Server v2.1.3.
- Adjusted CEF metadata when syslog_fomat 'CEF' is used.
> WebADM CEF metadata in use are: rt (timestamp), sid (session ID),
src (source IP), and user (domain\userId).
- Added support for CockroachDB via the PostgreSQL ODBC driver.
- Fixed CA and client certificate configs not working with PostgreSQL.
- Upgraded OpenLDAP libraries to version 2.6.6 (bug fixes).
- Upgraded embedded Redis server to version 7.2.1 (bug fixes).
- Fixed inventory import not working from a WebADM Tenant.
- Added support for SAML method in OpenLDAP.
- Allow tenant selection when importing messages or inventories from
the master tenant.
- Upgraded embedded OpenSSL to version 1.1.1w (including security fixes).
- Added a 'help' entry in the top menu (for direct access to RCDevs
online documentations).
2.3.5 (August 25 2023)
- Added an OptionSet setting to set the default LDAP search base under
the Admin portal.
- Do not fail with external CAs defined with multiple CommonNames.
- Fixed OCSP responses not being parsed correctly by clients with
non-WebADM CAs.
- Fixed manager AD sync methods errors with non-tenant licenses.
- Fixed TLS certificate generation timeout stopping after 60 seconds
during Radiusd, LDProxy and WAProxy setups.
- Display license users and hosts count in the Admin portal's home page.
- Multi-Tenant license model is not in preview state anymore.
- Upgraded embedded Redis server to version 7.2.0 (features and fixes).
- Added email notifications when access is denied because the user is not
currently badged-in (requires OptionSet 'Badging' alerts to be enabled).
- Fixed segmentation faults under very high loads.
- Optimized WebADM startup (much faster).
2.3.4 (August 1 2023)
- Added Manager methods for syncing a remote AD/LDAP with a WebADM
hosted tenant. These methods are used by RCDevs AD/LDAP sync scripts.
> Sync_LDAP_Object allows syncing a subset of attributes for an object.
The object is automatically created when not existing (based on the
provided attribute and object class information).
The object is automatically moved if the DN changed since last sync.
> Sync_LDAP_Delete allows removing all orphan DNs from the synced
LDAP container (non-existing objects on the remote LDAP are removed).
- Added an OptionSet setting for mapping LDAP DN during a AD/LDAP sync.
> This is necessary for DN consistency because the local tree structure
(ie. DN suffixes) differs from the remote AD/LDAP tree.
- Fixed SAML metadata & OpenID .well-known URLs with WAProxies.
- Fixed add group member issues using via tree browser in Admin Portal.
- Fixed OpenOTP & SpanKey broken 'bin/report' tools.
- Upgraded embedded Redis server to version 7.0.12 (bug fixes).
- Upgraded OpenLDAP libraries to version 2.6.5 (bug fixes).
- Upgraded embedded OpenSSL to version 1.1.1v (including security fixes).
2.3.3 (July 13 2023)
- Added API key database encryption.
> Secret tokens are now encrypted with AES256 by default.
- Fixed minor issues with the client policies' agreement signing feature.
- Updated the setup script with support for cluster setup with HA PKI.
- Fixed setup issues where slave refuses to setup its SSL certificate
using the master server's PKI service.
- Fixed manager method 'pki_remove_user_certificate' (parameter type).
- Fixed request Id numeric format in responses from the Manager interface
when the numeric Id is a big integer.
- Added compatibility with WebADM HelpDesk (broken since v2.3).
2.3.2 (June 26 2023)
- Fixed group setting error when a group has just been removed and group
cache is still present for a user.
- Fixed a CRL generation issue with revoked certificates generated with
the newer Rsignd 'rnd' serial number format.
- Fixed some Redis connection issues when WebADM is configured as an AD
intermediate CA.
2.3.1 (June 13 2023)
- Enhanced the added user agreement functionality.
> Send QRCode by email in case user did not receive the push request.
> Send the signed contract to the signing user.
- Fixed group creation issues with Active Directory.
2.3.0 (June 9 2023)
- Added multi-tenant licensing support. Please contact RCDevs Sales for
more information about the multi-tenant WebADM or you plan to act as
an IAM service provider for your customers.
> WebADM multi-tenant (ie. Service Provide edition) allows multiple
organizations to co-habit under the same HA cluster, with their own
configurations, applications, domains, policies etc...
> Added service provider branding options for tenants.
- Added support for shared event logs allowing to view log entries from
either server in the cluster in the log viewer.
> The feature works with clustered WebADM only and is enabled with the
'log_shared' configuration in 'webadm.conf'.
- Added support for Web services' API keys. Both client certificates and
API keys can be used now.
- Simplified cache clearing options.
- Many minor enhancements and optimizations.
- Added configurations for SQL log retention time.
- The configuration 'record_path' has been replaced by 'storage_path'.
- Added user consent and agreement signing during login transaction.
> With HTML documents, a user consent is shown for signed confirmation.
> With other documents, the user has to sign the attached document.
> These features are configured via Client Policies and provide eIDAS-
compliant login terms and conditions signature with PaDES (PDF) or
CaDES, during a user authentication workflow with OpenOTP and SpanKey.
2.2.4 (April 29 2023)
- Fixed certificate issues when Rsignd is configured with 'rnd' serial
numbers mode. Issues include OCSP, CRL and certificate auto-renewals.
- Updates JQuery to the latest version (security fixes).
- Added DKIM signing for outgoing emails (see dkim configs in webadm.conf).
- Fixed a library dependency issue with nghttp on some distributions.
2.2.3 (April 20 2023)
- Upgraded embedded Apache to version 2.4.57 (including security fixes).
- The PKI service now supports running on both cluster nodes. You need to
set 'serial_format' to 'rnd' in rsignd.conf for HA PKI services.
Random serials use 128bit random Hex values instead of auto-incremented
decimal values.
- New installation build the PKI with 4096 bits.
- Fixed a dependency issue when WebADM APIs are accessed over HTTP2.
- Generated CRL is now in DER format by default. The query-string format
parameter allows choosing between DER and PEM.
2.2.2 (March 23 2023)
- Upgraded embedded Apache to version 2.4.56 (including security fixes).
- Upgraded embedded Redis server to version 7.0.9 (bug fixes).
- Multiple minor enhancements and bug fixes introduced with version 2.2.
2.2.1 (February 26 2023)
- Upgraded embedded OpenSSL to version 1.1.1t (including security fixes).
- Added clickable usernames for auto-filters in the access badging viewer.
- Minor bug fixes.
2.2.0 (January 20 2023)
- Upgraded embedded PHP runtime to the 8.1 stable branch.
- Upgraded embedded Apache to version 2.4.55 (including security fixes).
Many code rewrites due the PHP API and error handling changes.
- Many design changes (stylesheets, logos, etc..).
> Please clear your browsers' cache after updating in case WebADM
icons or stylesheets would not be displayed correctly.
- New Admin and application icons.
> Tree icons are now based on object classes. You can also safely
remove all 'icon' entries from the 'conf/object.xml' file.
- Added frameworks to support RCDevs physical access control devices.
- Added frameworks to support the new YumiSign Portal WebApp.
- Badged and Office auto-filled LDAP groups support Unix groups too.
- Fixed user language being wrongly set after loging into WebApps.
- The license user count now ignores disabled ActiveDirectory users.
- Added a crash reporting system allowing WebADM to send crash data.
> Data only includes file name, line number and function name.
- Removed FIDO U2F for MFA login (deprecated in flavor of FIDO2).
- Added indexes to all SQL 'date' database fields (during setup).
- Added support services in license details (RCDevs Services' SLA).
2.1.19 (December 22 2022)
- Added an AUTH license option (included in all existing licenses).
> The option now allows RCDevs to distribute license with 'Sign' or
'Badge' options only (ie. without Authentication Services).
> The PSD2 'Confirm' license options is now part of the 'Sign' options.
- Fixed an issue with LDAP paged results introduced in 2.1.18.
- Fixed issues wih password reset in ActiveDirectory.
- Fixed language selection not working for 'English' in WebApps.
- Added support for SelfDesk Web badging.
2.1.18 (December 11 2022)
- Multiple enhancement to the badging subsystem (for OpenOTP v2.1.8).
> Most of the badging features are now configured via OptionSets.
> New badging policies are available via Client Policies.
> For now Mobile Badging is provided for FREE to all existing RCDevs
Customers. Please Ask RCDevs sales to activate the badging feature
in your current OpenOTP license.
> To Activate the badging feature in OpenOTP, enable 'Mobile Badging'
under the OpenOTP application settings. On the mobile phone, start
the OpenOTP Token app, then click/open your Token instance and click
the 'Synchronization'. The 'Badge-In/Badge-Out' button appears now.
- Added a google-map location picker to select office location in the
OptionSets. An automatic address resolver is provided too.
- Moved CHECK badging expiration into OptionSets.
- Added auto-populated groups for badged-in user with OpenSets.
- Added the 'Badging Source IP Match' client policy options.
- Added support for the 'MIXED' badging option in OpenOTP 2.1.7-2.
- Display badged-in status in the user edit under the Admin portal.
- Removed '{crypt}' LDAP password encoding option in 'objects.xml'.
- Fixed issues wih password reset in ActiveDirectory.
- fixed issues with user alerts.
2.1.17 (December 2 2022)
- Multiple enhancements and fixes to the Remote Badging subsystem.
- Added a home section with enabled features and daily statistics.
- Added a section jumper menu in all application settings editors.
- Added more options to the user presence and badging viewer.
- Display google map badging locations in blue in the log viewer.
- Domain alert settings are moved to the OptionSet object.
If you configured user alerts in WebADM domains, please set the same
settings in an OptionSet applying to your domain tree base.
- Fixed client settings' issues with SpanKey using Risk-Based Policy.
2.1.16 (November 23 2022)
- Added support for RCDevs Mobile Token badging with OpenOTP v2.1.6.
> Added a user badging report under the 'Databases' menu.
> Features local/remote user badging and time tracking.
> New OptionSet settings allow to configure remote work accounting
with per-country quotas.
- Added a client policy option to allow access for badged-in users only.
- Fixed CRL not being generated with too many revoked certificates.
- Upgraded embedded OpenSSL to version 1.1.1s (including bug fixes).
- Fixed a minor JS injection issue with CSR token issue and WebApps.
- Fixed MariaDB issues with DNs and accents (introduced in v2.1.13).
2.1.15 (October 7 2022)
- Added dynamic Client Policies' functionalities (Step Up / Step Down).
> Client policies operating mode can be temporarily re-configured in
'Step Up', 'Step Down' or 'Access Deny' enforcement mode.
> A manager function 'Set_Client_Mode' allows controlling the client
policies' enforcement mode programmatically.
- Added a Client Policy setting 'Risk-Based Auto Step Up Mode' to enable
risk-based dynamic enforcement mode with two options:
1) Step-Up-only when the source IP matches a botnet or a VPN endpoint.
2) Deny access for compromised botnet IPs and Step-Up for VPN endpoints.
- Added an event type description to all SQL logs but Alerts.
> After upgrading, you must login as super admin in order to let WebADM
update the 'WebApp' and 'WebSrv' SQL database tables!
- Tagged all log events with the correct log levels for syslog.
- Added log level textual keyword in the CEF log format.
- Updated MariaDB ODBC connector.
- Enhanced Cloud connection reliability in case unusual HTTP2 events.
- GeoIP databases are now auto-updated via RCDevs Cloud services.
- Added more detailed license expiration warnings.
- Fixed SQL certificate duplicate entry errors when using 'Require Client
Certificate' with Web services.
- Fixed a license cache issue with Cloud licenses when expired but still
working in extended/emergency mode.
- Removed deprecated Yubico YubiHSMv1 support. YubiHSMv2 will be supported
in an upcoming version.
2.1.14 (August 24 2022)
- Fixed compatibility issues with WebADM mixed schema setup mode.
- Object Settings/Data read and write operations now only use the first
attribute configured in webadm.conf which is matching the LDAP schema.
- Fixed database setup issues with SQL server and nvarchar lengths.
- Fixed certificate expiration alerts being sent only for the first user
certificate.
- Fixed incorrect displayed value of AD ObjectGUID under the edit.page.
- Fixed MariaDB ODBC driver not supporting unicode characters.
2.1.13 (August 19 2022)
- Voice Biometrics engine to version 2 (requires OpenOTP >= 2.1.3).
> The voice model v2 is not compatible the previously stored user voice
model. A re-registration is required for users with registered voice!
> Voice model storage v2 requires much less data and does not require
LDAP attribute chunking anymore.
- Upgraded embedded Redis server to version 7.0.4 (security fixes).
- Added support for LDAP-based RADIUS reply attribute with filtering.
2.1.12 (July 7 2022)
- Fixed a PostgreSQL ODBC driver dependency issue (file permission).
- Upgraded embedded OpenSSL to version 1.1.1q (including security fixes).
- Fixed incorrect CEF metadata format and added CEF event type.
- Fixed OpenOTP 'bin/report' tool issues when using SQL user data.
- Fixed Admin portal idle session expiration not honoured.
- Use latest ODBC drivers for MySQL and MariaDB.
- Advanced LDAP edit mode displays OpenLDAP internal attributes.
- Added a search option to return OpenLDAP internal attributes.
2.1.11 (June 27 2022)
- Upgraded embedded Apache to version 2.4.54 (including security fixes).
- Added setup options for configuring WebADM as ActiveDirectory sub-CA.
- Fixed LDAPExpireSubject not being translated in the user's language.
2.1.10 (June 1 2022)
- Mobile signature certificates are now added to the certificate SQL
table (under the Databases menu).
- Added support for mobile signature certificates revocation (including
those issued by RCDevs Enterprise Global CA).
- Fixed minor Rsignd issues for CSR decoding.
- Fixed broken WebADM SSL certificate auto-renewal when near expiration.
2.1.9 (May 6 2022)
- Added CRL URI information for client and server certificates.
- Allow revocation status for server certificates in the SQL database.
- Upgraded embedded Redis to version 7.0.0 (bug and security fixes).
- Upgraded embedded OpenSSL to version 1.1.1o (including security fixes).
- OCSP and CRL are available over both HTTP and HTTPs.
> Certificates are created with HTTP URIs.
> You need a WAProxy upgrade to support HTTP URIs if you use WAProxy.
- Server and client certificate table is referenced with serial numbers.
> Table will be auto-updated by WebADM background scripts.
2.1.8 (April 22 2022)
- Updated WebApps frameworks to return password change failed reason
(required by the latest RCDevs' SelfReg WebApp).
- Updated WebApps frameworks to allow more options for user certificate
generation (required by the latest RCDevs' SelfDesk WebApp).
- Fixed broken SQL record pruning under the Admin portal.
- Updated JQuery to version 3.6 (security fixes).
- Fixed CSRF issues with RCDevs' SAML IdP Provider.
- Fixed a setup issue while generating server self-certificate.
2.1.7 (April 14 2022)
- Added TLS Web Server Authentication extended key usage for server
certificates (fixes EAP-TLS issues with Radius Bridge).
- OCSP endpoints are provided via WAProxy public URLs when WAProxy or
a reverse-proxy is configured.
- Added options for S/Mime and Microsoft Smartcard login when creating
user certificates under the Admin portal.
- Allow admin certificates to be used for login, S/Mime, etc...
- Fixed License cache issues.
2.1.6 (April 6 2022)
- Added support for OpenOTP Advanced Signature with RCDevs Global CA.
- Upgraded embedded Apache to version 2.4.53 (including security fixes).
- Upgraded embedded OpenSSL to version 1.1.1n (including bug fixes).
- Added a Manager method to link and unlink inventory item (Tokens).
- Fixed session server connection issues when using an AD sub-CA.
- Fixed user certificate generation without an email address.
- Fixed user certificates not working for EAP-TLS login (Wifi).
> Failing user certificates have to be re-generated.
2.1.5 (February 22 2022)
- TLS encryption is enforced for Session Servers on default port 4000.
Cleartext session server communication on port 4000 is deprecated.
> Please remove the 'encryption="NONE"' from your Session Server's.
> Your can safely enable server secrets over untrusted networks.
> the keyword 'encryption' is not valid anymore for Session Server.
Your 'servers.xml' file is also auto-modified during update.
> Session Server replication over a WebADM cluster now uses TLS.
> IMPORTANT: With this upgrade, you need to update both servers in
a cluster for session master management and replication to work.
2.1.4 (February 15 2022)
- Fixed broken user certificate generation under the Admin portal.
- Fixed eIDAS CA cert import not displayed under the trusted CA list.
2.1.3 (February 7 2022)
- Added AuthorityInfoAccess with OCSP and CA URLs for user certificates.
- Added ExtendedKeyUsage information with E-mail Protection, Client
Authentication and Microsoft Smartcard login with user certificates.
- Fine-tuned Content-Security-Policy, Strict-Transport-Security and
X-Frame-Options HTTPS headers.
- Added a CSRF protection to the Admin portal with per-session subdirs.
- Fixed issues with 'auto' mode for waproxy_proxies and reverse_proxies.
- Fixed an issue with cached user certificates used for PKI login.
2.1.2 (January 24 2022)
- Added an endpoint for retrieving webadm trusted CA bundle.
> Used by latest versions of RCDevs Radiusd and WAProxy.
- Added startup consistency checks for internal the CA certificate.
- The list of trusted CA certificates is available under the Admin menu.
> Trusted CA certificates are now manged graphically at cluster level.
> The 'pki/trusted' folder is converted to the new CA bundle format
during the WebADM upgrade process.
- WebADM session cookies now have the 'SameSite' set to 'Strict'.
- Added an 'auto' mode for waproxy_proxies and reverse_proxies which
automatically detects proxies based on headers (use only with caution).
- Created user certificates are now compatible with AD userPrincipalName.
2.1.1 (December 24 2021)
- Added OptionSet settings (MinUID and MinGID) to configure the minimum
values for auto-incremented UNIX UIDs and GIDs.
- Upgraded embedded Apache to version 2.4.52 (including security fixes).
- Upgraded embedded OpenSSL to version 1.1.1m (including bug fixes).
2.1.0 (December 10 2021)
- Fixed LDIF import/export for ActiveDirectory groups.
- Removed OptionSet setting for using external PKI (Rsignd only now).
- Added import of external certificates on user accounts (ex. eIDAS).
> Certificates issued by trusted external CAs (in pki/trusted/) can
login on all WebApps in PKI mode and via OpenOTP PKILogin method.
- Added OCSP validation for logins with external certificates.
- Major improvements to the LDAP group searches for applications.
- UNIX groups with memberUid now works in all the app frameworks.
- User's gidNumber is handled too for any LDAP group searched.
- Fixed several issues and inconsistencies with LDAP Group Search Base.
- Added support for OCSP and OpenOTP PKI method with user certificates
generated by external CAs.
- Fixed issues connecting to WebADM PKI server when using external CA.
- MemberGUID is now part of the unicity check.
- Many small fixes and Major improvements to the PKI subsystem.
- Added a Manager method for unlocking WebApp access for applications
configured with 'Access Locked' enabled.
- Newly-created Admin certificates can be used for WebApps' login.
- Manager method 'Get_User_ID' is replaced by method 'Get_User_IDs'.
2.0.25 (November 10 2021)
- Upgraded embedded Apache to version 2.4.51 (including security fixes).
- Upgraded embedded Redis server to version 6.2.6 (bug fixes).
- Upgraded OpenLDAP libraries to version 2.6.0 (bug fixes).
- Fixed a problem with expired cache with Cloud licenses.
- Added support for OpenOTP licenses with signing credits.
- Added support for alternative names in the user certificate forms.
- Added support for s/mime usage when creating a user certificate.
- Record SQL alerts for admin sessions with non-super admins.
- User editor displays a warning when an AD user account is locked.
- Fixed per-domain email 'from' not working with background tasks.
- Fixed per-domain certificate and password expired alerts not working.
- Fixed too many delays when Cloud services are not reachable
- Fixed client policies' required groups not working with Posix groups
containing memberUid.
- Better support of schema not extended with mixed AD environments.
- Fixed dependency issues with the MariaDB database driver.
2.0.24 (September 28 2021)
- Upgraded embedded Apache to version 2.4.49 (including security fixes).
- Added support for LDProxy option to return LDAP diagnostic messages.
- New qualified signature services' features required by OpenOTP 2.0.1.
- Added support for XaDES (XML) qualified signature format.
2.0.23 (September 13 2021)
- Email user warnings for certificate or password expirations has to be
configured in the Domain settings.
It is also possible to adjust the warning period and re-send delays.
> The 'user_warning' setting in 'webadm.conf' is now deprecated.
- Final WAPI support for PaDES/CaDES digital signatures (OpenOTP v2.0).
- Fixed a missing libpq dependency with PostgreSQL database under Debian.
- Fixed per-client default domain not working with SpanKey NSS.
- Added preference saving for log viewers, searches, etc...
- Fixed failures with removal of object classes from the admin interface.
- Fixed 'bin/encrypt' and 'bin/verify' batch scripts not working with more
than 1000 users.
- Upgraded OpenSSL to version 1.1.1l (including security fixes).
- Enhanced RCDevs' Cloud microservice protocol to support longer requests
(required by the new OpenOTPv2 PDF signing functionalities).
- Removed Session max memory. Memory usage is now handled dynamically.
> Removed 'REDIS_MEMSIZE' and 'REDIS_NOSYNC' environment variables.
2.0.22 (July 5 2021)
- Added WAPI functions for services to seal and timestamp PDF documents.
- Added support for OpenOTP v2.0 (WAPI 69).
- Minor enhancements to the OCSP service.
- Allow WebApps to create logfile events for every user operation.
> Removed the 'log_mixsql' setting in 'webadm.conf' (now always on).
2.0.21 (June 28 2021)
- Added compatibility with Microsoft AzureAD.
- Added some configuration templates under 'docs/ActiveDirectory' to use
extended AD / OpenLDAP as base directory with mounted unextended AD(s).
- Fixed EUTL verification issues (required by upcoming OpenOTP v2.0).
- Fixed an SQL duplicate key error with WebADM statistics table.
- Fixed %DOMAIN% variable not working in webadm.conf's message templates.
2.0.20 (June 11 2021)
- Upgraded embedded Apache to version 2.4.48 (including security fixes).
- Upgraded OpenLDAP libraries to version 2.5.5 (bug fixes).
- Upgraded embedded Redis server to version 6.2.4 (bug fixes).
- Fixed containers not detected correctly in the treeview when logging-in
inside a mount point.
- Added a Manager method for counting the activated users within a domain.
- Added WAPI function for OpenOTP to validate a signature is EUTL-compliant.
- EUTL trusted CA list is fetched regularly via the background tasks.
- The JSON /status.php API returns connector issues and not HTTP 500 error.
- Freeware options like advanced/qualified signature are valid for 1 month.
2.0.19 (May 12 2021)
- Added user DN and client ID chaining in the log viewer when an application
calls a service application (ex. OpenOTP calls SMSHub). SMSHub logs can
now be filtered for a specific user and OptionSet view restrictions apply.
- Fixed MSSQL issues with SQL data store.
> Please use MariaDB driver with MariaDB and MySQL8 driver with MySQL to
avoid database issues.
> With MariaDB and MSSQL be sure to have the database collation set to UTF8
for all WebADM tables if you encounter strange characters in the SQL logs.
- Disallow the 'bin/pwcrypt' with freeware license.
- Upgraded OpenLDAP libraries to version 2.5.4.
- Upgraded embedded Redis server to version 6.2.3.
- Upgraded GeoIP databases (cities and countries).
- Added HSM configuration tools in '/opt/webadm/doc/scripts/'.
> HSM usage documentations are provided on RCDevs' documentation site.
- Minor HSM management improvements (high availability and failover).
- Added a WAPI method to unlock WebApp with locked access (used by HelpDesk).
- Improved Cloud service APIs used for OpenOTP file signing methods.
- Graphical setup sets the proxy user password only when the proxy account
does not already exists.
2.0.18 (May 3 2021)
- Upgraded all ODBC database drivers with the unicode-enabled versions.
- Fixed reported issues related to the MySQL8 ODBC connections.
- Added an optional 'charset' parameter for SQL servers in servers.xml.
> Set charset="latin1" if you encounter database character issues after an
upgrade to WebADM v2.0.16 or later.
- Domain UPN Suffix can optionally be a list of domain suffixes.
- Added a '/status' page cache to optimize RCDevs microservices requests.
2.0.17 (April 19 2021)
- Added support for per-domain Token Logo, email address, etc... with service
provider licenses.
- Better support of CardContact smartcard-based HSM (performance improvements).
- Auto renew SSL certificate before starting sending warnings.
> Warnings are now sent once per day and not per hour.
- Removed a PCRE2 library requirement with MirKey and eHSMs.
- Expired licenses do not try to contact RCDevs online services anymore.
2.0.16 (April 4 2021)
- Added support for dedicated Push servers (as part of the branding options).
- Minor Watchd connection enhancements.
- Enhanced MirKey support with HSM timeout management.
- Fixed minor javascript issues when un-checking some application settings.
- Fixed all objects displayed as containers when loging in a LDAP MountPoint.
- Fixed a segmentation fault issue when using the MySQL8 SQL database driver.
> MySQL database type now refers the MariaDB ODBC driver.
> If you encounter problems like segfaults, please change SQL database type
to 'MariaDB' in 'conf/servers.xml'.
> If you really need MySQL drivers then set 'MySQL5' or 'MySQL8' database type.
- Upgraded OpenSSL to version 1.1.1k (including security fixes).
- Upgraded OpenLDAP libraries to version 2.4.58.
2.0.15 (March 16 2021)
- Added support for ellipticSecure eHSM and MIRKey.
- Upgraded OpenSSL to version 1.1.1j (including security fixes).
- Upgraded embedded Redis server to version 6.2.1 (newest stable branch).
- Fixed renewed WebADM certificate being renamed 'webadm2.crt'.
- Fixed certificate auto-renewal broken on slave WebADM nodes.
- Updated GeoIP databases (February 2022).
- The 'admin_session' and 'manager_session' settings can now be set in the
form 'shared:60' where the 'shared' stores sessions in the Redis server
instead of SHM memory (useful with load-balancers without sticky sessions).
- Aligned the data/time format in 'webadm.log' and 'sessiond.log' log files.
- Fixed license expiration issues with Perpetual licenses.
- Removed TiQR Web Service application from the all-in-one build.
> Your applications' configurations may be incorrect after upgrade if you
enabled any TiQR setting. In this case, just edit and re-apply the
configurations under the 'Application' menu in WebADM.
- Fixed Cluster menu not displaying (bug introduced in 2.0.15-1).
2.0.14
- Added a role deletion right for issuing client certificates required
during the SpanKey client setup.
- Allow OpenOTP clients (ex. MFAVPN) to reside on the same host as WAProxy.
- Upgraded OpenLDAP libraries to version 2.4.57.
- Added support for RCDevs staging licenses (for microservices beta-testing).
2.0.13
- Fixed issues when SpanKey or other clients sending OpenOTP requests reside
on the same server as a WAProxy.
- More optimizations and stability fixes with reverse-proxies used as WAProxy.
- Minor enhancements to the client policies domain-based restrictions.
- Fixed error on 'websrv_get_proxy_options()' with YubiCloud via a HTTP proxy.
- Added error reasons in Manager JSON-RPC failed responses.
2.0.12
- Upgraded embedded PHP runtime to the 7.2 stable branch.
> This WebADM version requires updated versions for all WebDAM apps.
- Reverse proxies are now usable like WAProxies (support app publishing).
- Remove an unnecessary dependency to libltdl.
- Prevent a Cloud error with 'connection failed while calling xxxx'.
- Fixed detection of ActiveDirectory Forest Level 2019.
- Fixed wrong host IP with RadiusBridge clients causing client policies not
being correctly matched (bug present since WebAD v2.0.0).
- Upgraded embedded Redis server to version 6.0.10.
2.0.10
- Fixed support ticket containing unicode characters.
- Fixed broken manager method 'Update_Inventory_Items'.
- Fixed broken Admin portal login with MFA in Challenge-Response mode.
- Upgraded OpenSSL to version 1.1.1i (including security fixes).
- Updated MariaDB ODBC driver to the latest version.
- Fixed MySQL8 and MySQL5 drivers' issues with UTF-8.
- Updated JQuery to the latest version (including security fixes).
- Added Cloud services' status to the /status.php?json=1 page.
- Prompt for certificate key password when needed at startup.
2.0.9
- Fixed very rare RCDevs' Cloud services reconnection issues.
- Added several Cloud Services' communication optimizations.
- Fixed regex backslashes not possible in the OpenID settings editor.
2.0.8
- Changed the response format of the Manager method 'Server_Status' with more
application and server details.
- Fixed minor issues with PKCS#11 HSMs.
- Added a 'json' parameter to the WebADM HTTP status page to get more details.
When called with https://myserver/status.php?json=1, the result is similar to
the 'Server_Status' Manager method.
- Added a notification subsystem for important software notice to be fed.
- Fixed minor watchd issues with error handling.
- Enabled LibGMP assembly optimizations (for performances).
- Added support ticket direct creation from the WebADM home page.
- Upgraded OpenLDAP libraries to version 2.4.56.
2.0.7
- Added a new cloud service for preparing and sealing signed PDF files.
> This is required by OpenOTP v1.5.1 with 'Prepare Attached Files' option.
- Improved RCDevs' Cloud microservice communications.
- Fixed DNS hostname length limitations in watchd.
- Added HTTP2 flow control mechanisms in watchd.
- Added more company customization options for service providers.
- Fixed a missing libexpat library dependency.
- Added support for Feitian PKCS#11 HSMs (ePass2003).
- Added support for HSM-based Rsignd certificate authority.
- Upgraded OpenLDAP libraries to version 2.4.55.
- Use latest ODBC drivers for MySQL and MariaDB.
2.0.6
- Fixed the issue with message 'untrusted cloud service my_service' causing
Cloud-based licenses to fail after an upgrade.
- Fixed a Cloud access issue with WebADMv1 Enterprise licenses.
2.0.4
- Added Client IP address chaining in SQL logs (ex. OpenOTP calling SMSHub).
- Added a Web service setting to enable service requests via WAProxies.
> This is now a mandatory requirement if you published Web services over
Internet via a WAProxy with the 'PUBLISH_WEBSRVS' setting.
> If not specifically enabled in WebADM, the service requests are refused.
> The setting allows publishing services independently (like for WebApps).
- Better handling / detection of reverse-proxies and WAProxy.
- Added support for HTTP Web proxies with HTTP basic authentication.
- Added a status endpoint for reverse-proxies or monitoring systems which
need to poll a WebADM URL.
> The status URL is https://webadm_server/status.php.
- Fixed Web service requests failing when coming from a server configured
as reverse-proxy/waproxy in webadm.conf.
- Upgraded OpenLDAP libraries to version 2.4.53.
- Upgraded embedded Redis server to version 6.0.8.
- Upgraded unixODBC to version 2.3.9.
- QRCode generation optimizations.
- SMS Cost per country is displayed in the license details.
- Added implicit SSL trust with local CA for remote PKI connections.
- Upgraded OpenSSL to version 1.1.1h (including security fixes).
- Cloud license cache does not need a refresh after a WebADM upgrade.
- Use latest ODBC drivers for PostgreSQL, MySQL and MariaDB.
- Fixed client IP address issues with reverse-proxies and IPV6.
- Fixed a missing dependency to libtool in the ODBC libraries.
- Fixed empty WebApps portal (index) page.
2.0.3
- Fixed 'could not get client IP address' issues.
- Fixed log origin mismatch with microservices' errors.
- Upgraded OpenLDAP libraries to version 2.4.52.
- Upgraded embedded Redis server to version 6.0.7.
- Upgraded unixODBC to version 2.3.8.
2.0.2
- Fixed certificate client creation broken (ex. RadiusBridge setup).
- Added support for reverse proxy chaining.
- New version numbering for WebADM and all application: The em-dash is now
used for the release numbering for RPM & DEB packages. Patch level is in
the last version number.
- Fixed issues with mobile endpoint calls from mobiles on IPv6 addresses.
- Several minor bug fixes (2.0.0 = > 2.0.1).
2.0.1
- Replaced Push Servers and License Servers with RCDevs Cloud micro-services.
> RCDevs Cloud micro-services provides access to RCDevs online services
like OpenOTP Push notification in a much more efficient way. Your WebADM
establishes a set of permanent HTTP2-TLS connections with RCDevs services
which work via HTTP proxies, under which service requests are tunneled.
- Added voice biometrics framework.
> You need OpenOTP >= 1.5.0 in order to use voice biometrics authentication.
> You need RCDevs Directory Server >= 1.0.10-3 which includes voice schema.
> If you use Active Directory, please check RCDevs online documentation for
how to add the WebADM Voice attribute to your WebADM AD schema class.
- Added support for PKCS#11 SCHSM USB devices.
> WebADM currently supports Nitrokey and SmartContact HSM devices.
> YubiHSMv2 support will come later this year.
- WebADM v2 requires a license file even in freeware mode. After upgrade,
please get your free license at https://cloud.rcdevs.com/freeware-license/.
> The license is required in order to use RCDevs Cloud services.
> All your WebADM v1 freeware features are maintained.
- Fixed SMTP authentication issues with Office 365 as mail server.
- Allow web services' request settings with multiple values.
- Upgraded OpenSSL to version 1.1.1g (including security fixes).
- Upgraded embedded Apache to version 2.4.46 (including security fixes).
- Upgraded embedded Redis server to version 6.0.6.
- Upgraded OpenLDAP libraries to version 2.4.50.
- The 'bin/pwcrypt' tool for encrypting passwords in WebADM config files is
now available with a Freeware license.
- Local session server connections now use domain socket (optimization).
- Fixed OpenOTP Token unregister not sending the unregistration Push.
- Fixed issues with MountPoints having an empty LDAP base DN.
- Fixed PostgreSQL connection with a CA certificate configured.
- Fixed license expiration issues with trial licenses.
1.7.11
- Fixed an re-encrypt issue breaking the RADIUS reply data.
- Fixed a license counting issue occurring in very specific circumstances.
- Upgraded OpenSSL to version 1.1.1f (including security fixes).
- Upgraded embedded Apache to version 2.4.43 (including security fixes).
- Upgraded Watchd to the latest version (optimizations and stability).
- Fixed a certificate login issue when only one admin certificate is set.
- Fixed push notifications failing when the first push Id is refused.
- Fixed MariaDB Driver issues when a CA certificate is set.
- Fixed SMSHub user/group actions not being listed in the Admin portal.
1.7.10
- Fixed SQLite database setup issues when the sqlite file does not exist.
- With SQLite, the database name in 'servers.xml' is now optional.
- Added a LDAP schema extension template for 389 Directory.
- Fixed the bin/extend command not working with LDAP MountPoints.
- Added a Manager method to sign certificate requests (CSR).
- OCSP now supports certificates issued with trusted CAs (other than WebADM).
> Trusted CA certificates must be added to /opt/webadm/pki/trusted/.
- WAPI method 'get_user_domains' now ignores domains out of the MountPoint.
- Added support for SpanKey SSH access with user certificates (v2.0.7).
- Optimizations in the application setting management (WAPI 61).
- Objects under the 'Config' menu are sorted alphabetically.
- Setup creates SSL the certificate with SubjectAltName set.
- Local SSL certificate is auto-renewed when near expiration.
> New SSL certificates are generated for one year for compliance with Chrome.
- Upgraded OpenLDAP libraries to version 2.4.49.
1.7.9
- Fixed a locking issue with the background script which may occur when the
WebADM license gets updated from the license servers.
- Fixed an LDAP issue with WebApps trying to fetch LDAP groups members.
- Added more debug information for failed ldap queries in log_debug mode.
- Fixed broken iFrame WebApp embedding with the 'inline=1' flag.
- Added support for WAProxy Web service forwarding feature in version 1.1.5-2.
- Upgraded embedded Redis server to version 5.0.7.
- Removed unwanted string-based array indexes in the Manager JSON responses.
> You may need to adapt your client code if you parsed the JSON manually!
- Minor Watchd performance enhancements and stability fixes.
- Fixed broken MFA login in the WebADM Admin Portal with OTP challenge.
- Fixed non-sensitive user data being software-encrypted anyway.
- Manager methods Get_User_Data and Set_User_Data require the Data Admin Role.
- Copyright owner is now RCDevs Security SA Luxembourg.
- Fixed LDAP MountPoint server failover when the first server is down.
- Added a Manager method to retrieve SQL application logs.
- Added a Manager method to enable the client certificate auto-confirm mode.
- Added Docker start mode with '/opt/webadm/bin/webadm start docker'.
1.7.8
- Added options to require LDAP attribute values/patterns in Client Policies.
- Added WAPI function extensions for SpanKey NSS to support cascaded Domains.
- Hide contextual actions for disabled applications.
- TiQR and OpenSSO Web services are removed from the all-in-one package.
> You may still install these extra components separately.
- Admin/Manager client certificates can be exported as bundled PEM or PKCS12.
- Updated the internal Mail/SMTP framework.
- Fixed webapp language translations not working with IE11.
- Debug mode includes SMTP debug information.
- .htaccess file are prevented in Apache configuration.
- Added a re-encrypt action when editing a user (for both data and settings).
- Fixed inventory link update when renaming/moving obects with Manager API.
- Added support for user ActiveDirectory principal names (UPN).
> The 'list_domains' setting must be disabled to use UPNs.
> Warning: With the settings disabled, the text domain input is now removed!
Users must login with domain\username (windows format) to force a domain.
> The 'upn_domain' settings in RadiusBridge and LDAPBridge are now obsolete.
1.7.7
- Added user source (suser) and bridges client IPs (src) to CEF log entries.
- Fixed broken OpenOTP Manager method 'register_inventory'.
- Added a policy option to use non-branded mobile token for specific clients.
- Upgraded embedded Apache to version 2.4.41.
- Upgraded OpenSSL to version 1.1.1d (including security fixes).
- Multiple optimizations to the LDAP/SQL crypto framework.
- Major watchd enhancements (uses socket poll API and handles DNS timeouts).
- Fixed offline cloud license cache expiration.
- Fixed watchd failing to start because redis is not started yet.
- Fixed upgrade not permitted with permanent license before the maintenance
expiration.
- Added the possibility to override any WebApp localized text by creating a
<webapp_dir>/lang/custom.json file. English texts can be overriden too.
- Display ActiveDirectory Lockout-Time warnings and allow user unlocking.
- Added compatibility with RedHat 8 and CentOS 8.
1.7.6
- Added import date to the Inventory database.
> Added optional date options to the Manager 'Inventory_Search' method.
- Upgraded OpenLDAP to version 2.4.28 (stability).
- Added an inter-process communication subsystem for applications.
> This greatly enhances the performances by limiting the number of
session manager calls while waiting for mobile responses.
- Added an 'ip_blacklist' setting to webadm.conf for disabling the automatic
WebApp' IP address blacklisting for 10 seconds after 5 unsuccessful logins.
- Added a credential cache for the Manager API access to improve the Manager
performances under high load.
- Changed to the new 'RCDevs Security' logo under the 'About' page.
- Added latest background job logs the support ticket generation.
- Added more setting supported scopes for application settings.
- Added WebApp WAPI functions for activating/de-activating users.
- Issue SpanKey client certificates even when client certs are not required.
- Enhancements to the setup script.
1.7.5
- Upgraded OpenSSL library to version 1.1.1c (includes TLS1.3 support).
> Set SSL_PROTOCOL="TLSv1.2 +TLSv1.1 +TLSv1" in conf/webadm.env if you
need support for older protocols (TLSv1.1 or SSLv3).
- Upgraded all ODBC Drivers to the latest versions.
- Better support of MariaDB with SSL/TLS encryption.
- Removed support Oracle database.
- Fixed Web service event log 'Enforcing Client...' with wrong log Id.
- Added support for SASL methods with LDAP binds.
- Added support for future licensing options.
- Rsignd PKI requires TLSv1.2 or TLSv1.3.
1.7.4
- Manager methods for reading and writing user attributes can handle
binary attributes with base64 encoding.
- Major optimizations to the WebApp language translation engine.
- AD ObjectGUID and ObjectSID are flagged binary in objects.xml.
- Fixed SudoCommands parse errors with SpanKey server when fetched from
a client policy or application config.
- Fixed license count with metadata licenses (counting activated groups).
- Fixed SQL errors with MSSQL database and metadata licenses.
- Added certificate auto-renewal support for SpanKey client certificates.
- Added HTTPs SSL certificate auto-renew when cert is near expiration.
- Minor enhancements and optimizations to the background script.
- Fixed mobile Push not sent when first multiple Tokens are registered
and the first mobile push fails.
- Added optional WebADM main configurations in the support tickets.
- Added direct access to user Records from the user edit view.
- Fixed cluster nodes not refreshing their config object caches when
another node updates a configuration object.
- Fixed update version validation issues with permanent licenses.
- Added more options for mobile application Branding (OpenOTP Token).
1.7.3
- Fixed license counting issues with per-metadata licenses.
- Fixed push error when push IOS/Android push identifier changed.
- Upgraded OpenSSL to version 1.0.2s (including security fixes).
- Generated QRCodes are now a bit smaller.
- Fixed issues for Android push IDs.
> The RCDevs' team apologies for any inconvenience and issue due to
the move to the Firebase Push notification protocol for Android.
- Added a new complex config type required for SpanKey Sudo.
- Removed MaxRequest configuration in all Web Services.
- Fixed display issues in the edit object page with delegated admins.
- Increased WebADM worker memory limit to 128M.
1.7.2
- Fixed LDAP object search over MountPoints through the Manager API.
- Fixed log file viewer showing a blank log in rare occasions.
- Fixed WebApp's 'Close' buttons sometimes not closing correctly.
- Fixed some OCSP response's serial number getting negative values.
- Unspecified MySQL database version now defaults to the MySQL8 driver.
> Set database type to 'MySQL5' in 'servers.xml' if you previously had
set 'MySQL' and encounter any MySQL connection issue after upgrade!
- Updated MariaDB ODBC driver to the new 3.1 stable branch.
- Added SSL support with the MariaDB ODBC driver.
- The OCSP service is now fault-tolerant (does not rely on rsignd).
> Requires RADIUS Bridge v1.3.8.
- Fixed OCSP cache not re-populated when cleaning the session caches.
- Added SQL logs for incoming OCSP requests (in Web Service log).
- Fixed disconnections with CSRF issues under the RCDevs SAML/OpenID IdP.
- Added support for licenses with product options (ex. OpenOTP Signing).
- Secure Email now uses AES-128 encryption by default.
1.7.1
- Fixed issues with group search base and SpanKey NSS groups.
- Fixed Device container creation with RCDevs Directory server.
- Fixed user certificate creation issues.
- Fixed a minor compatibility issue with LDProxy and LDAP MountPoints.
- Fixed AD group type edition issues.
- Fixed an issue with Rsignd not clearing zombie processes.
- Fixed SpanKey client certificates always expiring after 365 days.
- Enhancements to the Auditd record viewer.
- Added application methods for retrieving user groups (required for
an upcoming RCDevs products).
- Added a Manager method to check if a user is activated.
- Added Client Id to the SQL records (ie. SpanKey clients).
- Added client certificate auto-confirm for batch SpanKey client setups.
- Added the setting 'log_revdns' to reverse-lookup IPs in SQL logs.
- Several performance enhancements to the core frameworks.
- Added WAPI functions for cluster-level application caching.
- Added 'config_container' in 'webadm.conf' to optionally replace and
simplify all the containers' configuration.
- Upgraded embedded Apache to version 2.4.39.
1.7.0
- Added WebADM Devices (access points, badgers and geo tracking devices).
> Please contact RCDevs sales for more information.
- WebADM compiled PHP source code now relies on optimized HHVM bytecode.
> It is more than 10 times faster and requires half the memory.
> A single WebADM instance now handles about 1000 login requests/sec.
- Removed Trust Domain support (deprecated with Web services since a year).
- Fixed issues with server certificate creation during slave WebADM setup.
- Fixed Watchd 'resource temporarily unavailable' under very high load.
- Fixed failed config objects not displayed under the 'Config' menu.
- Fixed OptionSets not enforced when applied to user's login context.
- Upgraded embedded Apache to version 2.4.38.
- Fixed AD user unlock with PwReset.
- Fixed SQL connection warnings.
- Added per-year excluded days in the policy configurations.
- Unique attribute flags in 'objects.xml' is now obsolete.
> All the 'uid_attrs' in webadm.conf are now checked for unicity.
- Removed ExcludedHours, ExcludedAddresses and ExcludedLocations from
the Client Policies (other AllowedXXX are kept).
- GID numbers are now auto-incremented like UID numbers (see objects.xml).
- Fixed application messages not always honoring the user language.
- Added a LDAP prefetch cache to optimize the number of LDAP queries.
> WebADM uses less LDAP queries for finding users and reading their data.
- Log Id remains consistent when a service is called by another service.
- Added direct logfile view from the SQL logs (per user session).
- Fixed issues with userPassword LDAP encoding with SHA1 and SSHA.
- Added a record viewer for Auditd logs produced by upcoming SpanKey.
- New bin/setup script (more similar to the one in the VMWare appliance).
- Upgraded OpenSSL to version 1.0.2r (including security fixes).
- WebADM 32 bit version is discontinued in the 1.7 branch.
1.6.9
- Fixed ActiveDirectory object attribute update failing when objectSID
or objectGUID is displayed.
- Added encryption frameworks for upcoming RCDevs products.
- Fixed an error in the CEF logs where the 'CEF|0' should be 'CEF:0'.
> If you use WebADM with rsyslog and CEF for Splunk for example, please
be check that the correction does not alter your centralized audit!
- Added statistic database cleanup in the WebADM background jobs.
- Added Inventory import from license servers (requires cloud license).
- Removed RCDevs HSM server support (it will be replaced by PKCS#11).
- Watchd master processes (main threads) are not renamed anymore.
- Added manager methods to activate and de-activate users and groups.
- Fixed MountPoints not being displayed with the right vendor icon.
- Fixed dynamic groups' member listing on LDAP mount points.
- Added options to the support ticket generation.
- Upgraded OpenSSL to version 1.0.2q (including security fixes).
- Upgraded embedded Redis server to version 5.0.3.
- Added different expirations for user, client and server certificates.
- Fixed password change from the self-service desk with ActiveDirectory.
- Added WAPI functions for WebApps to be able to use client policies.
> This is required for the upcoming RCDevs OpenID/SAML version 1.3.
- Host count is now removed for services with per-user licensing.
- Removed DES-related ciphers from the embedded Apache TLS configuration.
- Fixed issues MFA login with combined OTP and FIDO2 authentication challenges.
- SSLProtocol and SSLCipherSuite can be reconfigured in conf/webadm.env.
> Apache as well as Rsignd PKI inherits the SSLProtocol and SSLCipherSuite.
- The tools bin/extend, bin/verify and bin/encrypt can work per container.
- Fixed LDAP schema objet class attribute parsing failures on OpenLDAP.
- Major Watchd performance enhancements and code rewrite.
- Added support for LDAP passwords with SHA2 and SHA512.
- Added a manager method to get detailed license information.
- Removed manager method 'Count_Remaining_Users' (use Count_Activated_Users).
- Upgraded embedded PHP runtime to the 7.2 stable branch.
- Added SpanKey client certificate revocation.
> A revocation is done by disabling a client certificate in the certificate
database table.
> Unknown certificates are automatically added to the database as active.
- Enhancements to the licensing subsystem.
1.6.8
- Performance improvements to the config object caching.
> WebADM now supports an unlimited number of domains / client policies.
- Web services (OpenOTP/SpanKey) deny access for disabled client policies.
- Fixed email not sent via manager calls (ex. SelfReg requests).
- Enhancements to the Cloud licensing subsystem.
- Fixed PwReset and SelfReg requests sent by OpenOTP resulting in expired
session ID errors when accessing the WebApps.
- Fixed MFA login in the Admin Portal not displaying the right domain list.
- Fixed graphical issues with the RADIUS Reply attribute editor.
- Fixed OptionSet not working on the tree root with RCDevs Directory.
- Added FIDO2 support for the MFA login in WebADM.
- Upgraded OpenSSL to version 1.0.2p (including security fixes).
- Fixed SQL metadata duplicated after rename / move with SQL data_Store.
- Fixed license error workflows with license servers.
- Fixed user counting issues introduced in in the 1.7 branch.
- Fixed client policy per internal network settings not beeing enforced.
- Display ActiveDirectory object SID and object GUID in the object editor.
- Fixed issues with ActiveDirectory locked accounts due to password policies.
- Fixed OCSP responder issues (now work with RadiusBridge EAP-TLS).
- Upgraded embedded Apache to version 2.4.35 (including security fixes).
- Web browser's page title is the WebApp description in self-services.
- Added a 'Password Must Change' option when reseting passwords with AD.
1.6.7
- Added SMS alerts support in webadm.conf (alert_mobile setting).
> For SMS alerts, a local SMSHub service must be running.
- Added final support for RCDevs Cloud license servers.
- Fixed WebADM license already expired when the license is near expiration.
- Fixed wrong WebApps' URLs when used behind a cascaded HTTP proxy chain.
- Added a user_warning setting ins webadm.conf to enable user notifications
when user certificates and AD domain password are near expiration.
- Added ActiveDirectory account lockout detection.
- Added a 10 seconds SQL statement execution timeout.
- Use OpenSSL FIPS module 2.0 (FIPS 140-2 certification).
> FIPS_mode_set is enabled by default in WebADM 64bit.
- Improved the SpanKey recorded session viewer.
- Added support for session data with dual lookup keys (SpanKey requirement).
- Upgraded embedded Apache to version 2.4.34 (including security fixes).
- Fixed missing Manager SQL logs.
- Better support of RedHat 389 Directory.
- Added object LDAP move operations for Admin and Manager.
- Added the method name field for Manager SQL logs.
- Added an error structure to the manager response.
- Added support for AD nested groups in OpenOTP and SpanKey.
1.6.6
- Added custom CSS option for WebApps.
> CSS may contain image references within the app 'www' directory.
- Fixed an Apache issue causing the server to slow down after some time.
> This issue might end with server becoming unresponsive after a long time.
- Fixed issues in the WebADM license background counting with the counting
system introduced in WebADM v1.6.3. For technical reasons we had to revert
to the previous system counting the WebADM activation class.
> Please contact RCDevs sales for related licensing issues.
> Added new licensing options for service providers (pay as you go).
- WebADM background job sends AD password near expiration warnings via email.
- WebADM background job sends certificate near expiration warnings via email.
- Added a MySQL ODBC driver for MySQL8 (use 'MySQL8' database type).
- Added support for RCDevs LDProxy with LDAP MountPoints.
- Added the possibility to set HTTPS SSL_PROTOCOL in conf/webadm.env.
> The default Apache SSLProtocol is "ALL -SSLv2 -SSLv3".
- Removed Web services' request counting mutex (performance).
- Fixed Minor MountPoint issues with Lotus Domino and Novell eDirectory.
- Improved YubiHSM stability in the event a WebADM worker would crash.
- Fixed SpanKey server host count issues (with WebADM 1.6+).
- Added the config 'log_mixsql' to SQL event logs in the webadm.log file.
- SpanKey NSS requests do not alter hosts count in the SpanKey license.
- Added the possiblity to set a custom NTP server in webadm.conf (ntp_server).
- Fixed a watchd issue in the hosts count for SpanKey2.
- Fixed minor visual issues with the Record database viewer.
- Minor enhancements to the WebADM statistics subsystem.
1.6.5
- Added WebADM server runtime metrics under the Statistics menu:
> This includes the number of requests per seconds, page loads, LDAP/SQL
response times, Mail/SMS counts and more.
> Added statistics WAPI framework for SMS metrics with SMSHub.
- Fixed one Watchd log warning occurring on servers with very low activity.
- Fixed mount point display bug with Lotus Domino LDAP server.
- Minor WAPI group listing function fixes affecting SelfReg group requests.
- Do not log ignored group (out of domain search base) with too many groups.
- Use new MaxMind geolocation database format 'mmsdb' (Geolite2).
- Do not check for new versions for custom applications.
- Watchd service monitoring optimizations.
1.6.4
- Added a Manager method to bulk-import Inventory items (import_inventory_item).
- Fixed Manager method 'search_inventory_items' ignoring the 'type' parameter.
- Fixed a mutex issue in WebADM v1.6.3 producing very slow service requests.
- Fixed application scripts not able to read/write files out of WebADM root dir.
- Added Rsignd support for RadiusBridge SSL certificates for Wifi EAP-TTLS.
- Added support for the new RadiusBridge auto-configuration wizard.
- Improved YubiHSM performances (near-double AES throughput with 2 HSM devices).
- Updated JQuery framework to the latest production version.
- Upgraded OpenSSL to version 1.0.2o (including security fixes).
- Upgraded embedded Apache to version 2.4.33 (including security fixes).
1.6.3
- Big improvements to the RCDevs license framework.
> License checks are performed in a background task (not impacting requests).
> Updated online licenses are now installed automatically in the background.
- Freeware edition uses the WebADM Watchd daemon like in Enterprise edition.
- Remote connector failover improvements (Watchd framework).
- Fixed timezone issues with countries having UTC time difference not being a
multiple of an hour.
- Added support for upcoming RCDevs cloud license servers.
- Added support for MountPoint without an LDAP base.
- Big improvements to the LDAP MountPoint framework.
1.6.2
- Added UTF-8 support to webadm log file.
- Added "TXT" option (ASCII) for QRcode generation via the Manager API.
- Fixed Rsignd creating PID file with wrong process ID number.
- Fixed the close button not working with AJAX alerts in the Admin portal.
- Fixed Inventory import with PostgreSQL database.
- Fixed server hostname validation with FQDN licenses under the license page.
- Fixed 10 secs mobile Push latencies occurring from time to time.
- WebADM server certificate generator allows subjectAltNames.
- Enhancements to the PKI subsystem and client/user certificate generation.
- Added the bin/dbprune script to purge old SQL log events.
> The script is intended to be used via a cron scheduled command.
- Added preliminary Service Provider options (reserved to MSP partners).
- Added support for push requests when the push Id changed for IOS and Android.
1.6.1
- Upgraded OpenSSL to version 1.0.2n (including security fixes).
- Fixed wrong estimated max number of Apache HTTP workers.
- Fixed SQL statement issues with PostgreSQL.
- Fixed SQL connection issues with MariaDB.
- Added file integrity for WebADM and applications check at startup.
- Added CA certificate for RCDevs push and license services.
- Added a manager API to modify inventory status and active state.
- Fixed one LDAP paging issue preventing Oracle DSEE to work correctly.
- Fixed login certificate issues with very long common names.
- Added optimizations to multi-handle cURL HTTP requests.
- Updated PostgreSQL ODBC driver.
1.6.0
- Added support for LDAP groups with broken member references.
- Added the SQL Record table used to store SpanKey session videos.
> WebADM record viewer supports playing terminal session and IO logs.
> This feature is used by the upcoming SpanKey v1.1 (Q1 2018).
- All WebADM SQL database requests now use prepared statements.
- Added support for per-object password policy in OpenLDAP.
> You need to replace conf/objects.xml with conf/objects.xml.default.
- Fixed one SQL warning when deleting users in LDAP.
- Fixed soap requests with X-Forwarded for headers containing ports.
- Removed unix UID and userPassword from user creation forms on AD.
> You need to update conf/objects.xml with conf/objects.xml.default.
- Upgraded embedded PHP runtime to the latest stable branch (7.1.x).
- Fixed the bin/restore script not restoring the encrypt_key correctly.
- Fixed wrong client policies' count displayed on the Admin home page.
- Fixed issues with Google maps in the log viewer.
- Rsignd server only accepts TLSv1.2 connections.
- Use Apache worker with multi-threaded workers for better performances.
- Watchd service enhancements (improved WebADM Enterprise start time).
- Major code rewrite in the SQL framework (performance enhancements)
- Added a Manager method 'Search_Inventory_Items' to query the inventory.
- Added additional fault detections and optimizations for YubiHSMs.
- Added support for OpenOTP/TiQR branded application versions.
- Added support for client policies' restrictions in WebApps.
- Updated OpenSSL to version 1.0.2m (including security fixes).
- Better support of Microsoft Internet Explorer for the Admin Portal.
- Added an optional 'ldap_treebase' configuration in webadm.conf.
- Big performance improvements for both WebADM and applications.
1.5.13
- Fixed SMTP issues with old Exchange server versions.
- Fixed local sendmail command failing with library dependency errors.
- Added support for web service authentication with client certificates.
- Added a 'Client IP' database field for Web service SQL logs.
1.5.12
- Added configuration endpoints for the upcoming RCDevs QuickVPN product.
- Upgraded embedded Apache to version 2.4.27 and PHP to version 7.0.21.
- Upgraded embedded Redis server to version 4.0.x.
- Added a tool to create third-party SSL certificates under the Admin menu.
- Display applications published on WAProxy under the 'Application' menu.
- Fixed one certificate signing issue with Rsignd on Oracle Linux 6.x.
- Fixed Self Service Token registration with QRCode raising a PHP7 error.
- Setting waproxy_pubaddr is now required if waproxy_proxies is configured.
- Updated SSL protocols and cypher suite to the current recommendations.
- Updated OpenSSL libraries to version 1.0.2l (including security fixes).
- Added support for client policies in WebApps (reserved for upcoming CP).
- Several optimizations in the Web services' and WebApps' frameworks.
- Fixed proxy user creation removing Domain Admin members with AD.
- Adjusted maximum WebADM HTTP workers to deal with high-volume Push Logins.
- Fixed denied WAProxy HTTP requests coming from public WAProxy IPs.
1.5.11
- Major memory and performace improvements with the newer PHP engine.
> Upgraded PHP internal runtime to version 7.0.x (stable).
> WebADM version >= 1.5.10-1 is not supported on RHEL5 platforms anymore.
> Replaced the unsupported PHP7 'hidef' extension with RCDevs 'setini' mass
constant definition PHP extension.
- Fixed upgrade failing to adjust PKI certs when upgrading from WebADM v1.3.
- Fixed the 'delete selection' action not working in the SQL log viewer.
- Fixed wrong timezone for some locations (WebADM relies on the system timezone).
- Added the setting 'waproxy_pubaddr' to set the public hostname of the WAProxy.
- Allow hostnames to be used in 'reverse_proxies' and 'waproxy_proxies' settings.
1.5.10
- Added WAPI functions to allow one WebApps to access pages of another WebApp.
> Required by RCDevs' OpenID/SAML Identity Provider v1.2.2.
- Application footer displays "Provided by" with the configured 'org_name'.
- Fixed upgrade of SQL database tables failing with broken SQL query (v1.5.9).
- Fixed user certificate creation being forbidden when no optionset exists.
- Added multilingual support for all RCDevs WebApp releases after March 24 2017.
- Many optimizations and enhancements to the localization subsystem.
- Improved HSM robustness under virtualized environments (ESX).
- Added an HSM health-check tester under the 'Admin' menu / 'HSM Details'.
- Enhanced the session replication checks at startup (only slaves make checks).
- Added HSM key handle 'Check ID' under the 'Hardware Modules Details' page for
checking HSM key handles' consistency across different clusters.
- Added the endpoint functionality with the '/ws/' namespace for WebApps too.
- Added HSM retries for locally-connected USB YubiHSMs when the USB devices fail
to respond in due time.
1.5.9
- Added OTP and U2F login support for the Admin Portal (admin_auth OTP/U2F/MFA).
- Added optional visibility scopes to the Inventory items (OU-restricted items).
- Added Inventory item history (user registration, status change, etc...).
- OptionSet treeview base can now be set out of the admin login subtree.
- The setting auth_mode is replaced by admin_auth (auto-modified by upgrade).
- Added WebADM backup and restore scripts in the /opt/webadm/bin/ directory.
> The scripts can be used for migrating a WebADM installation to a new server.
- Added the manager_auth setting to configure the Manager authentication method.
- Added the manager_clients setting to configure IPs allowed for the Manager API.
- New database drivers for MySQL, PostgreSQL, Microsoft SQL server and Oracle.
- Added support for MariaDB databases with native ODBC driver.
- Added compatibility with RCDevs License Server protocol version 2.
- Fixed LDIF import/export not working with attributes containing newlines.
- Fixed "Add Admin Role" action not filling-in the default AdminRole container.
- Fixed support for configuration passwords containing double-quote characters.
- Fixed WebADM not willing to start when libudev library is not installed.
- Added HTTP workers and shared memory scaling according to license information.
- Added SSL ODBC connection support for MySQL & PostgreSQL databases.
- Added an OCSP Responder (certificate revocation service) to WebADM PKI.
> The OCSP service HTTP-GET endpoint available at https://yourserver/ocsp/.
- Fixed tree base OptionSet permissions not working on RCDevs Directory.
- Fixed a HSM issue where a process gets blocked waiting for the USB response.
- Upgraded OpenSSL to version 1.0.2k (security fixes).
1.5.8
- OpenOTP & TiQR public endpoints are now available under the the WebADM HTTPS
URL and not under the Web service URL anymore. The U2F AppId and Mobile Token
endpoints are https://yourserver/ws/appid/ and https://yourserver/ws/openotp/.
> This change is required for the public endpoints to use custom certificates.
> WAProxy URLs are not impacted but you need WAProxy 1.1.1 with this version.
- Fixed Alert SQL log not listed under the Database menu in all 1.5 versions.
- Upgraded Watchd and YubiHSM libraries to the latest versions.
- Added syslog_format configuration in webadm.conf.
> log_format now applies to log files only.
> If you want CEF log events for syslog, then set syslog_format "CEF".
- Removed log_webapps and log_websrvs settings from webadm.conf.
- Added enhancements to the PKI login feature (certificate login types).
- Added Watchd and HSM library version information in the support tickets.
- Enhanced the license information page when a license server is used.
> The license server pool is displayed with connected clients' IPs.
- Added disable/enable inventory items (disabled items cannot be registered).
- SpanKey freeware (per host product license) is limited to 5 client systems.
1.5.7
- Changed the way WebADM handles its SSL certificates:
> WebADM and Rsignd now share the same SSL certificate files.
> You can use a custom SSL certificate (issued by an external CA) by copying
your custom cert/key files to /opt/webadm/pki/custom.crt and custom.key.
The custom certificate applies to the Admin portal and WebApps only.
WebADM services always use the SSL certificate generated by the internal CA.
> The upgrade procedure handles the necessary certificate changes automatically.
- Added an NTP clock drift check under the Admin menu.
- Fixed some license server issues (stability patches).
- Fixed a minor issue with the password encryption tool (bin/pwcrypt).
- Fixed Trust WebADM domains not working in all WebADM 1.5.x versions.
- Fixed the 'extend' tool when using the '-g' option with thousands of accounts.
- Added an additional WebADM internal security layer with PHP runtime chrooting.
- Upgraded embedded Apache server to version 2.4.25 (security fixes).
- Fixed client certificate login through WAProxy reverse-proxies.
> You need the latest WAProxy v1.1.0 from 12/2016 with this version of WebADM.
- Use igbinary serializer with Redis data storage for better performances.
> The session servers' data format changed so you need to update all clustered
WebADM servers for session replication to work.
1.5.6
- Added support for WebADM license server (licensing option to be available soon).
> Please contact RCDevs sales department for license Enterprise server options.
- Fixed a session server crash issue on 32bit Linux servers.
- Deny Web service requests for Client policies with an invalid configuration.
- Added a client policy setting to restrict the usable UID attributes per client.
- Added password expiration check in the WAPI (used for user self-service desk).
- Added support for ActiveDirectory nested groups (cascaded group membership).
- Added optional Redis authentication (requirepass) for the session services.
- Fixed inaccurate session replication delay under the Cluster admin page.
- Fixed auto-close the left-pane browser after multi-selections.
- Dropped the 12 bytes limitation for encrypted passwords in servers.xml.
- Removed the 'time_zone' configuration in webadm.conf (use system timezone).
- Added an endpoint in '/cacert/' to retrieve the WebADM CA certificate file.
> This is used by the auto-configuration scripts in other RCDevs software.
- Added a setting for configuring the email alert sender address.
1.5.5
- We introduced an issue with the latest watchd from v1.5.4 (released October 10).
> Please update immediately to 1.5.4-2 if you installed 1.5.4!
- Fixed the RADIUS reply attributes' editor failing to add a new row.
- Replaced internal XCache memory caching module with APC Userland (UPCu).
- Added log_debug setting to webadm.conf for debugging LDAP and SQL queries.
- Fixed wrong imported items' count in the Inventory viewer.
- Added Web service's API version checking support.
1.5.4
- Fixed admin certificate generation not working with LDAP DNs longer than 64
characters due to an OpenSSL limitation.
- Improved watchd service reliability by handling more protocol-specific errors.
- Added missing pending status for watchd all internal commands.
- Push service account is not required when WebADM has an Enterprise license file.
- Fixed single object copy displaying an error message in the Admin portal.
- Watchd now uses LDAP requests and not socket polling for checking LDAP servers.
- Upgraded OpenSSL library to version 1.0.2j.
- Boolean application settings always display their default value in the editors.
- User edit page displays a warning when AD password is near expiration.
- Fixed the item status update not working in the Inventory database viewer.
1.5.3
- The internal process execution timeouts are increased to 60 secs in order
to support the OpenOTP Push login method over SOAP requests (released soon).
- The cross-app framework inclusion functions provides version checking.
- Fixed word-wrapping in text settings (ex. OpenID server certificate).
- Fixed wrong config objects' count in the home page when aliases are used.
- Fixed an issue with the watchd daemon failing to read WebADM configurations
when servers.xml contains invisible characters.
- Upgraded Apache to version 2.4.23.
- Improved the performance of LDAP caching with clusters.
1.5.2
- Fixed an issue with data creation when the SQL data store is used.
- Added support for the upcoming OpenOTP with Push login.
- SpanKey server is now included in the all-in-one version.
- Fixed boolean settings configured to 'false' getting lost during app switching
in the client policy configurations.
- Upgraded embedded Redis server to version 3.2.
- Fixed PKI server not willing to start on 32bits versions.
- Fixed an issue where WebADM fails to reconnect the watchd service.
- Fixed an issue generating wrong SSO URLs in the RCDevs' OpenID IdP product.
- Added WAPI methods required for SpanKeys 1.0.1 with NSS provider.
1.5.1
- Fixed an issue where LDAP tree exports return a maximum of 1000 objects.
- Fixed PKI server not willing to start after upgrade with some Linux kernels.
- Added new WAPI extensions for supporting RCDevs SpanKey Server (to be release soon).
- The user transaction lock mechanism (used for Web services) can spool requests for a
few seconds instead of immediately refusing the transactions.
- Fixed admin session idle timeout not being respected.
- Added a search batch action to modify, remove or update application data.
- Increased Watchd host address resolution consistency: Watchd passes only host IPs to
WebADM (in the Enterprise version, WebADM does not need to resolve hostnames anymore).
- Added support for per client hosts licenses (required for RCDevs SpanKey server).
- Added the support for RCDevs Push servers in servers.xml.
- Admin and Service bottom links are hidden when accessing WebApps' portal form WAProxy.
- Upgraded Apache to version 2.4.20 and OpenSSL to version 1.0.2h.
1.5.0
- Completed the facelift for the Admin Portal and all Web applications.
- Added personalization configurations in webadm.conf.
> You may add your company name, logo and website URL to the WebApp's interfaces.
- Added an option to import Yubikey files generated by Yubico Personalization Tool.
- Added more controls for cross-site request forgery protection.
- Fixed connection drops with HSMHub server.
- Fixed users not un-linked from Inventory with OpenOTP.Token_Unregister Manager method.
- Added brute-force attack protection with source IP address blacklisting.
> The protection works for both the Admin Portal and the WebApps.
- Inventory link checks now validate the linked object exists in LDAP.
- Added a data_store settings to webadm.conf allowing to choose between LDAP (default)
and the SQL database for all user data and settings.
- Added more branding capabilities.
1.4.5
- Fixed an issue with WAProxy and WebADM error "Client IP address spoofing detected".
- Enhanced the code used for handling shared memory semaphores.
- Added support for CA Directory LDAP server.
- Added admin levels to WebADM configuration objects.
- Fixed Manager methods from installed applications not working with admin roles when
used with a non-super admin Manager account.
- Removed helper popup windows (replaced by inline pages).
- Added a RADIUS attributes' configuration helper (for OpenOTP v1.2.3).
- Added an application selector menu in the user setting configuration page.
- Added application categories under the 'Applications' menu.
- Added actions to rename configuration objects from the Admin menu.
- Invalid config objects like Domains or Client Policies now appear under the Admin menu.
1.4.4
- Added a 'user_level' setting for configuring the level of user expertise for managing
WebADM configurations and applications' features.
> 3 levels are supported: Beginner, Intermediate and Expert. The default is Expert.
- Extended WAPI with new features required for TiQR Sign with PGP signatures.
> TiQR application is now able to produce X.509 certificates signed by WebADM CA.
- Fixed an unterminated threads issue with Watchd and some MySQL implementations.
- Fixed one re-connection issue with RCDevs HSMHub server.
- Fixed Rsignd not starting when PkiServer ca_file setting is set in servers.xml.
- Changed Rsignd PKI certificate digest algorithm to be SHA256.
- Updated OpenSSL to version 1.0.2e and Apache to version 2.4.18.
1.4.3
- Added new configurations for reverse proxies and publishing proxies (WAProxy).
> If you use WebADM Publishing Proxy, then set the 'waproxy_proxies' setting.
> The 'reverse_proxy' setting is reserved for reverse-proxy which are not WAProxy.
> The 'waproxy_headers' setting is deprecated and replaced by 'waproxy_proxies'.
- Added HSM key handle consistency checks for locally-connected YubiHSM devices.
- Fixed a group search issue over mount points occurring in very rare circumstances.
- Fixed connector status not checked correctly at startup in the non-licensed version.
- Fixed user/group settings edition not working when no WebApp in installed.
- Fixed Manager service URL not working without the trailing slash.
- Fixed Rsignd not listening on the right TCP port when 'port' is set in rsignd.conf.
- Fixed direct group membership references not working cross mount point with AD.
- Fixed Watchd issues with MySQL and MariaDB servers where max_connect_errors had to
be set to the max value in WebDAM 1.4.x.
1.4.2
- Fixed WebADM (32 bit version only) not starting on older RHEL 5.x.
- Fixed HSM key handle consistency checks for all servers in WebADM clusters.
- Added configurations and localizations for application unlocking messages.
> The WebApp access unlock subject and message body can be customized in webadm.conf.
> Multilingual unlock messages can be configured in the localized message editor.
- Added final features and support for RCDevs HSMHub Server.
- Major code rewrites for the HSM cryptographic framework.
- Added RCDevs partner branding capabilities.
- Fixed Manager's LDAP searches failing when returning userCertificate binary data.
- WebADM can optionally authenticate any secure connections in servers.xml.
> The XML attribute 'ca_file' can be added for LDAP, Mail, HSM and Proxy connectors.
- Alerts are displayed in real-time at the bottom of the screen in the Admin sessions.
- The most sensitive user data (ex. Token seeds) cannot be accessed anymore in cleartext
even by super admins. The un-encrypted LDIF export option has been removed too.
- High availability and cluster functionalities now require an Enterprise license.
> All the WebADM features remain enabled in the limit of 40 activated users.
> Please check the WebADM Release Notes for more information.
- Minor bug fixes.
1.4.1
- Added support for RCDevs HSMHub Server (network HSM server with YubiHSM).
- Fixed session server not starting under rare circumstances.
- Fixed WebADM asking for object settings when creating an object form the create menu.
- Added support for systemd startup with RedHat and CentOS 7.
- Empty LDAP tree root (Novell / OpenLDAP) can be selected for domain search bases.
- The LDAP tree object selector only shows selectable items.
- Added several YubiHSM performance patches.
- Fixed MS-SQL Server database not working.
1.4.0
- Clusters now supports an unlimited number of servers with master-slave replication.
> Session server now relies on an embedded Redis v3.0 (replaced Memcached).
> Session data are not dropped anymore after a WebADM server restart.
> Please read the release notes for adjusting your servers.xml configuration file.
- Added a Watchd daemon which permanently monitors the connector statuses and Redis.
> Watchd monitors LDAP, SQL, Session, SMTP, Proxy, PKI services.
> Watchd severs provides real-time connector failover for the whole WebADM cluster.
> Watchd is responsible for managing session server replication and master election.
- Added optional LDAP requests' load-balancing when WebADM is used with many users.
- Changed PHP runtime to version 5.6 (stable).
- Added an AdminRoles configuration objects to define allowed features for other admins.
> By default now, other admins not part of an AdminRole do not have any right.
> other_admin setting in webadm.conf is now obsolete and replaced by AdminRole members.
- OptionSets configurations have bed deeply changed and many features have been moved
the to AdminRole objects. Please check the WebADM Admin documentation for AdminRoles.
- Added a 'temp' directory for PID file and temporary data.
- Optimised LDAP back-end replication delays (now handled by WebADM-watchd).
- httpd.log and soapd.log are replaced by one single log file 'webadm.log'.
- Fixed license server hostname check failing with IPv6 hosts.
- Added support for event logs in CEF format for webadm.log file and syslog audit.
- Force the AD password to be set when creating a new AD user (this is required by AD).
- Added a manager method to send an email with attachments to a recipient address.
- Manager API works in UID mode without providing the domain when default domain is set.
- Fixed geolocation popup windows not hiding on Safari in the log viewer.
- Fixed segmentation faults with PostgreSQL databases.
- Better support of UCS LDAP (configuration templates are available in /docs/Univention).
- Fixed a license import bug displaying "Invalid licence creation date" error.
- Fixed a problem when multiple LDAP naming contexts are defined in OpenLDAP.
- Fixed YubiHSM module not working on RHEL7 and variants.
> The updated YubiHSM module requires libudev to be installed on your system.
- The setting name 'case_sensitive' in webadm.conf has been replace by 'ldap_uidcase'.
- Added an online license check and new update mechanism.
> You need to add the setting "check_licenses Yes' to enable the online license checks.
- Customizable environment variables SESSION_MEMSIZE and SESSION_NOSYNC are renamed to
REDIS_MEMSIZE and REDIS_NOSYNC in conf/webadm.env.
- Customizable environment variables CACHE_THREADS and SESSION_THREAD have been removed.
- Memory optimisations (working processes consume 1/3 less memory than in WebADM 1.3).
- Performance optimisations (WebADM 1.4 is about 2 times faster than WebADM 1.3).
- Fixed inventory import issues with PostgreSQL databases.
- Added support for HSM locking / unlocking mechanisms with YubiHSM devices.
> The bin/yubitool command can be used to unlock HSM devices.
- Windows Server 2003 is not supported anymore by WebADM.
1.3.3
- Added support for Oracle Directory Server (or SUN Directory).
- Enhanced the mount point framework to be less sensitive to errors.
- Added the possibility to update the customer licenses from the Admin Portal.
> The RCDevs software license can be updated via file upload or license copy/paste.
- Fixed missing dependencies with RHEL5 on the new multi-architecture builds.
- Added application actions for LDAP group members (accessible in the group editor).
- Added support for WebADM Reverse Proxy (WAProxy) when a reverse-proxy is configured.
> By default no application nor Web service is accessible via reverse-proxies.
> Proxied applications to be published by setting the 'Proxied' setting.
- Added support for WebADM Domain name aliases (for both LDAP domains and trusts).
- Added support for WebADM Client Policy name aliases.
- Updated mod_ssl cipher suite to the current secure recommendation.
- Disabled SSLv3 to prevent the POODLE vulnerability.
- Fixed log viewer geolocation maps not displayed on Google Chrome browser.
- Fixed rsignd PKI message structure alignment for 64Bits architecture.
- Fixed startup crash with rsignd PKI server occurring very rarely.
- Fixed startup error displaying message 'local server is offline'.
- Enhanced user session encryption (in session server) and cookie management.
- Removed the Web services' setting 'Enable Request Setting' (now enabled by default).
- Added support for Univention Corporate Server LDAP.
1.3.2
- Fixed a compatibility issue with Client Policies and TiQR server v1.1.
- WebApp unlock system can optionally send user email notifications.
- Fixed license alerts displaying incorrect remaining license time.
- WebADM checks the LDAP/SQL/SMTP/PKI user connections at startup.
- Back and Cancel navigation controls in Admin Portal have been enhanced.
- Added a new XML setting scope 'client' for OpenOTP Application Passwords.
- Application-based password changes (ex. PwReset) respect AD password history.
- Added PKI login features in WebApps without always prompting for user certificates.
- Big enhancements to the PKI internal frameworks and certificate revocation system.
> The environment variable USER_CERT in webadm.env is not necessary anymore.
- Fixed a LDAP user read error occurring under very rare conditions.
- Fixed 'close' buttons not always working in WebApps.
- Fixed Self-Services' menu line wrap on mobile devices.
- Fixed an ODBC varchar issue with PostgreSQL (bug introduced since WebADM v1.3.0-3).
- Added a configuration setting 'encrypt_hsm' to enable HSM encryption in webadm.conf.
> By setting 'encrypt_hsm' to No, you can migrate the user data back to software
encryption when hardware encryption was previously used.
- Minor fixes in the cluster communications API for configuration updates.
- Added support for displaying the OpenLDAP 'memberOf' operational attribute.
- The setting 'Check Certificate Revocations' in LDAP OptionSets has been removed.
> The certificate revocation check is now always enabled and cannot be disabled.
1.3.1
- OpenOTP/TiQR Freeware license is extended to 20 users (all features included)!
- Fixed Web Services not accessible over SSL APIs.
- Added compatibility with older user data encoding for upgrades from WebADM v1.1.
> If needed change WA_MISSING_ENCRYPT_TYPE to 1 in /opt/webadm/lib/hidef/encrypt.ini.
- Startup checks validate HSM AES key(s) consistency over a WebADM cluster.
- Session replication is automatically disabled with more that 2 clustered nodes.
- Fixed a bug where user data encrypted with old versions of WebADM cannot be read.
- Added a 'default_domain' setting in webadm.conf when 'auth_mode' is set to UID.
- Fixed user certificate revocation not working on WebApps with PKI login mode.
- Fixed user certificate revocation not working for admin accounts in MountPoints.
- Admin certificate prompt now occurs only when auth_mode is set to PKI.
- User certificate login support for WebApps is now disabled by default.
> You can enable full PKI by setting USER_CERT=Optional in conf/webadm.env.
- Updated OpenSSL library to 1.0.1i with vulnerability fixe CVE-2014-3508.
- Fixed WebADM not working when LDAP server has several naming contexts defined.
- Fixed WebADM Domains not working when containing space characters.
- Added possibility to do a recursive LDIF export from the tree root.
- The 'Infos' main menu item in WebADM Admin Portal is renamed to 'Admin'.
> Added buttons for direct-access to WebADM configuration objects from Admin menu.
- The tree view now displays a maximum of 1500 children per container node.
> This max children value is configurable in webadm.conf by setting treeview_items.
> Over this limit, an inline search input appears for displaying filtered results.
- Optimized YubiHSM encryption by caching opened device handlers (4x faster).
- Added support for per-group forced settings in Client Policy configurations.
- Added auto-adjustment of memory and threads depending on the license user count.
- Fixed database table setup check failing with SQLite databases.
1.3.0
- HSM support with hardware encryption for sensitive data, settings and inventories.
> YubiHSM is currently supported for AES encryption and random number generation.
- Major enhancements to the user data storage encoding.
> Per-data encoding with support for software / hardware AES and cleartext data.
- Improved remote service connections' failover mechanisms.
- Improved Session server communication with compression for large data.
- Added a Manager method to retrieve server status information.
- Added transaction unlock delay to deal with LDAP replication time.
- Fixed broken PDF generation framework.
- Added support for mail with attachments and HTML contents.
- Added treeview node expand limitation to deal with large amounts of child nodes.
- Fixed a login issue where WebADM prompts for admin login twice.
- Fixed a minor issue with message localizations in multilingual WebApps.
- Fixed incompatibility with JSON message files contain UTF8 BOM headers.
- Fixed CSRF session protection not working when WebADM is used behind a port forward.
- Added startup checks for cluster consistency (AES keys, versions, configs, license).
- Added a configuration setting to handle LDAP user IDs in case-sensitive mode.
- Added the possibility to batch de-activate users with the bin/extend tool.
- Fixed WebApp session cookies now working across all cluster nodes.
- Better support for very large scale installations.
- Updated OpenSSL library to 1.0.1h with fixes CVE-2014-0160, CVE-2014-0224.
- Added a listener on port 80 (HTTP) with a redirection to HTTPS.
> The HTTP_PORT variable (if defined in conf/webadm.env) is replaced by HTTP_PORT_SSL.
> The HTTP_PORT_STD variable has been added for the HTTP redirection listener.
- Fixed an issue with some user groups sometimes not being resolved correctly in AD.
- Fixed display issues with failed LDAP MountPoints.
- Fixed an issue with session closed after redirections in the OpenID/SAML WebApp.
- Fixed issues with paged LDAP results on ActiveDirectory 2003.
- Fixed upgrade issues on few distributions which required using the --force parameter.
1.2.7
- Added support for cumulative application setting values (ex. OpenOTP ReplyData).
- Added 'Remove' buttons under the Applications menu to un-configure applications.
- Tabs corresponding to un-configured applications are ignored in self-services.
- Added support for session manager synchronous replication with WebADM Clusters.
> Please read HA documentation for clusters as additional TCP ports must be opened.
- Fixed a minor startup issue with permissions on log files.
- Aligned Rsignd log time format to the other WebADM log files.
- Added support for per-application WebApp session timeouts (used in SAML WebApp).
- Fixed an issue with OpenID/SAML and the CSRF session protection mechanisms.
- Fixed an issue with OpenID/SAML and HTTP URL redirections.
- WebADM supports OpenLDAP dynamic schema extension in 'cn=config'.
- Variable USER_CERT can be define in webadm.env to override Apache SSLVerifyClient.
- Enhancements to the SQL framework and Oracle databases are now fully supported!
> Optionally the servers.xml can contain tnsname="<TNS>" with Oracle databases.
In this case a 'tnsnames.ora' file must exist under conf/ directory.
- Fixed WebApp inline mode dropped after a WebApp HTTP redirect or error/success page.
- Admin, Manager and WebApps session timeouts are configurable independently.
By default the Manager Interface's cookie-based sessions are disabled.
- Bulk user activation script bin/extend supports user selection based on LDAP groups.
- Added support for custom WebApps' stylesheets (none of the WebApp is compatible yet).
- Added support for localized WebApps (none of the WebApp is compatible yet).
- Added support for 'lang=XX' parameter in WebApps and Web Services' URLs to force a
language and bypass user's LDAP language attribute(s).
- WebADM supports to be installed on an ActiveDirectory without the schema extension.
> Please read the updated WebADM Installation Manual for details.
- Better support for older Internet Explorer versions (IE7).
- WebADM uses the PHP 5.5 runtime.
- Added support for HTML emails.
- The WebApp logos are used as favicon under the WebApp URLs.
- Fixed issues with MountPoints and the Manager Interface.
- Added support for LDAP paged results (required with AD with large amount of users).
- Minor HTTP caching performance enhancements.
1.2.6
- Commercial applications (OpenOTP/TiQR) are limited to 35 active users instead of 25!
- License does not block requests immediately when the user limits are reached.
> Running services send email alerts and continue working until next restart.
- Added support for vendor-encrypted inventory files and transparent import decryption.
- Fixed the Manager function Rename_LDAP_Object not working correctly.
- Added an optional Client Policy Friendly Name setting.
- Added password expired detection to the LDAP password checks.
- More debug messages during the LDAP schema setup with Active Directory.
- Added conditional application settings (WAPI 18) Unsupported settings are greyed.
- Fixed unuseful warnings displayed in applications' command-line tools.
- Added --force flag to the upgrader to force an upgrade process having errors.
- Daily license alerts when subscription licenses expire in less than one month.
- Fixed application's admin pages sending mail alerts when logged to the Admin Portal.
- Added the possibility to specify the syslog facility when syslog is enabled.
- Fixed a Mail Server connection issue with SMTP authentication.
- Direct groups (AD groups) located outside LDAP Domain group search base are ignored.
- The OptionSet quota feature now counts only the number of activated accounts.
- Better W3C HTML compliance and browser support.
- Rewritten stylesheets and WebApps' default theme.
- Added detection and support of mobile devices in WebApps.
- Many minor changes to the admin interface.
- Fixed an Admin issue with the creation of users having passwords with ';' character.
- Fixed proxy user and admin groups creation in the graphical setup wizard.
- Added support for passwords with up to 256 characters.
- Added a configuration setting to disable DN and group settings cache when necessary.
- Big memory usage and performance enhancements.
- Fixed a bug with multi-selection application settings.
- Session manager and shared cache memory/threads are configurable in conf/webadm.env.
- Moved from Apache 2.2 back-end to the Apache 2.4 branch.
- WebADM internal constants can be modified and are stored in .ini files in lib/hidef.
- Uniformed the WebApps' authentication framework (SelfDesk uses its own login page).
- WebApp PKI login mode is replaced by the new 'Require User Certificate' setting.
- Any WebApp support PKI login mode with WebADM user certificates.
- New version check tool 'bin/update' is replaced with the 'bin/webadm update' command.
- Fixed several issues when WebADM is accessed from behind a reverse-proxy.
- Added per-method helps to the Manager interface methods under the Infos menu.
- Added support for encrypted CA and Rsignd private keys (with startup password prompt).
- Major coding enhancements to the Web applications and Web services' frameworks.
1.2.5
- Added support for network-based Client policies.
> With Client policies it is now possible to distinguish application settings when the
users are connecting from the trusted internal networks.
- Added time-based access policies to the Domain and Client policies.
- Added a graphical week calendar editor for time-based policies.
- Fixed an issue with SMTP sender address not working properly with OpenOTP.
- Added the 'pwcrypt' tool to encrypt sensitive settings of WebADM configuration files.
> This feature requires a valid (and newer) license file.
- Major performance enhancements to the cryptographic subsystem.
- New default data encryption method and new setting to configure the encryption mode.
> Encrypted data will be automatically updated at runtime.
- Optimized the server IP address checking in the WebADM licensing subsystem.
> If you have a hostname-based license file, please ensure your DNS is resolving your
license hostname correctly.
- Corrected a MountPoint issue introduced in WebADM v1.2.4.
- Fixed a password change issue with Samba accounts.
- Fixed an update issue with groups having more than 500 members.
1.2.4
- Added WebADM Inventory database and WAPI-15 (with Inventory framework).
> Inventory is used by applications like OpenOTP to store large amounts of Tokens.
You so OpenOTP v1.1.1 to use the inventory with Hardware Tokens.
- Added localized messages and inventory items import in the 'Import' menu.
- Enhancements to the log viewer with large databases.
- Added a 'select all' checkbox in log, messages and inventory viewers.
- Optional encrypt_mode level '2' for stronger encryption of LDAP and DB data.
> Be aware that changing the encryption mode will invalidate any password stored in
your application settings (ex. SMSC connection passwords).
You can add "encrypt_mode 2" in webadm.conf to enable level 2 data encryption.
- Better detection of ActiveDirectory 2003 directories.
- Hardened authenticated sessions to with protections against XSS and CSRF attacks.
- Fixed an issue with HTTP output buffering preventing some users to log in WebApps.
- Fixed an issue where WebADM shows primary connectors (LDAP/SQL/Session) as secondary.
- Fixed database verification issues with PostgreSQL.
- Added the /opt/webadm/bin/verify script for batch LDAP object checks.
- HTTP optimizations with stream compression.
- Dropped script timeout limit for long LDIF imports.
- Upgraded to OpenSSL 1.1.0e (security update).
- Added new XML application configuration features (WAPI 14).
- Fixed account de-activation in Active Directory.
- Minor fixes to the user settings' edit pages.
- Minor fixes for scripts in the applications' bin/ folders.
- Added the 'reverse_proxies' configuration in webadm.conf to be used when WebADM Web
Services or WebApps are accessed through a reverse-proxy or load-balancer server.
1.2.3
- Added support for country-based policies in WebADM Domain and Client objects.
You need to update your Web Service applications to use this feature.
- Added geolocations and IP-based filtering in the log viewer.
- Added map view of source IP addresses (per-IP and for the log selection).
- Enhanced the user data encryption system.
> WebADM can supports multiple encryption keys for key rollout. The first key is the
actual key and the other keys (if any) are still supported. WebADM will always
re-encrypt user data on-the-fly with the actual key.
> WebADM now checks if the user data were encrypted with the configured encrypt_key.
It is also able to detect if encrypt_key has changed and cannot decrypt user data.
> The bin/encrypt script can re-encrypt user data in batch with a new encrypt_key.
- Added SQLite database support for SQL-based audit tables and localized messages.
> The WebADM XML specification of an SQLite database (in servers.xml) should contain
the full path of the sqlite .db file in the "database" XML attribute.
- Fixed long timeouts occurring with LDAP server failover mechanism.
- Better logfile logging and log session IDs enhancements.
- Increased performances of Session Manager encryption.
- Added an option to force decryption of user data on the user data editor.
- Added source IP addresses to the SQL logs (Admin, Manag, WebApp, WebSrv).
- Added WAPI functions data encryption and IP address geo localization.
- Fixed issues with XML log statistics' exports.
- Fixed a bug with user data corruption when managed by other admins.
- Added 'smbpasswd' (for Samba passwords) and 'adspasswd' encodings in objects.xml.
> Please copy objects.xml.new to objects.xml to enable Samba password management.
- Fixed some AD password change issues with unicode characters.
- Updated the HTTP, Memcached and PHP components.
- Fixed admin login with certificates and admin DN containing unicode characters.
- Fixed error message 'Could not get WebADM user options' at login.
- Added XML-RPC support for Web services.
- Added basic support for 389 Directory Server.
- Fixed LDAP password not working after import/copy.
- Web Services' WSDL binding address now defaults to the SSL service.
- Web services' URLs not ending with the trailing '/' are now supported.
- Added an action in the user edit view to deactivate an account.
- Added a tool to test alert emails under the 'Infos' menu.
- Application's IP restrictions support IP/netmask format.
- Enhancements to the WebADM PKI server (client hostnames and command-line options).
- Added IPv6 support.
- New RCDevs Logo.
1.2.2
- Fixed a LDAP failover problem with LDAP-TLS connections.
- Enhanced the LDAP user data encryption system.
- Several email addresses can be set for alert_email in webadm.conf.
- Added a helper tool to manage user data encryption (bin/encrypt).
- HTTPd log events are now prefixed with the component name and session ID for Admin
and Manager logs (like for WebApp logs).
- Added optional misc settings to configure the treeview width and the default portal.
- Fixed an issue with unicode characters introduced with WebADM v1.2.1-1 and PHP 5.4.
- Fixed an issue with group settings priority ordering with multiple groups per-user.
- The Manager Interface supports batch JSON-RPC requests.
- Fixed Manager Interface function 'Get_QRCode' not working.
- Added Manager Interface function 'Get_Random_Bytes' to generate pseudo-random bytes.
- Added support for PNG and JPEG formats in the QRCode framework.
- Manager Interface function 'Set_User_Attr' supports ldap_mod_add operations.
- Added Manager Interface function 'Del_User_Attrs' to delete attributes or values.
- Added optional syslog reporting.
> You need to add the configuration directive "log_syslog Yes/No" in webadm.conf.
- Added PDF generation support.
- Added XML export format for SQL logs and localized messages.
- Fixed a log statistics export issue in the log viewer.
- Added resolution of user groups with memberUID attributes on posixGroups.
- Fixed issues with the 'Allowed Applications' in OptionSets.
- Added application configuration details in support tickets.
- Added group_mode 'Disabled' to disable LDAP groups in WebADM and applications.
- Performance improvements.
- Added support for Oracle/Sun Directory.
- WebADM uses the PHP 5.4 runtime.
1.2.1
- Added support for upcoming RCDevs permanent licenses.
- Fixed an issue with mount points having spaces in the Mount DN.
- Fixed Manager Interface responses sometimes returning JSON arrays instead of objects.
- Added an email alert notification when activated user count is near the license limit.
- Fixed a bug causing a failure with OpenOTP HOTP Token resync in some situations.
- Disabled SSLv2 protocol and SSL weak ciphers for PCI compliance.
- Optionset quotas are handled by the Manager Interface.
- Enhanced remote services' connection failover system.
- Much faster QRCode calculations.
- Added LDAP schema extension support for OpenLDAP versions with dynamic configurations
and Apple OpenDirectory.
- Fixed an issue when editing user settings containing double-quote characters.
- Fixed an issue with mails when the sender address is not a fully-formed address.
- Fixed some WebApps buttons not working when the default theme is not used.
1.2.0
- WebADM includes a JSON-RPC Manager API for Admin and Application functions.
The API is accessible through the manag/ URL and requires user authentication.
Please look at the the 1.2 documentation for details on the Manager interface.
- Added a SQL table for the Manager logs.
- All WebApps support the access locking mechanism.
- Session Manager uses a per-stored-object encryption.
- Interface enhancements and bug fixes.
- New WebApp layout and style.
- Fixed several display problems with some browsers.
1.1.5
- Added an optionset option to allow other admins to access user data unencrypted.
- License check will not count users for domains where the application is not allowed.
- Enhanced failure detection of the connected remote services (in servers.xml).
- Removed internal component versions from HTTP headers.
- Corrected a bug in the bin/setup script in slave mode.
- Fixed ODBC database setup issues with newer version of PostgreSQL.
- Added direct log viewer links on the user edit page for WebADM Accounts.
- The WebADM setup creates the admin groups and group presence is checked at login.
- Fixed a database log access issue when an optionset exists and has a Tree Base defined.
- Fixed a copy/import issue for objects with a password with RCDevs Directory Server.
- Enhancements in the PKI authentication subsystem.
- Fixed an issue with PKI login mode when optionset certificate revocations is enabled.
- Added a menu entry to jump between servers when WebADM is installed in cluster mode.
- Licenses emergency extension (for Enterprise licenses excluding trials and temporary).
When a license expires, it will auto-extend for one month and send an alert every day.
If not renewed within the auto-extension period, the license expires completely.
- Optimizations in the cluster node's configuration change notification system.
- Several Admin Portal interface enhancements.
1.1.4
- The 'Extended Logs' application setting is now configured in the webadm.conf file
with the log_webapps and log_websrvs settings.
- The 'Enable Alerts' application setting is removed (SQL Alerts are always enabled).
- An alert cache prevents the same alert email to be sent twice in a 10min interval.
And a maximum of one alert email is sent per minute.
- Included the Suhosin hardened PHP patches from http://www.hardened-php.net/suhosin/.
- Corrected a deadlock problem occurring with some Web services.
- Added a debugging console for licensed versions.
- Improved the license caching system.
- Improved automatic connectors failover for LDAP/SQL/SMTP/PKI/Session servers.
- Added a graphical editor for the Client objects' Priority Application Settings.
- Added a button to activate users with WebADM functionalities.
- Added the Require Client setting for Web services.
- Added default domain support for all WebApps.
1.1.3
- Settings super_admins and other_admins can contain a list of LDAP group of users.
- LDAP MountPoints can be setup with multiple LDAP servers for redundancy.
- SMTP mail server(s) can now be configured in conf/servers.xml.
> When no SMTP server is configured, WebADM uses the local mail transfer agent.
- Fixed a tree browser problem with Internet Explorer.
- Added SSHA encoding support for LDAP passwords.
- SQL Database schema has been removed from the conf directory.
- WebADM displays warnings when licensed products are near expiration.
- Fixed LDAP connections problems with SSL.
- Fixed webadmAccount object class removal not working with Active Directory.
- Added a script (in bin/extend) to extend LDAP users with webadmAccount in batch.
- Added a search result batch action to remove webadmAccount object class from users.
- Fixed a pre-2008 AD Domain detection issue.
- Fixed pre-2008 AD user counting limitations.
- Fixed error messages not correctly displayed on license error.
- Better support for special characters in LDAP objects' DN.
- Fixed a schema extension issue with mounted LDAP.
1.1.2
- Added API functionalities required for the TiQR service.
- Added new admin pages for starting WebApps and Web Services user actions in WebADM.
- Enhanced certificate management for WebApps.
- Fixed an OptionSet problem where SQL restrictions were applied to super admins.
- Fixed a problem preventing LDAP modifications on eDirectory tree roots.
1.1.1
- Fixed an issue with LDAP DN containing special characters.
- Fixed a display bug in the user application settings editor.
- Added Alert SQL log.
> Please update your conf/database.conf file.
- Removed PHP multibyte functions overloading.
> Please update all applications to the latest versions.
- Added support for web services setting scope 'config' required by OpenOTP.
- Added PHP socket support.
- WebApp user sessions are now fully encrypted in the session manager.
- Sensitive configurations are now encrypted in the local shared memory cache.
- Added status of LDAP configurations in the home page.
- Corrected few minor problems of the new 1.1.0 release.
- Added logfile viewer for HTTPd and SOAPd logs (in the Database menu).
- Added WebADM Client objects support for Trust Domains.
- Ordered display WebApps and Web Services.
1.1.0
- Group-based client access control and application policies.
WebADM includes a new config object type (Client) which allows:
> Defining client application access rules based on allowed and excluded group
lists. For example, a VPN client can be restricted to some group of users.
> Defining client policies with Web Services settings which will always be
enforced for the client. For example, you want the VPN to authenticate users
with LDAP+OTP passwords and Token, whatever policy is defined for the user.
- Extended Domain settings with allowed groups and excluded groups capabilities
like for WebADM clients.
- LDAP attribute prefetch mechanism of common attributes for LDAP optimizations.
- User groups and group settings caching for LDAP optimizations.
- Added a group_mode settings in the webadm.conf config file to force using only
direct or indirect LDAP groups.
- PKI server enhancements.
- Many minor enhancements and fixes requested by the users.
1.0.10
- Freeware license is now limited to 25 users instead of 15.
- Added support for RCDevs Directory Server (OpenLDAP-based LDAP server).
- Enhanced server automatic failover system.
- Added setup in slave node mode (for cluster setup).
- Fixed few minor bugs of 1.0.9.
- Fixed session corrupted message appearing when blocking timer is pending.
- Added SSL certificates update scripts in docs/scripts/.
- Minor display enhancements.
- Upgraded to PHP 5.3.5.
- With DN and UID auth_mode, non super-administrators must be registered in the
other_admins in conf/webadm.conf to be able to enter the Admin Portal.
With PKI auth_mode, this setting is ignored as as access is granted based on
the user certificates.
- Fixed default setting value for user/group settings when the application
setting does not have a default value.
- Corrected login pages layout.
- Caching improvements.
- Internal security enhancements.
1.0.9
- HTTPD and SOAPD servers are now running under the same Apache instance.
> Shared cache is now shared between both services.
> Port configuration is customizable in the bin/webadm script.
> No more conf/httpd.conf and conf/soapd.conf required.
- Added LDAP DN cache system.
- Many code improvements.
- Fixed LDAP object caching issues in WebApps.
- Better error handling for WebApps and Web Services.
- Added WebApp API functions required for OpenID.
- Cleaned HTTP and SOAP logs.
- Added GD graphic library support.
- Fixed an OpenLDAP schema file problem.
- Fixed OpenLDAP setup problems.
- Fixed OpenLDAP password encodings.
- Localized message editor enhancements.
- Group settings enhancements.
- User settings default values are now the application values.
- LDAP framework enhancements.
- Fixed a bug with Rsignd when signing certificates.
1.0.8
- WebApp and WebSrv API updated to version 3.
- WebApp direct access URL changed.
> Direct WebApps access is now possible with URL /webapps/mywebapp/
- WebADM base URL redirects to /webapps/ when Admin is disabled.
- Javascript corrections.
- Added new UI framework to support WebApps themes.
> Add 'webapps_theme "default"' to your webadm.conf to activate default theme.
- Extended WebSrvs API with request setting handling functions.
- Mutex enhancements.
- Added WebApp access locking system.
- Rsignd PKI server is now configured in servers.xml.
- Rsignd PKI client is now implemented in a PHP extension.
- Updated all libraries to latest versions.
1.0.7
- Added webadmGroup object class to the LDAP schema for simpler group settings
management.
- Added ActiveDirectory 2003 support (with restrictions).
- Fixed PostgreSQL database initialization problems.
- Fixed WSDL download URL from WebADM Application menu.
- Enhanced setup script.
- Added web services functions required by OpenSSO.
- Added other_admins setting in webadm.conf.
- Added search batch action to add webadmAccount object class to users.
- Fixed webapp header problems.
1.0.6
- Enhanced license caching system.
- Fixed Web services config cache reload when Web service configurations are
modified.
- Added Oracle ODBC driver.
- Fixed minor display problems.
- Fixed a bug in the update checker binary 'bin/update'.
- Session Manager enhancements.
- WebApp sessions now use Session Manager instead of shared memory.
- WebApps work behind load-balancers.
- General code enhancements.
- Admin portal is now located under '/admin' URL.
- Updated memcached version.
- Added Setting to enable mail alerts per applications.
- Fixed mount point problems.
- Added AllowedClients and AllowedAddresses settings for web services.
- Added cache_timeout setting in webadm.conf.
- Remove max cluster requests setting for web services.
1.0.5
- Added Trust Domain support.
- Added Session Manager CRC checks.
- Enhancements in the Web Services requests limit handling.
- Fixed a problem with the Domain group search base setting.
- Added RequiredGroup Domain setting.
- Domains can be hidden from the login portals when using UID login mode.
- Added a setting in webadm.conf to list or not the domains with UID login mode.
- Added support for WebApps with Admin pages.
- Extended WebApp API with SessionManager data storage and message localizations.
- Added RCDevs commercial software license support.
- Added email alerts system.
- Code corrections and optimizations.
1.0.4
- New logo.
- Languages are now configured in conf/webadm.conf.
> Update your webadm.conf file.
- HTTP proxy support (multiple HTTP proxies configurable in conf/servers.xml).
> You can set a HTTP proxy in the servers.xml file.
- Added support and maintenance features for RCDevs customers (members):
> Maintenance Ticket issuing system.
> SSH remote maintenance system.
- Fixed a checkbox problem in the localized messages viewer.
- Fixed a problem with Domain LDAP group search bases.
1.0.3
- Code reorganizations.
- Web services user locks use the distributed session manager.
- Webapps use the user locking system for user data and user settings updates.
- Web services have per-host and per-cluster max concurrent requests settings.
Cluster means all the servers using the same session manager.
- Updated backend component versions.
- Fixed conf/object.xml definitions to allow domain object creation on OpenLDAP.
- Domains can be disabled.
- Domain can be restricted to a list of clients (NAS Identifiers).
- Minor bug fixes.
1.0.2
- WebADM supports application-specific admin pages.
> The admin pages are available when editing a WebADM user account.
- User edit page displays the application names in the WebADM data list.
- Application settings can have a LDAP-only scope that makes them usable
only on LDAP objects.
1.0.1
- Home page displays applications status.
- Minor bug fix in webadmData LDAP updates.
- Added WebApp PKI API for user user certificates management.
- Added automatic user certificate provisioning by email.
- Version checking is configurable in conf/webadm.conf.
- Added timezone configuration in conf/webadm.conf.
1.0.0
First official release.
