**************
*** v2.2.0 ***
**************
*** Mobile Badging with IAM Features ***
WebADM includes a user badging feature with RCDevs Mobile Token. It allows local and
remote user badging and time tracking. You can activate the mobile feature by enabling
the 'Badging' option in your OpenOTP application configuration.
A new client policy option to allow access for badged-in users only.
Badging operations record check-in & check-out times with geolocation and timestamping.
User access via badging policies are available in WebADM Client Policies.
**************
*** v2.1.0 ***
**************
*** Support for external CAs and eIDAS ID Cards ***
WebADM now supports PKI operations with its internal CA and trusted external CAs.
Trusted CA certificates must be copied to /opt/webadm/pki/trusted/ to be handled.
eIDAS ID cards and in general any smartcard from external CAs are supported for:
- PKI login in all WebADM WebApps (OpenID, PwReset, SelfDesk and SelfReg).
- OpenOTP PKILogin method (custom Web integrations).
- EAP-TLS PKI login in RadiusBrige for Wifi and Ethernet access.
- Windows Credential Provider with PKI login (not yet released).
**************
*** v2.0.0 ***
**************
*** RCDevs Cloud Micro-Services ***
WebADM now relies on the new RCDevs Cloud Micro-Services' infrastructure for Mobile
Push notifications and other online services. The services are accessed via permanent
HTTP2 connections which greatly improve communication protocol overhead and also
remove the need to re-negotiate and re-authenticate TLS sessions all the time. The
HTTP2 services can be transparently accessed via HTTP proxies (in 'servers.xml').
Currently, RCDevs micro-services provide Push notifications, SMS messaging, Cloud
Licenses and a set of base services like NTP. More services will come in the future.
Note that you do not need to configure the 'LicenseServers' and 'PushServers' anymore
in 'conf/servers.xm'. Just enable the 'cloud_services' feature in 'webadm.conf' and
it simply works.
WebADM now requires a license file even in Freeware mode! This is because the Cloud
micro-services require your license metadata and authorizations in order to be used.
The Freeware license is connected to RCDevs license services and can be used on one
server only! Freeware licenses also requires an Internet connection, yet it can work
offline for a few weeks (without interacting with RCDevs license services).
You can get a WebADM freeware license at https://cloud.rcdevs.com/freeware-license/.
Note that all the previously available freeware features are maintained in WebADM v2.
*** PKCS#11 HSM Support ***
WebADM now supports low-cost USB HSMs devices like SmartContact and Nitrokeys. It will
support YubiHSMv2 and other devices a later stage. WebADM include a modular PKCS#11
engine which provides HSM load-balancing and high-availability when multiple devices
are connected.
*** Voice Biometrics ***
WebADM includes a voice biometrics' engine based on neuronal network technologies which
is able to learn human voice fingerprints and authenticate users while speaking.
OpenOTP v1.5 supports voice biometrics as additional multi-factor authentication method.
Voice can be used via Web Logins (with WebRTC) or with the RCDevs Mobile Token.
Authentication with voice biometrics is supported by all RCDevs integrations and plugins.
**************
*** v1.7.0 ***
**************
*** Performance Improvements ***
WebADM and all its applications are now using a new PHP code compiler from RCDevs which
relies on HHVM bytecode. The result is increased performances and reduced memory usage.
With previous versions, OpenOTP benchmarks reached around 100 authentication requests per
second on a 8 cores server. With the new version the same server achieves 1000 requests
per second and consumes a third of the memory.
Please note that such high performance improvements might be mitigated by the limitations
of your LDAP back-end(s) processing capabilities.
*** Access Point Devices ***
Later in 2019, RCDevs will commercialize physical access devices (access points) for
user access control, badging and geo-tracking. WebADM v1.7 includes preliminary support
for these devices. Please contact RCDevs sales or support services for more information.
**************
*** v1.6.0 ***
**************
*** License Changes ***
WebADM license check for allowed IP addresses has been changed and requests comming to
an unlicenced listener IP will be refused. This more restrictive license behavior might
break your license if it's not bound to the real service IP. WebADM works in permissive
mode and sends until 31/12/2018, in order to let you update your license file. Please
contact RCDevs SA if your system fails to validate licenses for wrong IP addresses.
*** Video Records ***
A new database table has been added for storing SpanKey video records. You need to
create the new table in the setup wizard which will be displayed at first login to the
Admin Portal. This feature will be used bu SpanKey v1.1 which will be release Q1 2018.
**************
*** v1.5.8 ***
**************
*** New Endpoint URLs ***
OpenOTP and TiQR public endpoints are now available under the WebADM HTTPS URL and not
under the Web service URL anymore. The U2F AppId and the mobile Token enpoint are now
https://yourserver/ws/appid/ and https://yourserver/ws/openotp/. The TiQR Endpoint is
now https://yourserver/ws/tiqr/. If you don't use WAproxy, you need to reconfigure the
endpoint URLs for OpenOTP and TiQR under the WebADM Applications menu.
These URL changes were required for the public enpoints to work with WebADM custom SSL
certificates. Note that WAProxy URLs are not impacted but you need WAProxy 1.1.1 with
this version of WebADM.
**************
*** v1.5.7 ***
**************
*** SSL Certificate Changes ***
WebADM now uses one single SSL certificate for both the HTTP server and Rsignd server.
Previously the HTTPs certificate files were stored in /opt/webadm.pki/httpd.crt and
/opt/webadm.pki/httpd.key. In versions >=1.5.7, the common certificate and key files
are now /opt/webadm.pki/webadm.crt and /opt/webadm.pki/webadm.key.
Note for custom SSL certificates: If you installed a custom SSL certificate for WebADM
(ie. you replaced the self-generated httpd.crt and httpd.key with a trusted certificate),
then WebADM will rename your custom certificate files to custom.crt and custom.key. The
self-generated certificate is kept in webadm.crt and webadm.key.
WebADM Admin Portal and WebApps services will run with the custom certificate whereas the
other services (ex. OpenOTP) will run with the webadm.crt certificate file.
Please look at the WebADM Amdin Guide for more information about how to use custom SSL
certiticates with WebADM.
*** Session Server Performance ***
The session servers' internal data storage format has changed: the data serialization
uses Redis igbinary for better performaces for smaller data. As a consequence, if you
upgrade only one node in your cluster, this node will not be able to exchange data with
the other nodes. You need to upgrade all your server nodes for your cluster to work.
**************
*** v1.5.0 ***
**************
*** Admin Portal and WebApps Facelift ****
The WebADM Administrator Portal and the Web Applications' user interfaces have been widely
re-designed in order to provide a better user experience.
*** SQL Datastore for User Data and Settings ***
It is now possible to choose the data storage mechanism to be used for storing user data
and settings. By default WebADM stores any user and group metadata in the LDAP objects.
By setting the data store to 'SQL', these metadata are stored in a dedicated SQL table.
LDAP data store remains the preferred option because it maximizes the system consistency.
SQL data store should be used only if you need read-only LDAP access for the proxy_user.
**************
*** v1.4.3 ***
**************
*** Better Support for Reverse-proxies ***
WebADM can be used behind a reverse-proxy server and makes the distinction between
reverse-proxies and WebADM publishing proxies (WAProxy). The reverse_proxies setting
in webadm.conf is now intended to be used for usual reverse-proxy servers whereas the
waproxy_proxies setting is reserved for WAproxy servers.
If you use WAProxy in WebADM 1.4.2, you configured reverse_proxies and waproxy_headers
in webadm.conf. You need to remove the WAProxy IP address from reverse_proxies and add
it to the waproxy_proxies. You can also remove the waproxy_headers setting.
*** Fixed MySQL Max Connection Issues ***
WebADM 1.4.x introduced watchd, a WebADM daemon which actively monitors connectors for
server failover and high-availability. Watchd tests the services with TCP socket polling
and this mechanism has an issues with MySQL and MAriaDB servers. in WebADM 1.4.2, you
had to set max_connect_errors to a high value to overcome the problem. In WebADM 1.4.3
the watchd daemon performs full MySQL/MariaDB ODBC connections.
**************
*** v1.4.2 ***
**************
*** HSMHub Support ***
WebADM supports hardware encryption with locally-connected HSM devices or by using the
RCDevs' HSM server component (HSMHub). For large clusters (ex. with 4 or more servers),
it is now recommended to use the HSMHub server in order to limit the number of HSM
devices to be attached and maintained on each server.
*** High Availability and Cluster Limitations ***
Starting from WebADM v1.4.2, connector failover and clustering features are activated
only with a RCDevs' Enterprise license. The freeware version for up to 20 users does
not include these high availability Enterprise features anymore.
Also with the freeware version all end-user features are still available but:
- Failover connectors in servers.xml are ignored (only the first connnector is used).
- WebADM health check polling service (watchd) is not used.
- All clustering capabilities and session sharing are disabled.
**************
*** v1.4.0 ***
**************
WebADM 1.4 is a major upgrade of RCDevs WebADM server. It includes big changes to the
cluster implementation and bug fixes. This upgrade is recommended for installations
running in cluter mode.
*** Enhanced Cluster and HA Mechanisms ***
WebADM now uses a Redis NoSQL back-end for its shared data and running sessions in a
clustered environment. WebADM nodes include a new deamon which permanently monitors the
Redis nodes and dynamically manages their master/slave state. This mechanism is 100%
transparent and ensures the consistency of your system and the replication of any work
data across all the nodes in your cluster.
With WebADM 1.3.x, session replication was limited to 2 nodes. In WebADM 1.4 this sizing
limitation is dropped and the system supports up to 16 replicated nodes.
IMPORTANT: The session server port number in WebADM 1.4 has been changed from 11211 to
4000. You also need to adjust your session server configurations in conf/servers.xml.
And you may need to adjust your firewall rules in on order to allow the communication
between the cluster nodes on port TCP-4000. Without these configuration changes, your
WebADM cluster will NOT WORK correctly!
WebADM includes a new deamon called watchd which is responsible for checking the server
connector statuses in real-time. Watchd permanently tests the connections for all servers
declared in conf/servers.xml and informs WebADM about the current selection(s).
With Watchd running, your high-availability WebADM cluster is more efficient than ever
for dealing with automatic connector failover and dead-peer detection.
*** Admin Roles ***
WebADM has a new way to handle other administrators. Before, the other admins group(s) had
to be configured in webadm.conf. Starting from WebADM 1.4, other administrators are any
LDAP admin user which belongs to a WebADM 'Admin Role'. Admin roles are managed under the
'Admin' menu. The admin role object configuration provides very detailed administrator
access control with permissions based on LDAP objects, databases, config objects, WebADM
features and even applications's management features.
WARNING: Other administrators must still have the necessary permissions (ACLs) on the LDAP
server. If you use RCDevs Directory, please check you AdminRole definitions have matching
ACL definitions on your LDAP server configuration.
IMPORTANT: The WebADM OptionSet object has been re-designed and many of its features have
been moved to the AdminRole object. As a general rule, restrictions and constraints on a
tree branch like root context or quotas are defined in OptionSets. And user or group based
permissions are defined on AdminRoles. If you used other administrators in WebADM 1.3 then
review your OptionSet and AadminRole configurations after the upgrade.
*** Unified Log File ***
The two log files 'soapd.log' and 'httpd.log' are merged into one single log file called
'webadm.log' for more simplicity. All WebADM events (Admin, Manager, Web applications and
Web services) are now written to the 'webadm.log' file.
The common event format (CEF) for Splunk servers is now supported and can be activated by
setting 'log_format CEF' in conf/webadm.conf. When CEF format is used, both local file and
syslog events are provided in CEF format.
*** LDAP Load-Balancing ****
For large scale deployments (with more than 5.000 users), WebADM supports balancing the
LDAP requests. The load-balancing uses an intelligent routing mechanisms which always
selects the same set of LDAP servers for a specific user ID. The ensures that consecutive
read/write operations for a user are performed on the same back-end server(s) and also
overcomes issues with LDAP replication delays. Enabling LDAP balancing is not recommended
for small deployments.
You may activate the LDAP balancing mechanism by enabling the setting 'ldap_routing' in
conf/webadm.conf.
*** Online License Updates ***
WebADM includes a new (simplified) method for installing RCDevs server licenses. WebADM
is able to check if a license update is available online (on RCDevs servers) when you
activate the 'check_license' setting in conf/webadm.conf. This online check requires a
license to be already present.
**************
*** v1.3.2 ***
**************
*** Administrator / Manager Certificate Revocation ***
Administrator certificates' revocation is now enabled by default in WebADM. Login with
certificates is enabled when you have set auth_mode to PKI in your WebADM configuration.
In WebADM, the revocation of a login certificate is done by editing the administrator
or user account and removing the unused certificate(s) from the account attributes.
In previous versions the login certificates' revocation check was disabled by default
and enabled only if you configured the 'Check Certificate Revocations' in an OptionSet.
For security purposes, revocation checks is now always enabled and cannot be disabled.
if you use PKI login mode for Administrators and for the WebADM Manager interface, check
that the certificates used to login are correctly set in the underlying LDAP accounts.
If you cannot login after the upgrade with a message telling 'Certificate is revoked',
then temporarily switch to DN auth_mode in your webadm.conf to be able to login once and
renew your administrator certificate(s). At this time you can update the certificate(s)
in your Web browser and Manager client systems (if any).
*** PKI Authentication in WebApps ***
WebADM now fully supports PKI login in WebApps. PKI login options are included in the
last Self Service updates. Password Reset and Web SSO WebApps are PKI compliant too and
provide new login possibilities with user certificate as a complement to OTP and TiQR.
*** Admin Main Menu ***
WebADM 'Infos' menu has been changed to 'Admin'. Under the 'Admin' menu, administrators
have direct access to the WebADM main configuration topics (Domains, Trusts, Option Sets,
Mount Points, Applications and client Policies).
**************
*** v1.3.0 ***
**************
*** Hardware Cryptography with Yubico YubiHSM ***
WebADM supports HSM modules (currently Yubico's YubiHSM) in order to match the strongest
Enterprise security requirements. When enabled, hardware security complements the WebADM
software encryption transparently; very sensitive user data like Token seeds are encrypted
with HSMs whereas other (less sensitive) data are encrypted using WebADM software encryption.
This double encryption method has the advantage to provide the same level of efficiency
and security as with usual expensive HSM modules for a much lower cost. Our HSMs are less
than $500!
WebADM HSM implementation supports several hardware modules in failover and load-balanced
mode. Moreover the addition or removal of a HSM module is hot-plug. Like with the software
encryption, multiple HSM key handles can be used concurrently and the rollout of a new AES
hardware master key is supported.
The user data storage format has changed in WebADM 1.3 in order to support per-data format.
- Very sensitive data are stored with hardware encryption (more secure).
- Standard data are stored with WebADM software encryption (much faster).
- Non sensitive data are stored un-encrypted (accessible by other admins).
IMPORTANT: Upgrades from WebADM versions before 1.2.2 (January 2013) are not supported.
To upgrade from an older version please proceed as follows:
- Backup your LDAP user database and WebADM installation (/opt/webadm).
- Upgrade WebADM to the latest 1.2 version (ie. v1.2.7-3).
- Re-crypt any user data with the batch encryption tool in /opt/webadm/bin/encrypt.
- Upgare WebADM to version 1.3.0.
*** 40 Users Free ***
WebADM commercial applications such as OpenOTP and TiQR Server can now be used for free with
up to 40 activated LDAP users, without any restriction of functionality.
**************
*** v1.2.7 ***
**************
*** Active Directory Without Schema Extension ***
You have now two way to setup WebADM LDAP schema for Active Directory:
1) With the WebADM schema extension (preferred).
2) Without schema addition (re-use existing object classes and attributes as replacement).
This first option is preferred and WebADM will use the RCDevs IANA-registered Active
Directory attributes to store additional LDAP data in users and groups. The WebADM schema
addition is very minimal and is composed of 3 new object classes (webadmAccount, webadmGroup
and webadmConfig) and 3 new attributes (webadmSettings, webadmData and webadmType).
With the second option, WebADM does not make any addition to the Active Directory schema.
Instead the configuration WebADM is customised to re-use some existing object classes and
attributes.
Please read the WebADM Installation Manual and section 5.4.4 for details.
Configuration templates for AD >=2008 are available under the doc/ActiveDirectory/ directory.
*** Multilingual Support ***
WebADM includes support frameworks for multilingual WebApps. This feature is for future
WebApp releases and none the the RCDevs applications is currently translated.
Web Services support a 'lang=XX' HTTP parameter in the SOAP/JSON URLs to force a language
from the API (ignoring the user language in LDAP).
**************
*** v1.2.6 ***
**************
*** 35 Users Free ***
WebADM commercial applications such as OpenOTP and TiQR Server can now be used for free with
up to 35 activated LDAP users, without any restriction of functionality.
With previous version, freeware usage was limited to 25 activated users.
Note: Activated users are the users which are enabled in WebADM.
You can activate only a subset of users in your directories.
*** New Application Design ***
With this version and the next versions, WebApps and Web Services file structure is changed.
It uses a common structure where web application files, libraries, binaries, etc, are splitted
in specific folders. You also need to update all your applicatiosn to the latest versions or
use the all-in-one WebADM package.
*** Synchronous Cluster Replications ***
When your WebADM is deployed in cluster mode for high-availability purposes, all WebADM services
are redundant. An important WebADM service is the session manager: it's a network service used
by every node of the cluster to communicate and store user sessions, transaction locks,
distributed caches etc... With this update, the session manager data are replicated in real-time
between the two master nodes of your cluster. The replication is limited to two nodes, other
nodes being considered as un-replicated slaves.
**************
*** v1.2.5 ***
**************
*** New Encryption Modes ***
WebADM provides 3 methods for user data, application settings and inventory data encryption:
- No encryption: Sensitive data are not encrypted when your set encrypt_data to 'No' in your
webadm.conf configuration file.
- Standard Encryption: This is the default encryption mode when you set encrypt_data to 'Yes'.
In this mode any sensitive data is encrypted with the WebADM encrypt key.
This encryption uses AES-256 in CBC block cipher mode and PKCS#7 padding.
- Advanced Encryption: This mode is similar to the Standard mode but the encryption works per
object. Any encrypted data can also not be copied from one LDAP object to another. Also, LDAP
objects can not be moved or renamed out of WebADM without breaking the encryption.
You can safely upgrade this version as WebADM understands the previous encryption formats and
will transparently update your LDAP objects at runtime. If you used to manually create WebADM
user data manually out of WebADM please contact RCDevs for instructions.
*** Location and Time-based Policies ***
WebADM Domain and Client Policy objects are extended with new access policy features. It is
also possible to restrict user access per countries, IP networks and even access times.
The access times can be easily configured via a simple graphical week hours' selector.
With Client policies it is now possible to distinguish Web Services (Ex. OpenOTP) settings
when the users are connecting from the trusted internal networks. Note that for VPNs, this
feature requires non-standard RADIUS client capabilities.
**************
*** v1.2.4 ***
**************
*** Application Inventories ***
WebADM includes an inventory subsystem to be used by the registered applications like OpenOTP.
The inventory is intended to ease the management of large amounts of hardware resources like
OATH-OTP Tokens. OpenOTP hardware Token's registration is also possible by simply entering the
Hardware Token's serial number provided that the Token has previously been inventoried.
The inventory is accessible through the Database WebADM menu and provides WAPI functions for
the applications' access. Note that you need newer versions of Web Service and WebApp
applications which are compliant with WebADM WAPI 15. This includes:
- OpenOTP v1.1.1
- SelfDesk v1.0.12
- SelfReg v 1.0.10
The inventory data are encrypted in the database with the same AES master key which is used to
encrypt LDAP user data. Like for user data there is a per-item encryption and the inventory
Type and Reference fields are used as part of the encryption process. Changing one item's
reference also invalidates the encrypted item's data.
**************
*** v1.2.3 ***
**************
This major WebADM release adds new features like the the source address geolocalisation.
You should update all your WebApp and Web Service applications to the latest versions to
profit the new features.
*** User Geolocalisation and Location Policies ****
WebADM includes the GeoIP database from Maxmind (www.maxmind.com). With the latest versions
of OpenOTP and TiQR, it is also able to enforce country-based location policies on WebADM
Domain and Client Policy configuration objects.
NOTE: The WebADM SQL audit tables require a new "source" field. WebADM will automatically
detect the missing fields the next time you login to the Admin Portal as an administrator
and will propose to update the database schema. Please login to the Admin Portal immediately
after the upgrade to perform the database update.
*** Enhanced User Data Encryption ***
The encryption mechanism for the user data storage in LDAP uses a DataMode attribute since
v1.2.2. This DataMode tells WebADM if the user data is encrypted or not. In this new update
the DataMode format changed and includes the encryption mode used for the data and also the
CRC of the AES key which encrypted the data. This has the advantage that WebADM is now able
to detect if the configured encrypt_key is valid for the user data. And WebADM includes a
tool to decrypt, encrypt and re-encrypt in batch all the user data with a new encrypt_key.
IMPORTANT: Of course WebADM can read the previous DataMode format and will update it at
runtime. But after being updated, a previous versions of WebADM cannot read the new format.
Also, if you have a cluster setup, be sure to upgrade all your WebADM servers.
*** Support for unicode in the login DN with PKI login ***
WebADM login certificates now support any user DN with unicode characters. In case your
login certificate(s) would not work after the upgrade, just re-create the administrator
certificates from the Admin interface. You may need to switch WebADM to DN auth_mode in
/opt/webadm/conf/webadm.conf if you can't login with your administrator certificate.
**************
*** v1.2.2 ***
**************
This minor release has noticeable performance enhancements with the use of PHP-5.4 and some
code rewrites. It includes bug fixes for the LDAP/TLS connection failover and UTF-8 unicode.
*** Better User Data Encryption ***
This version adds more flexibility to the user data encryption in LDAP. WebADM will store a
new user metadata which informs whether the other metadata are stored encrypted or not and
optionally contains the encryption mode. With this information, WebADM can determinate the
data encryption status of LDAP metadata on a per-user basis and is able to work with encrypted
and unencrypted user data at the same time. It is also possible to activate data encryption
at some point without invalidating the existing user data.
WARNING: The new metadata will not be understood by the previous versions of WebADM which
will just fail at parsing the user data. If you work with cluster, be also sure to upgrade
all your cluster nodes at the same time.
*** Posix Groups support ***
You can configure the memberUID attribute(s) with the memberuid_attrs setting in webadm.conf
This setting enable the resolution of user group membership based on user IDs (uid). WebADM
is also able to resolve Posix groups membership natively.
*** System Log Enhancements ***
The httpd.log and soapd.log display the WebADM component name in use for the Admin portal
and the Manager interface (like with the applications' events). They will also include the
user session IDs in every log event.
Be sure to consider this change if you integrated with some third-party log parsing systems.
WebADM supports syslog auditing. To activate syslog, simply set log_syslog to 'Yes'.
**************
*** v1.2.1 ***
**************
This minor release add support for the upcoming RCDevs permanent licensing. You MUST upgrade
all your installed Web Service components (OpenOTP, OpenSSO, SMSHub and TiQR) to the latest
versions if you upgrade to WebADM 1.2.1!
WebADM includes a new QRCode generation API for the WebApps and Web Services. The new API is
written in C code and is also much faster. The new API is used by latest versions of OpenOTP
and TiQR Server.
Apple OpenDirectory and newer versions of OpenLDAP are now fully supported. WebADM is fully
compatible with the dynamic runtime configuration engine in OpenLDAP 2.3. Schema extension
is done through the graphical interface like with Novell or Active Directory.
**************
*** v1.2.0 ***
**************
This major release introduces the WebADM Remote Manager Interface. The Manager provides a
simple Json-RPC interface allowing remote access to WebADM internal management features and
to the opererations provided by the registered applications. The remote functions are performed
by sending RPC commands to the Manager URL.
Please look at the WebADM Administrator Guide for details on how to use the Manager Interface.
**************
*** v1.1.5 ***
**************
The LDAP users or groups configured in the super_admins and other_admins settings in the
webadm.conf file are now check during the WebADM graphical setup and at Admin login time.
WebADM will also prompt you for the automatic creation of any entry not existing in the
LDAP and it will create the corresponding group objects. Note that WebADM assumes non-existing
object are LDAP groups by default.
To avoid warnings and having a setup link displayed in the WebADM home page, you should also
remove any unwanted user/group from the super_admins and other_admins configurations.
With ActiveDirectory, you can set the LDAP DN of existing security groups for super_admins and
other_admins.
Some optimizations have been made to the configuration change's notification system in Cluster
installations. As part of the changes, the nodes will check the WebADM version in configuration
change notifications. Please be sure to upgrade all of your clustered servers if you run WebADM
in Cluster mode.
Please read the CHANGELOG file in /opt/webadm/ for details of changes in WebADM 1.1.5.
**************
*** v1.1.4 ***
**************
The "Extended Logs" application setting is now configured in the webadm.conf file with the
log_webapps and log_websrvs settings. And the "Enable Alerts" application setting has been
removed. SQL Alerts are always enabled and you can optionally activate email and SNMP alerts.
Please look at the webadm.conf.new file after upgrade and copy the relevant configuration
blocks to your webadm.conf file. The new configurations are:
# Enable extended logging to the httpd.log and soapd.log files (enabled by default).
# Records all WebApps and Web Service events to the httpd.log and soapd.log files.
log_webapps Yes
log_websrvs Yes
# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# and/or alert_snmp is defined, the alerts are also sent by email or SNMP.
#alert_email "me@mydomain.com"
#alert_snmp "public@myserver"
Please log in the WebADM Admin Portal and edit the configurations for all your registered
applications. Simply click the "CONFIGURE" and then "Apply" button to let WebADM remove the
unused settings from the configurations.
**************
*** v1.1.3 ***
**************
*** Administrator Groups ***
In this version, the super_admins and other_admins settings in webadm.conf can contain
LDAP groups of administrator users or individual administrators. In both cases you need
to set one or a list of LDAP DN (users or groups). This is very useful as you can now
control the users having access to the WebADM Admin Portal from the Web interface.
You can also create an LDAP group for your Super Administrators and one for your Other
Administrators and reference them in the webadm.conf file like this:
super_admins "cn=admin,o=root", \
"cn=super_admins,dc=WebADM"
other_admins "cn=other_admins,dc=WebADM"
With Active Directory, you can use Security Groups and your settings should look like this:
super_admins "cn=Administrator,cn=Users,dc=mydomain,dc=com", \
"cn=super_admins,dc=WebADM,dc=mydomain,dc=com"
other_admins "cn=other_admins,dc=WebADM,dc=mydomain,dc=com"
In this example, you would need to adjust the LDAP tree base DN (dc=mydomain,dc=com)
according to your own Active Directory tree base.
If you use OpenLDAP, you can update your server configuration in /etc/openldap/slapd.conf
or in /opt/slapd/conf/slapd.conf and add some ACLs for your WebADM access groups like this:
access to *
by dn="cn=webadm,dc=WebADM" write
by group="cn=super_admins,dc=WebADM" write
by group="cn=other_admins,dc=WebADM" write
by self write
by users read
by anonymous auth
After having configured your LDAP server, you will need to create the groups from the WebADM
Admin Portal and add your Administrators as group members.
Note: The WebADM access group members are cached. When you add or remove access group
members, you may need to restart WebADM or clear the WebADM cache (in the Infos menu).
IMPORTANT: In previous versions, you didn't need to specify the list of other_admins when
WebADM was configured with PKI auth_mode (in webadm.conf). Now any administrator must be
set in either super_admins or other_admins to be able to log in the WebADM Admin Portal.
*** SMTP Servers ***
You can now configure one or more SMTP mail server(s) in the conf/servers.xml file. WebADM
supports authenticated SMTP connections as well as SSL and TLS. If there is no SMTP server
configured, then WebADM will use the local Mail Transfer Agent like in previous versions.
All the Web Services and WebApps will also use the configureg SMTP servers to send emails.
**************
*** v1.1.1 ***
**************
*** Performance Improvements ***
This version has a better handling of UTF8 and multibyte strings. The changes requires
that you update your applications (OpenOTP, SelfDesk, SelfReg, OpenID) to their latest
available versions. The change provides a noticable overall performance improvement.
*** Security Improvements ***
The WebApp user sessions are now fully encrypted in the session manager for additional
protection. And the sensitive configurations are now encrypted in the internal cache in
shared memory.
*** Alert SQL Log ***
WebADM includes a new SQL Log for keeping a record of alerts. The Alert log table
is specifed in the conf/database.xml file. You need to replace yout database.xml file
with the database.xml.new after upgrade.
**************
*** v1.1.0 ***
**************
This version includes major functionality additions and optimizations.
*** Client Access Control and Client Policies ***
WebADM includes a new config object type (Web Service Client). You can now create a
client object having the name of a Web Service client ID. For example, you use the
client names as disaplayed in the WebADM log viewer for the client object names.
When a client is defined, any request from the corresponding client application (ex.
a VPN server with matching client ID), will obey to the defined client policy.
For a client, you can restrict users able to use the client application with allowed
and excluded group lists. And you can define some Web Service settings which will
always be enforced for the client. For example, you want the VPN to authenticate
users with LDAP+OTP passwords and Token, whatever policy is defined for the user.
*** LDAP Optimizations ***
- LDAP attribute prefetching: When a LDAP object is accessed, some common attributes
are always read to limit the number of LDAP reads per request.
- Group setting caching: User groups and group settings are cached for 5 minutes in
order to optimize group searches and user setting resolutions.
This has the side effect that user groups and group settings' changes may be delayed
for a maximum time of 5 minutes when used by WebApps and Web Services.
IMPORTANT: After upgrade, you must update your /opt/webadm/conf/webadm.conf file.
You must add the 'clients_container' mandatory setting where the other LDAP containers
are defined. Look at the webadm.conf.new for details.
At first login, WebADM will complain about setup not beeing completed. This is because
the clients_container object does not exit. Click the 'Setup' button to let WebADM create
the necessary LDAP objects.
IMPORTANT: If you had previously defined some WebADM Domains with a Required Group setting,
you will have to re-define the required group in the new Allowed Groups setting.
***************
*** v1.0.10 ***
***************
This version includes support for RCDevs Directory Server (DS). DS is an OpenLDAP-based
LDAP server optimized, packaged and pre-configured for WebADM and its applications.
Some attribute XML definitions were added in the /opt/webadm/conf/objects.xml file.
After upgrade, replace your objects.xml file wih the new version (objects.xml.new). If
you made modifications to your objects.xml, apply them to the new file.
This version includes a new licensing which allows up to 25 WebADM users to be used
with RCDevs commercial web servces and webapps (ex. OpenOTP).
Note that there is no user limitation for WebADM itself.
**************
*** v1.0.9 ***
**************
This version has many code enhancements, provides additional WebApp framework funtions
for OpenID and some minor bug fixes.
The WebADM HTTPD and SOAPD servers are now running under the same Apache instance, with
virtual hosts.
> Shared cache is now shared between both services.
> No more conf/httpd.conf and conf/soapd.conf required.
> Listener port configuration is customizable in the bin/webadm script.
**************
*** v1.0.8 ***
**************
The version 1.0.8 of WebADM has a new PKI client/server implementation. The PKI server
has now to be configured in the conf/servers.xml file. Please check the content of the
servers.xml.new file after an upgrade and update your server.xml accordingly.
The WebApps server has been modified and the default URL for a WebAPP is now:
> https://myserver/webapps/mywebapp/
instead of the old:
> https://myserver/webapps/index.php?webapp=mywebapp
The old URLs sill works for backward compatibility.
**************
*** v1.0.7 ***
**************
*** The webadmGroup Extension ***
The version 1.0.7 of WebADM includes a new webadmGroup objectclass in the default LDAP
schema.
In previous version, group settings had to be assigned to LDAP groups by adding the
webadmAccount extension to a group. It had the disadvantage that the webadmAccount
contains some attributes such as uid, webadmData, preferedLanguage or mail which have
nothing to do with groups.
The new webadmGroup extension contains only the webadmSettings attribute. This new LDAP
extension also provides easier manipulations of LDAP group settings from the WebADM
Administrator Portal.
This new functionality requires few configuration changes at the config files and LDAP
levels. When you upgrade from a previous version proceed with the following steps:
1) Copy the /opt/webadm/conf/objects.xml.new to /opt/webadm/conf/objects.xml.
Use command: 'cp /opt/webadm/conf/objects.xml.new to /opt/webadm/conf/objects.xml'.
The new object.xml includes the webadmGroup features required by WebADM for handling
the new extension.
2) Edit your /opt/webadm/conf/webadm.conf file and add the webadm_group_oclass setting.
Look at the /opt/webadm/conf/webadm.conf.new file and copy the setting from it but do not
replace your webadm.conf file with the .new file like in step 1.
3) restart WebADM. Log in and proceed with the proposed setup wizard.
The wizard will register the webadmGroup extension in your LDAP schema in one click.
4) If you have groups extended with the webadmAccount extension (for group settings),
then extend your groups with the webadmGroup by editing the groups (exactly like you
did for extending with the webadmAccount extension).
If you want to keep using your groups with the webadmAccount extension, then edit the
webadm.conf file and add the "webadmAccount" to the webadm_group_oclasses setting.
Example: webadm_group_oclasses "webadmGroup", "webadmAccount"
Note: You can remove the webadmAccount extension from groups by entering advanced edit
mode and remove the webadmAccount objectclass.
*** ActiveDirectory 2003 Support ***
WebADM 1.0.7 supports ActiveDirectory 2003 with some limitations. Like for AD 2008,
WebADM requires SSL connection to the directory. Refer to your AD documentation to
setup SSL for Active Directory.
WebADM does not handle LDAP extension the same way with AD 2003. The main consequence
is that the OpenOTP License user counting system will count all the users existing in
the registered WebADM domains as WebADM users. With 2008, only users extended with the
webadmAccount extension are counted.
Please contact RCDevs for further details about the limitation.
*** v2.2.0 ***
**************
*** Mobile Badging with IAM Features ***
WebADM includes a user badging feature with RCDevs Mobile Token. It allows local and
remote user badging and time tracking. You can activate the mobile feature by enabling
the 'Badging' option in your OpenOTP application configuration.
A new client policy option to allow access for badged-in users only.
Badging operations record check-in & check-out times with geolocation and timestamping.
User access via badging policies are available in WebADM Client Policies.
**************
*** v2.1.0 ***
**************
*** Support for external CAs and eIDAS ID Cards ***
WebADM now supports PKI operations with its internal CA and trusted external CAs.
Trusted CA certificates must be copied to /opt/webadm/pki/trusted/ to be handled.
eIDAS ID cards and in general any smartcard from external CAs are supported for:
- PKI login in all WebADM WebApps (OpenID, PwReset, SelfDesk and SelfReg).
- OpenOTP PKILogin method (custom Web integrations).
- EAP-TLS PKI login in RadiusBrige for Wifi and Ethernet access.
- Windows Credential Provider with PKI login (not yet released).
**************
*** v2.0.0 ***
**************
*** RCDevs Cloud Micro-Services ***
WebADM now relies on the new RCDevs Cloud Micro-Services' infrastructure for Mobile
Push notifications and other online services. The services are accessed via permanent
HTTP2 connections which greatly improve communication protocol overhead and also
remove the need to re-negotiate and re-authenticate TLS sessions all the time. The
HTTP2 services can be transparently accessed via HTTP proxies (in 'servers.xml').
Currently, RCDevs micro-services provide Push notifications, SMS messaging, Cloud
Licenses and a set of base services like NTP. More services will come in the future.
Note that you do not need to configure the 'LicenseServers' and 'PushServers' anymore
in 'conf/servers.xm'. Just enable the 'cloud_services' feature in 'webadm.conf' and
it simply works.
WebADM now requires a license file even in Freeware mode! This is because the Cloud
micro-services require your license metadata and authorizations in order to be used.
The Freeware license is connected to RCDevs license services and can be used on one
server only! Freeware licenses also requires an Internet connection, yet it can work
offline for a few weeks (without interacting with RCDevs license services).
You can get a WebADM freeware license at https://cloud.rcdevs.com/freeware-license/.
Note that all the previously available freeware features are maintained in WebADM v2.
*** PKCS#11 HSM Support ***
WebADM now supports low-cost USB HSMs devices like SmartContact and Nitrokeys. It will
support YubiHSMv2 and other devices a later stage. WebADM include a modular PKCS#11
engine which provides HSM load-balancing and high-availability when multiple devices
are connected.
*** Voice Biometrics ***
WebADM includes a voice biometrics' engine based on neuronal network technologies which
is able to learn human voice fingerprints and authenticate users while speaking.
OpenOTP v1.5 supports voice biometrics as additional multi-factor authentication method.
Voice can be used via Web Logins (with WebRTC) or with the RCDevs Mobile Token.
Authentication with voice biometrics is supported by all RCDevs integrations and plugins.
**************
*** v1.7.0 ***
**************
*** Performance Improvements ***
WebADM and all its applications are now using a new PHP code compiler from RCDevs which
relies on HHVM bytecode. The result is increased performances and reduced memory usage.
With previous versions, OpenOTP benchmarks reached around 100 authentication requests per
second on a 8 cores server. With the new version the same server achieves 1000 requests
per second and consumes a third of the memory.
Please note that such high performance improvements might be mitigated by the limitations
of your LDAP back-end(s) processing capabilities.
*** Access Point Devices ***
Later in 2019, RCDevs will commercialize physical access devices (access points) for
user access control, badging and geo-tracking. WebADM v1.7 includes preliminary support
for these devices. Please contact RCDevs sales or support services for more information.
**************
*** v1.6.0 ***
**************
*** License Changes ***
WebADM license check for allowed IP addresses has been changed and requests comming to
an unlicenced listener IP will be refused. This more restrictive license behavior might
break your license if it's not bound to the real service IP. WebADM works in permissive
mode and sends until 31/12/2018, in order to let you update your license file. Please
contact RCDevs SA if your system fails to validate licenses for wrong IP addresses.
*** Video Records ***
A new database table has been added for storing SpanKey video records. You need to
create the new table in the setup wizard which will be displayed at first login to the
Admin Portal. This feature will be used bu SpanKey v1.1 which will be release Q1 2018.
**************
*** v1.5.8 ***
**************
*** New Endpoint URLs ***
OpenOTP and TiQR public endpoints are now available under the WebADM HTTPS URL and not
under the Web service URL anymore. The U2F AppId and the mobile Token enpoint are now
https://yourserver/ws/appid/ and https://yourserver/ws/openotp/. The TiQR Endpoint is
now https://yourserver/ws/tiqr/. If you don't use WAproxy, you need to reconfigure the
endpoint URLs for OpenOTP and TiQR under the WebADM Applications menu.
These URL changes were required for the public enpoints to work with WebADM custom SSL
certificates. Note that WAProxy URLs are not impacted but you need WAProxy 1.1.1 with
this version of WebADM.
**************
*** v1.5.7 ***
**************
*** SSL Certificate Changes ***
WebADM now uses one single SSL certificate for both the HTTP server and Rsignd server.
Previously the HTTPs certificate files were stored in /opt/webadm.pki/httpd.crt and
/opt/webadm.pki/httpd.key. In versions >=1.5.7, the common certificate and key files
are now /opt/webadm.pki/webadm.crt and /opt/webadm.pki/webadm.key.
Note for custom SSL certificates: If you installed a custom SSL certificate for WebADM
(ie. you replaced the self-generated httpd.crt and httpd.key with a trusted certificate),
then WebADM will rename your custom certificate files to custom.crt and custom.key. The
self-generated certificate is kept in webadm.crt and webadm.key.
WebADM Admin Portal and WebApps services will run with the custom certificate whereas the
other services (ex. OpenOTP) will run with the webadm.crt certificate file.
Please look at the WebADM Amdin Guide for more information about how to use custom SSL
certiticates with WebADM.
*** Session Server Performance ***
The session servers' internal data storage format has changed: the data serialization
uses Redis igbinary for better performaces for smaller data. As a consequence, if you
upgrade only one node in your cluster, this node will not be able to exchange data with
the other nodes. You need to upgrade all your server nodes for your cluster to work.
**************
*** v1.5.0 ***
**************
*** Admin Portal and WebApps Facelift ****
The WebADM Administrator Portal and the Web Applications' user interfaces have been widely
re-designed in order to provide a better user experience.
*** SQL Datastore for User Data and Settings ***
It is now possible to choose the data storage mechanism to be used for storing user data
and settings. By default WebADM stores any user and group metadata in the LDAP objects.
By setting the data store to 'SQL', these metadata are stored in a dedicated SQL table.
LDAP data store remains the preferred option because it maximizes the system consistency.
SQL data store should be used only if you need read-only LDAP access for the proxy_user.
**************
*** v1.4.3 ***
**************
*** Better Support for Reverse-proxies ***
WebADM can be used behind a reverse-proxy server and makes the distinction between
reverse-proxies and WebADM publishing proxies (WAProxy). The reverse_proxies setting
in webadm.conf is now intended to be used for usual reverse-proxy servers whereas the
waproxy_proxies setting is reserved for WAproxy servers.
If you use WAProxy in WebADM 1.4.2, you configured reverse_proxies and waproxy_headers
in webadm.conf. You need to remove the WAProxy IP address from reverse_proxies and add
it to the waproxy_proxies. You can also remove the waproxy_headers setting.
*** Fixed MySQL Max Connection Issues ***
WebADM 1.4.x introduced watchd, a WebADM daemon which actively monitors connectors for
server failover and high-availability. Watchd tests the services with TCP socket polling
and this mechanism has an issues with MySQL and MAriaDB servers. in WebADM 1.4.2, you
had to set max_connect_errors to a high value to overcome the problem. In WebADM 1.4.3
the watchd daemon performs full MySQL/MariaDB ODBC connections.
**************
*** v1.4.2 ***
**************
*** HSMHub Support ***
WebADM supports hardware encryption with locally-connected HSM devices or by using the
RCDevs' HSM server component (HSMHub). For large clusters (ex. with 4 or more servers),
it is now recommended to use the HSMHub server in order to limit the number of HSM
devices to be attached and maintained on each server.
*** High Availability and Cluster Limitations ***
Starting from WebADM v1.4.2, connector failover and clustering features are activated
only with a RCDevs' Enterprise license. The freeware version for up to 20 users does
not include these high availability Enterprise features anymore.
Also with the freeware version all end-user features are still available but:
- Failover connectors in servers.xml are ignored (only the first connnector is used).
- WebADM health check polling service (watchd) is not used.
- All clustering capabilities and session sharing are disabled.
**************
*** v1.4.0 ***
**************
WebADM 1.4 is a major upgrade of RCDevs WebADM server. It includes big changes to the
cluster implementation and bug fixes. This upgrade is recommended for installations
running in cluter mode.
*** Enhanced Cluster and HA Mechanisms ***
WebADM now uses a Redis NoSQL back-end for its shared data and running sessions in a
clustered environment. WebADM nodes include a new deamon which permanently monitors the
Redis nodes and dynamically manages their master/slave state. This mechanism is 100%
transparent and ensures the consistency of your system and the replication of any work
data across all the nodes in your cluster.
With WebADM 1.3.x, session replication was limited to 2 nodes. In WebADM 1.4 this sizing
limitation is dropped and the system supports up to 16 replicated nodes.
IMPORTANT: The session server port number in WebADM 1.4 has been changed from 11211 to
4000. You also need to adjust your session server configurations in conf/servers.xml.
And you may need to adjust your firewall rules in on order to allow the communication
between the cluster nodes on port TCP-4000. Without these configuration changes, your
WebADM cluster will NOT WORK correctly!
WebADM includes a new deamon called watchd which is responsible for checking the server
connector statuses in real-time. Watchd permanently tests the connections for all servers
declared in conf/servers.xml and informs WebADM about the current selection(s).
With Watchd running, your high-availability WebADM cluster is more efficient than ever
for dealing with automatic connector failover and dead-peer detection.
*** Admin Roles ***
WebADM has a new way to handle other administrators. Before, the other admins group(s) had
to be configured in webadm.conf. Starting from WebADM 1.4, other administrators are any
LDAP admin user which belongs to a WebADM 'Admin Role'. Admin roles are managed under the
'Admin' menu. The admin role object configuration provides very detailed administrator
access control with permissions based on LDAP objects, databases, config objects, WebADM
features and even applications's management features.
WARNING: Other administrators must still have the necessary permissions (ACLs) on the LDAP
server. If you use RCDevs Directory, please check you AdminRole definitions have matching
ACL definitions on your LDAP server configuration.
IMPORTANT: The WebADM OptionSet object has been re-designed and many of its features have
been moved to the AdminRole object. As a general rule, restrictions and constraints on a
tree branch like root context or quotas are defined in OptionSets. And user or group based
permissions are defined on AdminRoles. If you used other administrators in WebADM 1.3 then
review your OptionSet and AadminRole configurations after the upgrade.
*** Unified Log File ***
The two log files 'soapd.log' and 'httpd.log' are merged into one single log file called
'webadm.log' for more simplicity. All WebADM events (Admin, Manager, Web applications and
Web services) are now written to the 'webadm.log' file.
The common event format (CEF) for Splunk servers is now supported and can be activated by
setting 'log_format CEF' in conf/webadm.conf. When CEF format is used, both local file and
syslog events are provided in CEF format.
*** LDAP Load-Balancing ****
For large scale deployments (with more than 5.000 users), WebADM supports balancing the
LDAP requests. The load-balancing uses an intelligent routing mechanisms which always
selects the same set of LDAP servers for a specific user ID. The ensures that consecutive
read/write operations for a user are performed on the same back-end server(s) and also
overcomes issues with LDAP replication delays. Enabling LDAP balancing is not recommended
for small deployments.
You may activate the LDAP balancing mechanism by enabling the setting 'ldap_routing' in
conf/webadm.conf.
*** Online License Updates ***
WebADM includes a new (simplified) method for installing RCDevs server licenses. WebADM
is able to check if a license update is available online (on RCDevs servers) when you
activate the 'check_license' setting in conf/webadm.conf. This online check requires a
license to be already present.
**************
*** v1.3.2 ***
**************
*** Administrator / Manager Certificate Revocation ***
Administrator certificates' revocation is now enabled by default in WebADM. Login with
certificates is enabled when you have set auth_mode to PKI in your WebADM configuration.
In WebADM, the revocation of a login certificate is done by editing the administrator
or user account and removing the unused certificate(s) from the account attributes.
In previous versions the login certificates' revocation check was disabled by default
and enabled only if you configured the 'Check Certificate Revocations' in an OptionSet.
For security purposes, revocation checks is now always enabled and cannot be disabled.
if you use PKI login mode for Administrators and for the WebADM Manager interface, check
that the certificates used to login are correctly set in the underlying LDAP accounts.
If you cannot login after the upgrade with a message telling 'Certificate is revoked',
then temporarily switch to DN auth_mode in your webadm.conf to be able to login once and
renew your administrator certificate(s). At this time you can update the certificate(s)
in your Web browser and Manager client systems (if any).
*** PKI Authentication in WebApps ***
WebADM now fully supports PKI login in WebApps. PKI login options are included in the
last Self Service updates. Password Reset and Web SSO WebApps are PKI compliant too and
provide new login possibilities with user certificate as a complement to OTP and TiQR.
*** Admin Main Menu ***
WebADM 'Infos' menu has been changed to 'Admin'. Under the 'Admin' menu, administrators
have direct access to the WebADM main configuration topics (Domains, Trusts, Option Sets,
Mount Points, Applications and client Policies).
**************
*** v1.3.0 ***
**************
*** Hardware Cryptography with Yubico YubiHSM ***
WebADM supports HSM modules (currently Yubico's YubiHSM) in order to match the strongest
Enterprise security requirements. When enabled, hardware security complements the WebADM
software encryption transparently; very sensitive user data like Token seeds are encrypted
with HSMs whereas other (less sensitive) data are encrypted using WebADM software encryption.
This double encryption method has the advantage to provide the same level of efficiency
and security as with usual expensive HSM modules for a much lower cost. Our HSMs are less
than $500!
WebADM HSM implementation supports several hardware modules in failover and load-balanced
mode. Moreover the addition or removal of a HSM module is hot-plug. Like with the software
encryption, multiple HSM key handles can be used concurrently and the rollout of a new AES
hardware master key is supported.
The user data storage format has changed in WebADM 1.3 in order to support per-data format.
- Very sensitive data are stored with hardware encryption (more secure).
- Standard data are stored with WebADM software encryption (much faster).
- Non sensitive data are stored un-encrypted (accessible by other admins).
IMPORTANT: Upgrades from WebADM versions before 1.2.2 (January 2013) are not supported.
To upgrade from an older version please proceed as follows:
- Backup your LDAP user database and WebADM installation (/opt/webadm).
- Upgrade WebADM to the latest 1.2 version (ie. v1.2.7-3).
- Re-crypt any user data with the batch encryption tool in /opt/webadm/bin/encrypt.
- Upgare WebADM to version 1.3.0.
*** 40 Users Free ***
WebADM commercial applications such as OpenOTP and TiQR Server can now be used for free with
up to 40 activated LDAP users, without any restriction of functionality.
**************
*** v1.2.7 ***
**************
*** Active Directory Without Schema Extension ***
You have now two way to setup WebADM LDAP schema for Active Directory:
1) With the WebADM schema extension (preferred).
2) Without schema addition (re-use existing object classes and attributes as replacement).
This first option is preferred and WebADM will use the RCDevs IANA-registered Active
Directory attributes to store additional LDAP data in users and groups. The WebADM schema
addition is very minimal and is composed of 3 new object classes (webadmAccount, webadmGroup
and webadmConfig) and 3 new attributes (webadmSettings, webadmData and webadmType).
With the second option, WebADM does not make any addition to the Active Directory schema.
Instead the configuration WebADM is customised to re-use some existing object classes and
attributes.
Please read the WebADM Installation Manual and section 5.4.4 for details.
Configuration templates for AD >=2008 are available under the doc/ActiveDirectory/ directory.
*** Multilingual Support ***
WebADM includes support frameworks for multilingual WebApps. This feature is for future
WebApp releases and none the the RCDevs applications is currently translated.
Web Services support a 'lang=XX' HTTP parameter in the SOAP/JSON URLs to force a language
from the API (ignoring the user language in LDAP).
**************
*** v1.2.6 ***
**************
*** 35 Users Free ***
WebADM commercial applications such as OpenOTP and TiQR Server can now be used for free with
up to 35 activated LDAP users, without any restriction of functionality.
With previous version, freeware usage was limited to 25 activated users.
Note: Activated users are the users which are enabled in WebADM.
You can activate only a subset of users in your directories.
*** New Application Design ***
With this version and the next versions, WebApps and Web Services file structure is changed.
It uses a common structure where web application files, libraries, binaries, etc, are splitted
in specific folders. You also need to update all your applicatiosn to the latest versions or
use the all-in-one WebADM package.
*** Synchronous Cluster Replications ***
When your WebADM is deployed in cluster mode for high-availability purposes, all WebADM services
are redundant. An important WebADM service is the session manager: it's a network service used
by every node of the cluster to communicate and store user sessions, transaction locks,
distributed caches etc... With this update, the session manager data are replicated in real-time
between the two master nodes of your cluster. The replication is limited to two nodes, other
nodes being considered as un-replicated slaves.
**************
*** v1.2.5 ***
**************
*** New Encryption Modes ***
WebADM provides 3 methods for user data, application settings and inventory data encryption:
- No encryption: Sensitive data are not encrypted when your set encrypt_data to 'No' in your
webadm.conf configuration file.
- Standard Encryption: This is the default encryption mode when you set encrypt_data to 'Yes'.
In this mode any sensitive data is encrypted with the WebADM encrypt key.
This encryption uses AES-256 in CBC block cipher mode and PKCS#7 padding.
- Advanced Encryption: This mode is similar to the Standard mode but the encryption works per
object. Any encrypted data can also not be copied from one LDAP object to another. Also, LDAP
objects can not be moved or renamed out of WebADM without breaking the encryption.
You can safely upgrade this version as WebADM understands the previous encryption formats and
will transparently update your LDAP objects at runtime. If you used to manually create WebADM
user data manually out of WebADM please contact RCDevs for instructions.
*** Location and Time-based Policies ***
WebADM Domain and Client Policy objects are extended with new access policy features. It is
also possible to restrict user access per countries, IP networks and even access times.
The access times can be easily configured via a simple graphical week hours' selector.
With Client policies it is now possible to distinguish Web Services (Ex. OpenOTP) settings
when the users are connecting from the trusted internal networks. Note that for VPNs, this
feature requires non-standard RADIUS client capabilities.
**************
*** v1.2.4 ***
**************
*** Application Inventories ***
WebADM includes an inventory subsystem to be used by the registered applications like OpenOTP.
The inventory is intended to ease the management of large amounts of hardware resources like
OATH-OTP Tokens. OpenOTP hardware Token's registration is also possible by simply entering the
Hardware Token's serial number provided that the Token has previously been inventoried.
The inventory is accessible through the Database WebADM menu and provides WAPI functions for
the applications' access. Note that you need newer versions of Web Service and WebApp
applications which are compliant with WebADM WAPI 15. This includes:
- OpenOTP v1.1.1
- SelfDesk v1.0.12
- SelfReg v 1.0.10
The inventory data are encrypted in the database with the same AES master key which is used to
encrypt LDAP user data. Like for user data there is a per-item encryption and the inventory
Type and Reference fields are used as part of the encryption process. Changing one item's
reference also invalidates the encrypted item's data.
**************
*** v1.2.3 ***
**************
This major WebADM release adds new features like the the source address geolocalisation.
You should update all your WebApp and Web Service applications to the latest versions to
profit the new features.
*** User Geolocalisation and Location Policies ****
WebADM includes the GeoIP database from Maxmind (www.maxmind.com). With the latest versions
of OpenOTP and TiQR, it is also able to enforce country-based location policies on WebADM
Domain and Client Policy configuration objects.
NOTE: The WebADM SQL audit tables require a new "source" field. WebADM will automatically
detect the missing fields the next time you login to the Admin Portal as an administrator
and will propose to update the database schema. Please login to the Admin Portal immediately
after the upgrade to perform the database update.
*** Enhanced User Data Encryption ***
The encryption mechanism for the user data storage in LDAP uses a DataMode attribute since
v1.2.2. This DataMode tells WebADM if the user data is encrypted or not. In this new update
the DataMode format changed and includes the encryption mode used for the data and also the
CRC of the AES key which encrypted the data. This has the advantage that WebADM is now able
to detect if the configured encrypt_key is valid for the user data. And WebADM includes a
tool to decrypt, encrypt and re-encrypt in batch all the user data with a new encrypt_key.
IMPORTANT: Of course WebADM can read the previous DataMode format and will update it at
runtime. But after being updated, a previous versions of WebADM cannot read the new format.
Also, if you have a cluster setup, be sure to upgrade all your WebADM servers.
*** Support for unicode in the login DN with PKI login ***
WebADM login certificates now support any user DN with unicode characters. In case your
login certificate(s) would not work after the upgrade, just re-create the administrator
certificates from the Admin interface. You may need to switch WebADM to DN auth_mode in
/opt/webadm/conf/webadm.conf if you can't login with your administrator certificate.
**************
*** v1.2.2 ***
**************
This minor release has noticeable performance enhancements with the use of PHP-5.4 and some
code rewrites. It includes bug fixes for the LDAP/TLS connection failover and UTF-8 unicode.
*** Better User Data Encryption ***
This version adds more flexibility to the user data encryption in LDAP. WebADM will store a
new user metadata which informs whether the other metadata are stored encrypted or not and
optionally contains the encryption mode. With this information, WebADM can determinate the
data encryption status of LDAP metadata on a per-user basis and is able to work with encrypted
and unencrypted user data at the same time. It is also possible to activate data encryption
at some point without invalidating the existing user data.
WARNING: The new metadata will not be understood by the previous versions of WebADM which
will just fail at parsing the user data. If you work with cluster, be also sure to upgrade
all your cluster nodes at the same time.
*** Posix Groups support ***
You can configure the memberUID attribute(s) with the memberuid_attrs setting in webadm.conf
This setting enable the resolution of user group membership based on user IDs (uid). WebADM
is also able to resolve Posix groups membership natively.
*** System Log Enhancements ***
The httpd.log and soapd.log display the WebADM component name in use for the Admin portal
and the Manager interface (like with the applications' events). They will also include the
user session IDs in every log event.
Be sure to consider this change if you integrated with some third-party log parsing systems.
WebADM supports syslog auditing. To activate syslog, simply set log_syslog to 'Yes'.
**************
*** v1.2.1 ***
**************
This minor release add support for the upcoming RCDevs permanent licensing. You MUST upgrade
all your installed Web Service components (OpenOTP, OpenSSO, SMSHub and TiQR) to the latest
versions if you upgrade to WebADM 1.2.1!
WebADM includes a new QRCode generation API for the WebApps and Web Services. The new API is
written in C code and is also much faster. The new API is used by latest versions of OpenOTP
and TiQR Server.
Apple OpenDirectory and newer versions of OpenLDAP are now fully supported. WebADM is fully
compatible with the dynamic runtime configuration engine in OpenLDAP 2.3. Schema extension
is done through the graphical interface like with Novell or Active Directory.
**************
*** v1.2.0 ***
**************
This major release introduces the WebADM Remote Manager Interface. The Manager provides a
simple Json-RPC interface allowing remote access to WebADM internal management features and
to the opererations provided by the registered applications. The remote functions are performed
by sending RPC commands to the Manager URL.
Please look at the WebADM Administrator Guide for details on how to use the Manager Interface.
**************
*** v1.1.5 ***
**************
The LDAP users or groups configured in the super_admins and other_admins settings in the
webadm.conf file are now check during the WebADM graphical setup and at Admin login time.
WebADM will also prompt you for the automatic creation of any entry not existing in the
LDAP and it will create the corresponding group objects. Note that WebADM assumes non-existing
object are LDAP groups by default.
To avoid warnings and having a setup link displayed in the WebADM home page, you should also
remove any unwanted user/group from the super_admins and other_admins configurations.
With ActiveDirectory, you can set the LDAP DN of existing security groups for super_admins and
other_admins.
Some optimizations have been made to the configuration change's notification system in Cluster
installations. As part of the changes, the nodes will check the WebADM version in configuration
change notifications. Please be sure to upgrade all of your clustered servers if you run WebADM
in Cluster mode.
Please read the CHANGELOG file in /opt/webadm/ for details of changes in WebADM 1.1.5.
**************
*** v1.1.4 ***
**************
The "Extended Logs" application setting is now configured in the webadm.conf file with the
log_webapps and log_websrvs settings. And the "Enable Alerts" application setting has been
removed. SQL Alerts are always enabled and you can optionally activate email and SNMP alerts.
Please look at the webadm.conf.new file after upgrade and copy the relevant configuration
blocks to your webadm.conf file. The new configurations are:
# Enable extended logging to the httpd.log and soapd.log files (enabled by default).
# Records all WebApps and Web Service events to the httpd.log and soapd.log files.
log_webapps Yes
log_websrvs Yes
# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# and/or alert_snmp is defined, the alerts are also sent by email or SNMP.
#alert_email "me@mydomain.com"
#alert_snmp "public@myserver"
Please log in the WebADM Admin Portal and edit the configurations for all your registered
applications. Simply click the "CONFIGURE" and then "Apply" button to let WebADM remove the
unused settings from the configurations.
**************
*** v1.1.3 ***
**************
*** Administrator Groups ***
In this version, the super_admins and other_admins settings in webadm.conf can contain
LDAP groups of administrator users or individual administrators. In both cases you need
to set one or a list of LDAP DN (users or groups). This is very useful as you can now
control the users having access to the WebADM Admin Portal from the Web interface.
You can also create an LDAP group for your Super Administrators and one for your Other
Administrators and reference them in the webadm.conf file like this:
super_admins "cn=admin,o=root", \
"cn=super_admins,dc=WebADM"
other_admins "cn=other_admins,dc=WebADM"
With Active Directory, you can use Security Groups and your settings should look like this:
super_admins "cn=Administrator,cn=Users,dc=mydomain,dc=com", \
"cn=super_admins,dc=WebADM,dc=mydomain,dc=com"
other_admins "cn=other_admins,dc=WebADM,dc=mydomain,dc=com"
In this example, you would need to adjust the LDAP tree base DN (dc=mydomain,dc=com)
according to your own Active Directory tree base.
If you use OpenLDAP, you can update your server configuration in /etc/openldap/slapd.conf
or in /opt/slapd/conf/slapd.conf and add some ACLs for your WebADM access groups like this:
access to *
by dn="cn=webadm,dc=WebADM" write
by group="cn=super_admins,dc=WebADM" write
by group="cn=other_admins,dc=WebADM" write
by self write
by users read
by anonymous auth
After having configured your LDAP server, you will need to create the groups from the WebADM
Admin Portal and add your Administrators as group members.
Note: The WebADM access group members are cached. When you add or remove access group
members, you may need to restart WebADM or clear the WebADM cache (in the Infos menu).
IMPORTANT: In previous versions, you didn't need to specify the list of other_admins when
WebADM was configured with PKI auth_mode (in webadm.conf). Now any administrator must be
set in either super_admins or other_admins to be able to log in the WebADM Admin Portal.
*** SMTP Servers ***
You can now configure one or more SMTP mail server(s) in the conf/servers.xml file. WebADM
supports authenticated SMTP connections as well as SSL and TLS. If there is no SMTP server
configured, then WebADM will use the local Mail Transfer Agent like in previous versions.
All the Web Services and WebApps will also use the configureg SMTP servers to send emails.
**************
*** v1.1.1 ***
**************
*** Performance Improvements ***
This version has a better handling of UTF8 and multibyte strings. The changes requires
that you update your applications (OpenOTP, SelfDesk, SelfReg, OpenID) to their latest
available versions. The change provides a noticable overall performance improvement.
*** Security Improvements ***
The WebApp user sessions are now fully encrypted in the session manager for additional
protection. And the sensitive configurations are now encrypted in the internal cache in
shared memory.
*** Alert SQL Log ***
WebADM includes a new SQL Log for keeping a record of alerts. The Alert log table
is specifed in the conf/database.xml file. You need to replace yout database.xml file
with the database.xml.new after upgrade.
**************
*** v1.1.0 ***
**************
This version includes major functionality additions and optimizations.
*** Client Access Control and Client Policies ***
WebADM includes a new config object type (Web Service Client). You can now create a
client object having the name of a Web Service client ID. For example, you use the
client names as disaplayed in the WebADM log viewer for the client object names.
When a client is defined, any request from the corresponding client application (ex.
a VPN server with matching client ID), will obey to the defined client policy.
For a client, you can restrict users able to use the client application with allowed
and excluded group lists. And you can define some Web Service settings which will
always be enforced for the client. For example, you want the VPN to authenticate
users with LDAP+OTP passwords and Token, whatever policy is defined for the user.
*** LDAP Optimizations ***
- LDAP attribute prefetching: When a LDAP object is accessed, some common attributes
are always read to limit the number of LDAP reads per request.
- Group setting caching: User groups and group settings are cached for 5 minutes in
order to optimize group searches and user setting resolutions.
This has the side effect that user groups and group settings' changes may be delayed
for a maximum time of 5 minutes when used by WebApps and Web Services.
IMPORTANT: After upgrade, you must update your /opt/webadm/conf/webadm.conf file.
You must add the 'clients_container' mandatory setting where the other LDAP containers
are defined. Look at the webadm.conf.new for details.
At first login, WebADM will complain about setup not beeing completed. This is because
the clients_container object does not exit. Click the 'Setup' button to let WebADM create
the necessary LDAP objects.
IMPORTANT: If you had previously defined some WebADM Domains with a Required Group setting,
you will have to re-define the required group in the new Allowed Groups setting.
***************
*** v1.0.10 ***
***************
This version includes support for RCDevs Directory Server (DS). DS is an OpenLDAP-based
LDAP server optimized, packaged and pre-configured for WebADM and its applications.
Some attribute XML definitions were added in the /opt/webadm/conf/objects.xml file.
After upgrade, replace your objects.xml file wih the new version (objects.xml.new). If
you made modifications to your objects.xml, apply them to the new file.
This version includes a new licensing which allows up to 25 WebADM users to be used
with RCDevs commercial web servces and webapps (ex. OpenOTP).
Note that there is no user limitation for WebADM itself.
**************
*** v1.0.9 ***
**************
This version has many code enhancements, provides additional WebApp framework funtions
for OpenID and some minor bug fixes.
The WebADM HTTPD and SOAPD servers are now running under the same Apache instance, with
virtual hosts.
> Shared cache is now shared between both services.
> No more conf/httpd.conf and conf/soapd.conf required.
> Listener port configuration is customizable in the bin/webadm script.
**************
*** v1.0.8 ***
**************
The version 1.0.8 of WebADM has a new PKI client/server implementation. The PKI server
has now to be configured in the conf/servers.xml file. Please check the content of the
servers.xml.new file after an upgrade and update your server.xml accordingly.
The WebApps server has been modified and the default URL for a WebAPP is now:
> https://myserver/webapps/mywebapp/
instead of the old:
> https://myserver/webapps/index.php?webapp=mywebapp
The old URLs sill works for backward compatibility.
**************
*** v1.0.7 ***
**************
*** The webadmGroup Extension ***
The version 1.0.7 of WebADM includes a new webadmGroup objectclass in the default LDAP
schema.
In previous version, group settings had to be assigned to LDAP groups by adding the
webadmAccount extension to a group. It had the disadvantage that the webadmAccount
contains some attributes such as uid, webadmData, preferedLanguage or mail which have
nothing to do with groups.
The new webadmGroup extension contains only the webadmSettings attribute. This new LDAP
extension also provides easier manipulations of LDAP group settings from the WebADM
Administrator Portal.
This new functionality requires few configuration changes at the config files and LDAP
levels. When you upgrade from a previous version proceed with the following steps:
1) Copy the /opt/webadm/conf/objects.xml.new to /opt/webadm/conf/objects.xml.
Use command: 'cp /opt/webadm/conf/objects.xml.new to /opt/webadm/conf/objects.xml'.
The new object.xml includes the webadmGroup features required by WebADM for handling
the new extension.
2) Edit your /opt/webadm/conf/webadm.conf file and add the webadm_group_oclass setting.
Look at the /opt/webadm/conf/webadm.conf.new file and copy the setting from it but do not
replace your webadm.conf file with the .new file like in step 1.
3) restart WebADM. Log in and proceed with the proposed setup wizard.
The wizard will register the webadmGroup extension in your LDAP schema in one click.
4) If you have groups extended with the webadmAccount extension (for group settings),
then extend your groups with the webadmGroup by editing the groups (exactly like you
did for extending with the webadmAccount extension).
If you want to keep using your groups with the webadmAccount extension, then edit the
webadm.conf file and add the "webadmAccount" to the webadm_group_oclasses setting.
Example: webadm_group_oclasses "webadmGroup", "webadmAccount"
Note: You can remove the webadmAccount extension from groups by entering advanced edit
mode and remove the webadmAccount objectclass.
*** ActiveDirectory 2003 Support ***
WebADM 1.0.7 supports ActiveDirectory 2003 with some limitations. Like for AD 2008,
WebADM requires SSL connection to the directory. Refer to your AD documentation to
setup SSL for Active Directory.
WebADM does not handle LDAP extension the same way with AD 2003. The main consequence
is that the OpenOTP License user counting system will count all the users existing in
the registered WebADM domains as WebADM users. With 2008, only users extended with the
webadmAccount extension are counted.
Please contact RCDevs for further details about the limitation.
