2016 CalNet Releases

CalNet operates a complex suite of applications that support the Identity and Access Management functions of the University.  Below are CalNet releases from previous calendar years. Records of releases have been maintained on this website since March 2016. 

You can sign up to receive timely notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases and click JOIN.

Or, see current year CalNet Releases.


December 2, 2018, 8:00am

The nds.berkeley.edu certificate is expiring on December 6th, 2018.  Though this is now considered to be our legacy LDAP system we have several customers still using the cluster.  This may impact their applications if they are manually importing certificates into their application's key store. CMR: CHG0032146

Services Affected

  • nds.berkeley.edu
  • Any application still using nds.berkeley.edu

November 30, 2018, 7:00am

This release is an upgrade of the the test/qa instance of CAS to version 5.3.6.  This will enable customers to test the latest version of CAS on auth-test.berkeley.edu.  New features and improvements can be found  at https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-53-upgrade. CMR: CHG0032155

Services Affected

  • CAS auth-test

November 1, 2018, 7:30am

This release includes a variety of bug fixes; updates to system software; improvements to Registry Provisioning, SOR-Gateway Service, Active Directory, and CalNet Account Manager; and development on UC Path and the Cirrus guest app replacement. CMR: CHG0032080

Notable changes include

  • Users in grace can use CalNet Account Manager
  • Users in grace will be disabled but not deleted in Active Directory
  • Users with a lapsed but not terminated HCM record will receive regular grace period notifications
  • Guests will be able to use CalNet Account Manager to recover passphrase and change passphrase (new Guests will need to wait 24 hours after account creation before they can use this feature)

Services Affected

  • Registry Service
  • Registry Provisioning
  • SOR Gateway Service
  • CS Delegates
  • SOR Gateway
  • UC Path
  • Cirrus Guest App
  • CalNet Account Manager
  • CalNet Guest Accounts
  • Active Directory
  • Special Purpose Accounts


Tickets Resolved

Ticket Comment
CNR-1744 registry-service java.lang.IllegalArgumentException: null exception
CNR-1743 registry-service principal cannot be null exception
CNR-1748 CS delegate quartz job is running but doesn't appear to be doing anything in production
CNR-1737 UC Path: Get test env hooked up to ddodsdpt ucpath DDODS
CNR-1738 UC Path: Gain access to I-371 integration team's api-central REST endpoint
CNR-1753 UC Path: real time messages need to go through the match engine
CNR-1751 UC Path: Get test env hooked up to i-280 ihub endpoint
CNR-1731 UC Path: Add mock i280 SORObjects to registry-mock
CNR-1662 UC Path: Develop JMS consumer for expected format of real-time iHub messages for I-280 data
CNR-1752 UC Path: Write a script to invoke I-371 (request I-280) for a list of EMPLIDs
CNR-1750 UC Path: Send a UID message to uc path uid endpoint
CNR-1740 UC Path: Add PS_PER_POI_TRANS to DDODS query
CNR-1732 UC Path: Modify reg-prov-scripts to treat the i280 SOR as primary uc path SOR
CNR-1749 UC Path: IHub real-time messages currently contain " " (quotespacequote) for empty values. Need to convert these to nulls.
CNR-1665 UC Path: Modify BPR views to replace HCM with UC Path or augment views with UC Path data
CNR-1758 sor-gateway hash and query quartz jobs should not be executing service methods within log.info() call
CNR-1759 In sor-gateway incorrect calnetSorHashAndQuery.enabled check logic in hash and query quartz jobs
CNR-1761 UC Path: Improve the UcPath?AppointmentsJson.getUcPathAppointmentEffectiveStatus logic for future effective appointments
CNR-1725 UC Path: Mechanism for detecting desynchronization between DDODS and last i280 received
CNR-1762 Create mechanism in SGS to call the IHub UCPath I-371 (request msg) interface
CNR-1771

Cirrus: Create LDAP DownstreamObject for Cirrus guests and add GUEST-TYPE-SOCIAL to berkeleyEduAffiliations (this has changed to GUEST-TYPE-SPONSORED as of March 2019).

CNR-1776 Cirrus: Add sponsorUid to LDAP
CNR-1774 Cirrus: Need to pay attention to the guest end date in the Cirrus JSON
CNR-1763 Cirrus: Add Cirrus SORObject processing to registry-provisioning-scripts
CNR-1766 Cirrus: Add an Identifier type for the Cirrus primary key
CNR-1767 Cirrus: Add an IdentifierType for the Cirrus accepted invitation ID
CNR-1765 Cirrus: Add an IdentifierType for Cirrus Guest Sponsor UID
CNR-1718 Cirrus can't provide sponsorUid, only sponsorEppn (calnetId), in the messages they pass back -- convert eppn to uid as early as possible on our end
CNR-1768 Cirrus: Add an IdentifierType for Cirrus Guest Sponsor EPPN
CNR-1769 Cirrus: Add a cirrusGuest role
CNR-1770 Cirrus: Set primaryOU to ou=Guests
CNR-1772 Cirrus: Add person name from Cirrus JSON to PersonName table
CNR-1773 Cirrus: Add personal (social) email address to Email table
CNR-1722 Latest Apache HttpClient versions, included in recent Grails/SpringBoot apps, break REST HTTP Digest authentication
CNR-1622 Remove commas from the calnet sor person identifier in the CalNet SOR Person tool for a better copy and paste experience
CNR-1782 Create a batch job to reprovision people where current date > ASGN_END_DT
CNR-1784 AD: In-grace people should be disabled in AD, not deleted
CNR-1781 Upgrade SGS to Atomikos 4.0.6
CNR-1780 Upgrade to Camel 2.21.2 and ActiveMQ 5.15.5 within Grails plugins for BIDMS
CNR-1727 Create spa registry account/credentials and grant role to sorObjects endpoint for SPA SOR
CNR-1786 UC Path: Add support to SGS for querying multiple DDODS instances
CNR-1787 UC Path: Add support to SGS to listen on multiple UC Path real time message queues
CNR-1788 Make best effort in determining if person has employee or student in-grace roles during IdentifierBuilder phase and mark identifier as active if so
CNR-1790 In registry-provisioning-scripts legacy SIS role builder, remove anything looking at stale legacy SIS term data
CNR-1791 Confirm a legacy guest can use CAM to change or reset passphrase once legacy system has provisioned Guest to LDAP
CNR-1792 Get CAM forgot passphrase working for legacy guests
CNR-1793 Remove Change Personal Email Address functionality for legacy guests in CAM
CNR-1794 Remove Change CalnetId functionality in CAM for legacy guests
CNR-1783 registry-provisioning needs Spring Security authn/authz added for url protection

October 31, 2018, 6:00am

This release is a migration of the ldap.berkeley.edu LDAP service to DS 6.0.  This is a major upgrade to the LDAP server software and will complete our migration to the latest version.  In addition to this upgrade the LDAP SSL public certificate will change.  It will be important for developers whose applications do not trust the Comodo root CA to update their applications manually.  We will post the new certificate ahead of the upgrade. CMR: CHG0032027

Services Affected

  • LDAP

October 24, 2018, 6:00am

This release is a migration of the dir.calnet.berkeley.edu LDAP service to DS 6.0.  This is a prerequisite step to change CHG0032027.  This upgrade will allow us to implement the updated certificate and test the latest LDAP server software upgrade on the cluster that will become ldap.berkeley.edu on October 31. CMR: CHG0032031

Services Affected

  • LDAP

October 18, 2018, 9:30pm

Users going in to grace starting will continue to be required to 2-Step until they expire or move to ADVCON. Users in ADVCON who are currently doing the 2-Step will no longer be required. CMR: CHG0032049

Services Affected

  • CalGroups
  • 2-Step

October 1, 2018, 10:00am

The Access Control Instruction (ACI) for the anonymous bind account will be changing starting on October 1, 2018. Currently the ACI permits access to many attributes [1] anonymously, but starting October 1, 2018, access to the berkeleyEduAffiliations attribute will be removed. After further review by various campus security and functional units, further access restrictions are likely to happen at a later date. See Changes to LDAP Binds for more information. CMR: CHG0031961

Services Affected

  • LDAP

September 30, 2018, 8:00am

This release is to upgrade the nodes behind the dir-auth LDAP cluster to DS 6.0, apply OS security patches, and apply a new SSL certificate.  These nodes support CAS and Shibboleth. CMR: CHG0032023

Services Affected

  • LDAP
  • CAS
  • Shibboleth

September 28, 2018, 7:30am

This release fixes a bug that is causing accounts in grace to be deleted in AD. This will require a Tomcat restart, which will result in an outage of appox. 30 seconds. CMR: CHG0032030

Services Affected

  • Active Directory
  • Registry-p1
  • SOR Gateway Service
  • Berkeley Person Registry

September 26, 2018, 9:oopm

This release is a routine patch of the OS/JVM on the CalNet Grouper and Shibboleth VMs. CMR: CHG0032009

Services Affected

  • CalGroups
  • Shibboleth

September 25, 2018, 7:00am

This release is a change to the CAS screen for students not enrolled in 2-Step, and changes to CalGroups to support the last step of the Student 2-Step project. CMR: CHG0032016

Services Affected

  • CalGroups
  • CAS

September 20, 2018, 6:30am

This release is an upgrade to the nodes behind the dir-bpr LDAP and application of OS security patches. CMR: CHG0032001

Services Affected

  • LDAP
  • Berkeley Person Registry

September 19, 2018, 8:30am

This release is a routine OS patching for RHEL for dir-os-p* VMs at SDSC. CMR: CHG0032007

Services Affected

  • LDAP

September 5, 2018, 6:00pm

This release is a reboot of calnet-p2/net-auth-p2 to install a new OS kernel. It will primarily impact users of the krbsync pw sync to AD tool. A brief (< 5 min) outage will occur. Any adverse risk is low since the change can be reverted quickly if needed. CMR: CHG0031976

Services Affected

  • Active Directory

August 30, 2018, 8:30pm

We will apply OS patches and also apply a required certificate update on the Apache ActiveMQ server used by CalGroups and the Berkeley Person Registry. - Changes made to CalGroups during this maintenance window may be slightly delayed to downstream systems (eg AD, Google).  Changes will resume after AMQ is back up. CMR: CHG0031963

Services Affected

  • CalGroups
  • Berkeley Person Registry
  • Downstream systems

August 26, 2018, 9:00pm

This release updates  2-Step notification CAS UI for students not enrolled in 2-Step. CMR: CHG0031967

Services Affected

  • CAS Login Screen

August 24, 2018, 3:30pm

This emergency release includes security patches for the OS as well as a revised krbsync app. CMR: CHG0031962

Services Affected

  • Active Directory

August 9, 2018, 6:30am

This substantial release includes updates and bug fixes to many CalNet services, as well as updates to CalNet's UC Path development. CMR: CHG0031910

Services Affected

  • Active Directory
  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry
  • Registry Service
  • SOR Gateway Service
  • UC Path

Tickets Resolved

Ticket Comment
CNR-1515 Modify registry-service to call bidms-downstream AD change password REST endpoint at the same time it calls krbservice to set Kerberos password
CNR-1591 Resolve all duplicate calnetIds in our systems
CNR-1598 There may be reg-serv, CAM or CAT Quartz jobs that need to be disabled on bpr-t2
CNR-1623 Upgrade everything to Grails 3.3.x
CNR-1631 merge delete SORObject cascade exception
CNR-1647 Sync BPR display name changes to AD
CNR-1653 no more ou=students, send students to fsa
CNR-1654 ActiveMQ Derby transaction log is growing beyond what it should
CNR-1658 For ActiveMQ, get embedded Derby listening on a network port so we can connect to it externally with the Derby client
CNR-1659 delete expired people out of AD
CNR-1660 UC Path: Build UC Path DDODS queries
CNR-1661 UC Path: Add UC Path DDODS queries to Sor Gateway Service
CNR-1668 UC Path: Once HCM identifier name becomes known in external_identifiers, modify sor-key-data-extractor to parse out
CNR-1670 UC Path: Create IdentifierTypes for different UCPath environment EMPLIDs
CNR-1671 UC Path: Add berkeleyEduUCPathID and berkeleyEduUCPathDevID to dev LDAP schema
CNR-1672 UC Path: Add UCPath EMPLID to identifiers (crosswalk) service for different UCPath environments
CNR-1673 UC Path: Modify registry-prov-scripts to provision UCPath EMPLID to Identifiers table
CNR-1674 UC Path: Modify reg-prov-scripts to add berkeleyEduUCPath<ENV>ID to the LDAP DownstreamObject JSON
CNR-1675 UC Path: Investigate which HCM table has values that end up in employee berkeleyEduAffiliations in LDAP
CNR-1678 UC Path: Add mock UCPath DDODS SORObjects to registry-mock
CNR-1679 UC Path: Need to add DDODS "source" to DDODS SORObjects
CNR-1680 UC Path: Find out how HCM APPT_TYPE and ORG_NODE are going to be converted in UC Path
CNR-1681 UC Path: Modify reg-prov-scripts to add ucPathIds to Identifiers table
CNR-1682 UC Path: Figure out overall isActive logic for the UC Path Identifier
CNR-1683 UC Path: Figure out primary job logic
CNR-1684 UC Path: Add PS_UC_LL_EMPL_DTL to query for UC_HOME_DEPT_CD
CNR-1685 UC Path: Add PS_UC_JOB_CODES to query for UC_FACULTY_INDC
CNR-1686 UC Path: Replicate the EDW CUR_REC_FLAG for UC Path JOBS by adding an IS_EFFECTIVE flag
CNR-1687 UC Path: Need to figure out how future-dated appointments are presented in UC Path: EFF_DT/EFFSEQ?
CNR-1688 UC Path: Possibly add PS_PRIMARY_JOBS to query for PRIMARY_FLAG
CNR-1689 UC Path: The methods in reg-prov-scripts UcPathUtil need to be extensively tested with UC Path sample data
CNR-1690 UC Path: Add a CAMPUS_SOLUTIONS_STUDENT_ID identifier to Identifiers table and to identifiers service
CNR-1693 Start-of-grace email that goes out is showing the start of grace date to be one day earlier than it should
CNR-1694 UC Path: Need to enable the isActive logic in registry-sor-key-data
CNR-1695 UC Path: Build list of tables being queried so that service acct access can be requested for these tables
CNR-1697 UC Path: rps DOB builder
CNR-1698 UC Path: rps job builder
CNR-1699 UC Path: rps role builder
CNR-1700 UC Path: Add employee class roles based on the EMPL_CLASS codes and descriptions
CNR-1701 UC Path: Logic to turn UC Path state into LDAP berkeleyEduAffiliations and part of masterAccountStatus calculation
CNR-1702 AD renaming errors on certain type of entries
CNR-1703 change log message when receiving a CS EMPLID change message and the SORObject remains unchanged
CNR-1704 UC Path: reg-prov-scripts UcPathTypeMapper needs to gain awareness of UCPath POI/CWR affiliate types
CNR-1705 UC Path: Add documenting comments to top of the UcPathRoleBuilder.build() method
CNR-1706 UC Path: reg-prov-scripts needs to set title code and deptartment attributes in LDAP sourced from UCPath
CNR-1708 UC Path: In reg-prov-scripts PersonRoleExecutorSpec there are some commented out ucpath test cases that need to be looked at
CNR-1715 bidms-downstream AD CANT_ON_RDN error
CNR-1716 reg-prov-scripts: Set samAccountName to uidUID# for anybody with "system" as calnetId as this is not an allowed samAccountName
CNR-1720

Suppress noisy "Purging orphaned entry" messages in sor-gateway-service log


August 8, 2018, 9am

Unneeded Access Control Instructions (ACIs) have a negative impact on performance, so we are removing several from the OpenDJ production LDAP tier. This requires no downtime for the affected hosts.

Services Affected

  • CalNet systems such as CAS and Shibboleth,and BPR

August 1, 2018, 7:00am

We will be removing access to affiliations from anonymous LDAP binds on August 1, 2018. This will improve the security of anonymous searches. Click here to find out how this impacts your service. CMR: CHG0031713

Services Affected

  • All campus applications that use an anonymous LDAP bind

Tickets Resolved

TicketComment

LDAP-3

Update ACI for anonymous binds


Jul 24, 2018, 4:30pm

This release is a patch to CalGroups. The service will remain up while the patching happens, since the servers are redundant. Potential affected users are campus employees. CMR: CHG0031888

Services Affected

  • CalGroups

Tickets Resolved

Ticket Comment
CG-168 Install CalGroups Patch

May 29, 2018, 6am

This release will update the OS and JVM for the BPR stack (registry-p1, amq-p1, bpr-p1). This will result in a brief 5-min outage for public CalNet applications such as  CalNet Account Manager (CAM). CMR: CHG0031688

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

May 23, 2018, 5:30pm

This release includes updates to language in account lock/unlock and new account/change ID screens in CalNet Admin Tool and CalNet Account Manager. CMR: CHG0031701

Services Affected

  • CalNet Admin Tool
  • CalNet Account Manager

TicketComment

CM-427

Update language in account lock/unlock messages

CM-424

Update account language in Create ID and Change ID screens to reflect auto bMail provisioning


May 21, 2018, 5:15pm

This release changes the way affiliations are filtered in CalNet Account Manager. CMR: CHG0031704

Services Affected

  • CalNet Account Manager

Tickets Resolved

TicketComment

CNR-1692

Filter affiliations list in CalNet Account Manager


April 4, 2018, 7am

This release includes bug fixes and upgrades to the CalNet stack and changes to AD provisioning scripts. CMR: CHG0031553

Services Affected

  • Berkeley Person Registry
  • Active Directory

Tickets Resolved

TicketComment

CNR-1650

Turn off ActiveMQ journal

CNR-1611

Fix regression on the performance of an individual ldapSync queue message consumption

CNR-1595

Fix bidms-downstream provision changed identities quartz job exception

CNR-1651

A registry-model uniqueness exception is now getting thrown

CNR-1644

Stop BPR provisioning of SPAs to AD


March 26, 2018, 5am

During the 5 to 5:15 am window a 5-min outage of all CalNet services (CAS, Shib, LDAP, etc.) will occur as firewall services are migrated. CMR: CHG0031513

Services Affected

  • CAS
  • Shibboleth
  • LDAP
  • Berkeley Person Registry

Tickets Resolved

Ticket Comment

OPS-401

Move CalNet networks from ASA to Palo Alto firewall service.


March 16, 2018, 6am

This release updates the target date on the 2-Step notification CAS UI. CMR: CHG0031507

Services Affected

  • CAS Login Screen

March 14, 2018, 5pm

This release was completed on March 15, at 7am. It included updates and new functionality to CalNet Account Manager and CalNet Admin Tool. CMR: CHG0031508.

Services Affected

  • CalNet Admin Tool
  • CalNet Account Manager
  • Berkeley Person Registry
  • bConnected

Tickets Resolved

Ticket Comment
CNR-1641 Add database constraint to enforce that CREDMGMT (and LDAP/AD) sorObjKeys must match the uid
CNR-1620 Modify CalNet SOR Person tool to trigger a provision for newly created or updated accounts
CAT-163 Call bConnected API to lock Google account when CalNet account is locked
CAT-165

Create new CAT User Role


March 7, 2018, 5pm

This release is a patch to the Active Directory provisioning code.  CMR: CHG0031506.

Services Affected

  • Active Directory

Tickets Resolved

Ticket Comment
CNR - 1640

AD provisioning change


March 4, 2018, 6am

This release contains regular updates for the nds-p* nodes in the ldap.b.e cluster, including patches for OpenDJ, OpenJDK, and RHEL. CMR: CHG0031454

Services Affected

  • Users of the ldap.b.e cluster

February 24, 2018, 6pm

This release resolves a known issue in which new AD accounts are not getting enabled when CalNet account is claimed. CMR: CHG0031477

Services Affected

  • Active Directory

Tickets Resolved

Ticket Comment
CNR - 1634 Reports of userAccountControl in AD not going active when account goes active

February 21, 2018, 6am

This release updates the URL for the sign-up link on the 2-Step notification CAS UI. CMR: CHG0031464

Services Affected

  • CAS Login Screen

February 15, 2018, 6am

This CAS release updates the notification message displayed by the auth.b.e cluster for 2-Step Cohort 1 not yet in CalNet 2-Step. CMR: CHG0031451

Services Affected

  • CAS Login Screen

February 13, 2018, 7am

A Tomcat restart is required to change configuration to enable Two-Step during account claim for anyone in the RequiredMinusExemptFromReq group. CMR: CHG0031456

Services Affected

  • CalNet Account Manager

February 06, 2018, 7am

In this release, Berkeley Person Registry will start provisioning records to CalNet Active Directory. CMR: CHG0031380

Services Affected

  • Berkeley Person Registry
  • All services that use CalNet Active Directory (AD)

February 03, 2018, 7pm

This release includes updates to CalNet Account Manager and Registry Service in support of the 2-Step project. CMR: CHG0031410

Services Affected

  • account-manager
  • bidms-downstream
  • calnet-admin-tool
  • calnet-people
  • registry-match-service
  • registry-provisioning
  • registry-service
  • registry-sor-gateway
  • ucb-match

Tickets Resolved

Ticket Comment
CM-403 Modify 2-Step page in CAM to remove opt-out
CM-404 Create workflow for requiring 2-Step of new employees during account claim process
CM-406 For a non-mandatory two-step enroller, the get backup passcodes button remains greyed out (disabled) even after adding a device
CM-408 Modify BPR QA environment to use group-test instead of production grouper
CM-409 Modify CAM to also consider HCM affiliations along with Allow2StepUserTest membership
CM-410 CAM two-step needs more complete audit logging
CM-411 CAM two-step needs to show end user decent error messages when duo or grouper services fail
CM-412 Unable to type in "Create your CalNet ID" field
CM-413 Ability in CAM to mock Grouper for test environments by bypassing it and going directly to LDAP
CM-415 Make requiring employees to two-step during claim configurable and turn it off for now
CNR-1369 Convert to using central Tomcat JNDI database connection pool to stay under our PostgreSQL connection limits
CNR-1589 bypass-the-match-engine queue is throwing exception in reg-prov
CNR-1629 Every project needs its version and group put into gradle.properties
CNR-1630 Publish WAR files to Maven repo for all BIDMS web applications
WA-55 Create a calnetSwitch to replace buggy bootstrapSwitch


February 1, 2018, 6am

The legacy auth-key.berkeley.edu (Second-level) CAS server will be turned off. This legacy server has been replaced by CalNet 2-Step Verification. CMR: CHG0031248.

Known Services Affected

  • OSCAR II

February 01, 2018, 6am

This release will be an upgrade to the CAS server cluster (auth.b.e) to the Apereo CAS release (5.0.10) with some custom UC Berkeley mods. This affects all CAS- and Shibboleth-integrated apps.

Update: The new version of CAS is now up in auth-test. It is a minor change that should not affect any existing integrations, but we recommend testing your applications well before February 1 to be certain it functions as anticipated. CMR: CHG0031216

Services Affected

  • CAS
  • Shibboleth

January 9, 2018, 9pm

This release is a patch of CalGroups servers. Since the servers are redundant, there will be no user level outage on CalGroups, however, there will be a brief lag in syncing updates to LDAP, AD, and Google. Affected user base will be employees. Affected systems are SPA Admin app and MyCalNet, related to CalNet 2-Step. CMR: CHG0031223

Services Affected

  • CalNet Account Manager
  • SPA Admin App
  • CalGroups

January 04, 2018, 7am

On 1/4/18, the reset passphrase token app will require CalNet 2-Step to log in. CMR: CHG0031275

Services Affected

  • Token app

December 13, 2017, 8am

In this release, the option to automatically send a push to a phone will be disabled since it prevents users from enabling the Remember Me option. CMR: CHG0031246

Services Affected

  • CalNet Account Manager
  • SPA Admin App
  • CalGroups

November 27, 2017, 6am

Apply security and other updates to the OS and JVM for the BPR prod tier (amq-p1, registry-p1, and bpr-p1). A brief outage while systems are restarted will be required during the maintenance window. CMR: CHG0031177

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

November 15, 2017, 5am

The Berkeley Person Registry postgres database will be upgraded on 11/15/17, 5am.  Outage expected from 5am-6am. Additional details forthcoming. CMR: CHG0031129

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool
  • CalNet Crosswalk

November 6, 2017, 9pm

We will be upgrading the OS and the Shib-Cas plugin. It will be a rolling upgrade, so no downtime is expected. The Shibboleth IDP service is used by the entire campus for access to apps like Google, Box, and CalTime. CMR: CHG0031116.

Services Affected

  • Shibboleth

Tickets Resolved

TicketComment
OPS-385

Upgrade Production Shibboleth IDP


November 1, 2017, 7am

CalNet 2-Step required for all IST employees and users of CAT effective November 1, 2017. CMR: CHG0031128

Services Affected

  • CAS
  • CalNet Admin Tool

October 29, 2017, 6am

Perform a rolling patch and upgrade to the RHEL 7.x OS, OpenJDK JVM, and OpenDJ LDAP servers dedicated for use by CAS and Shibboleth. CMR: CHG0031096

Services Affected

  • CAS
  • Shibboleth

Tickets Resolved

TicketComment
OPS-384

Upgrade OS, JVM, and OpenDJ for dir-auth.calnet.1918.b.e cluster


October 25, 2017, 7am

This release includes upgrades to how CalNet sets passphrases, CalNet Account Manager, Grails 3.2.11, registry provisioning, work in support of a new AD structure, and changes to how records are consolidated. Changes released to QA 10/9/17.CMR: CHG0031112

Services Affected

  • CAS
  • CalNet Admin Tool
  • CalNet Account Manager
  • LDAP
  • Berkeley Person Registry
  • SOR Gateway Service
  • Registry Service

Tickets Resolved

Ticket Comment
CM-386 Passphrase work
CM-387 Modify CAM to use the new bidms-credential-policy plugin that centralizes passphrase validation
CM-389 Passphrase related to CAM
CM-391 CAM is giving generic "system error" 
CM-394 Change CAM Menu text
CM-395 CAM Lib update
CNR-1367 Provision from BPR to Active Directory
CNR-1415 SGS needs to set uid on LDAP and AD SORObjects rather than waiting until LdapSync does it
CNR-1497 Add a configuration item to enable/disable AD provisioning in bidms-downstream
CNR-1498 Add a configuration item to enable/disable creation of AD DownstreamObjects in registry-provisioning-scripts
CNR-1504 immediate entryUUID retrieval is not working in prod after an insert or rename
CNR-1518 Create "dynamic attribute" feature for bidms-connectors
CNR-1532 Bug in reg-prov-scripts for AD where dn.ONCREATE has "CN=null" in it for uids with no name
CNR-1536 bidms-downstream provision changed identities quartz job is throwing an exception
CNR-1537 Need ability in reg-prov to create AD downstreamobjects but not send messages to downstream AD queue
CNR-1538 When setting AD DownstreamObject userAccountControl DISABLE, TrackStatus lock flag is being checked, but what about Person.isLocked?
CNR-1540 Access to bidms-downstream quartz/list web page is being denied
CNR-1541 AD userAccountControl has to be 546, not 512, on CREATE for active users
CNR-1542 Check for invalid characters in AD CN since it's part of the DN
CNR-1544 Remove primaryGroupID from AD DownstreamObject
CNR-1545 Remove guests from list of users provisioned to AD
CNR-1546 Set AD CN to Display Name (UID)
CNR-1547 CS SORObjects have some badly-structured JSON in them
CNR-1548 CAT and CAM can no longer download Bower assets
CNR-1549 Improve the performance of CredentialTokenService
CNR-1551 CAT and CAM are trying to use same Greenmail ports in dev and test environments
CNR-1564 SGS REST endpoint that serves same purpose as JMS SORObjectJSONQueue
CNR-1569 Add audit logging support to registry-provisioning NewUidController and ProvisionController
CNR-1573 SGS endpoints need to be protected with spring security
CNR-1575 mleefers requesting AD street address go into a different attribute
CNR-1576 mleefers requesting two-letter instead of three-letter country code
CNR-1577 Modify registry-match-service triggerMatch endpoint to return uid if it's assigned
CNR-1578 need to proxy SGS sorConsume REST calls through registry-service for networking security reasons
CNR-1579 When deleting entries, bidms-connectors LDAP needs to check for and delete "subordinate" entries
CNR-1580 match-service triggerMatch endpoint needs to recognize synchronousDownstream=false
CNR-1581 Support sending uid in the JSON payload in the sorObjects controller to match new sorObjects with existing uids
n/a upgrade to Grails 3.2.11
n/a Passphrase work
CM-400 Updates to change ID email language

October 6, 2017, 7:30am

This release prevents enablement of CalNet 2-Step with a smart phone until after the Duo Mobile App has been verified to have been installed on the smart phone. CMR: CHG0031064

Services Affected

  • CalNet Account Manager
  • Duo 2-Step

Tickets Resolved

TicketComment
CM-399

Update hasDevices logic to make sure Duo account is active.


September 19, 2017, 6:00pm

This release updates the merge function in CalNet Admin Tool. CMR: CHG0031005

Services Affected

  • CalNet Account Manager
  • Registry Service

Tickets Resolved

TicketComment
CAT-169

During merges, don't copy delete.credmgmt.calnetId if keep.ldap.beKerbPrincStr is present


September 14, 2017, 6:00pm

This release fixes a bug and updates the CalNet Admin Tool. CMR: CHG0030992

Services Affected

  • CalNet Account Manager

Tickets Resolved

TicketComment
CAT-154

Enable X-FORWARDED-FOR header for auth.calnet.b.e

CAT-157

CAT needs modifications to work with latest ucb-spring-security-cas-ldap

CAT-158

Error when consolidating records in CAT


September 9, 2017, 9:00am

We will be changing our SLB config to allow HTTP templates for the Auth.b.e VIP. We will give ourselves a 30 min window to do the work, and there will be a few seconds downtime as the SLB saves and responds to the new configuration. The change will happen Saturday morning, September 9, from 9 - 9:30 am. This affects any server using the campus SSO and the entire campus population. This change was tested successfully with the SDSC DR and BR CAS cluster. CMR: CHG0030879

Services Affected

  • CAS

Tickets Resolved

TicketComment
CAS-5

Enable X-FORWARDED-FOR header for auth.calnet.b.e


August 26, 2017, 6:00am

To support new CalNet 2-Step users starting Monday, a new CAS server build with help text for Duo 2-Step is deployed. CMR: CHG0030956

Services Affected

  • This affects all CAS users, but the change is only additional help text show at the Duo 2-Step prompt.

August 10, 2017, 7:00pm

This release includes fixes and updates to CalNet Account Manager and CalNet Admin Tool as well as an upgrade to Grails 3.2.11. CMR: CHG0030913

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

Tickets Resolved

TicketComment
CAT-154

CAT is displaying a "null" in the list of affiliations for all records.

CM-384

Update 2-Step Email notification to stop Google Phishing warning.

CNR-1454

New employee can't claim CalNet ID

N/A

Upgrade to Grails 3.2.11


July 28, 2017, 3:00pm

This release replaces the CalNet OpenIDM. OpenIDM will be turned off and Downstream Provisioner will write directly to LDAP. CMR: CHG0030864

Services Affected

  • SOR Gateway Service
  • Registry Provisioning
  • Registry Provisioning Scripts
  • Downstream Provisioner
  • OpenIDM
  • LDAP

Tickets Resolved

TicketComment
CNR-1419

Replace OpenIDM with a new downstream provisioning system

CNR-1490

If in grace but affiliations are unknown, set primaryOu to existing LDAP ou 

CNR-1493

DownstreamProvisioningRESTClientService.provisionUid is throwing exceptions 

CNR-1494

sor-gateway DailyHashAndQueryJob is throwing exception 

CNR-1492

bidms-downstream LDAP schema violation exceptions 

CNR-1495

Registry-d1 sor-gateway is throwing a start-up exception related to oracle db connection 

CNR-1489

Removal of calnetId is causing an exception in registry-provisioning-scripts 

CNR-1476

bidms-downstream is reporting bad avg batch time values in the timing statistics 

CNR-1477

bidms-downstream sometimes can't find uid in LDAP but when a LDAP write is attempted, NameAlreadyBoundException is seen 

CNR-1484

bidms-downstream seeing OpenDJ errors sometimes with namespace changes 

CNR-1464

Change capitalization to berkeleyEduUnitHRDeptName in DownstreamObject JSON 

CNR-1465

Don't send audit log entries to the app log, as it's already logged in audit log file 

 CNR-1466

Create DownstreamObjects for LDAP namespace entries 


July 26, 2017, 6:00am

This release will patch the production MIT Kerberos cluster. A brief outage of about 1 minute per node will occur. Some Kerberos clients will automatically fail over to the slave KDC when this happens. CMR: CHG0030836

Services Affected

  • CAS

July 19, 2017, 6:00am

This release will update OS to RHEL 7.x and latest application libraries on the calnet.b.e web server, which includes the Directory Update Application. CMR: CHG0030822

Services Affected

  • Directory Update Application

July 18, 2017, 7:00am

This release fixes an error in the CalNet Admin Tool and also changes what information is displayed in the tool. CMR: CHG0030863

Services Affected

  • CalNet Admin Tool

Tickets Resolved

TicketComment
CAT-133  Delete "Empl ID" field from basic info
CAT-150 Remove OU from CAT
CAT-152 CAT Throwing a MissingProperty Error

July 12, 2017, 6:00am

This release will patch RHEL 6.x and the JVM for the idc.b.e application cluster. CMR: CHG0030818

Services Affected

  • CalNet self-service applications on the idc.b.edu cluster, such as Guests, SPAs, and Access Keys

June 28, 2017, 6:00am

This release reconfigures the CAS auth.b.e servers to not do SSO for the base /cas/login URL if no service parameter is provided. This change is considered a security best practice. CMR: CHG0030793

Services Affected

  • All campus CAS users, especially those using 2-Step Verification

June 21, 2017, 6:00am

This release is a rolling upgrade of the production CAS Server to fix intermittent degradation of service due to load and a known bug in the 5.0.4 server. CMR: CHG0030785

Services Affected

  • CAS

June 15, 2017, 6:00am

This release is a rolling upgrade of the production CAS Server cluster to release 5.0.6 with bug fixes and some additional custom UI fixes. CMR: CHG0030749

Services Affected

  • CAS
  • Shibboleth

June 12, 2017, 6:00am

In this release, CalNet will migrate net-auth.berkeley.edu to RHEL 7.x from 5.x. 15-min planned outage affecting campus customers of the Berkeley Person Registry identity management applications CalNet Admin Tool and CalNet Account Manager. CMR: CHG0030742

Services Affected

  • net-auth.berkeley.edu
  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

June 8, 2017, 2:00am

This release includes updates to CalNet Account Manager. Changes to CAM will be visible only to users who have been granted access to CalNet Two-Step beta testing. CHG0030750.

Services Affected

  • CalNet Account Manager

Tickets Resolved

Ticket Comment
CM-344 2FA Login
CM-345 Pilot implementation of 2FA admin iFrame
CM-351 Add page headers to CAM pages
CM-352 2FA documentation
CM-353 Restrict who can see 2-Step Verf in the menu
CM-354 2-Step form edits for the instructions
CM-356 Changes to 2-Step Form Based on User Feedback
CM-357 Turn on 2-Step Switch Automatically
CM-358 Do not ask for pw on the 2-Step Switch
CM-359 Don't ask for pw on the Get Backup Passcodes request
CM-360 Get Backup Passcodes Screen Changes
CM-361 2FA Form Format and Color Changes
CM-362 Changes to New Enrollment Instructions
CM-363 Change 2-Step Switch Title
CM-364 Changes to Manage Your Devices - Help Text
CM-367 Send email when generating backup codes
CM-368 Add link to privacy statement in the footer
CM-370 Change language on passphrase reset screen
CM-371 reduce UC Berkeley logo
CM-372 Delete numbers on the items in the Help Section
CM-373 2 Step Switch Format Change
CM-374 Backup Passcodes Format Change
CM-375 Reduce Duo iFrame height
CM-376 Add line spaces
CM-377 2 Step Switch Confirmation Messages
CM-378 Changes to Get Backup Passcodes Page
CM-379 cross-site request forgery protection?
CM-381 Change font-size and weight in help headers
CM-382 Move on/off + passcode button closer to text

June 6, 2017, 9:00pm

This release is a minor upgrade of the Shibboleth IDP to version 3.3.1 and the Shibcas connector. There is no expected downtime, though we have an hour window to complete the work. Affected systems include any using the Shibboleth IDP for authentication. Students, staff, and faculty could potentially be affected. Site examples include most off-campus services like Google, ServiceNow, Learning Center, Salesforce, and Box.

The Shibcas connector upgrade will fix the error messages displayed to a user readable message rather than the current code dump. CMR CHG0030731.

Services Affected

  • Shibboleth
  • Any using the Shibboleth IDP for authentication

Tickets Resolved

TicketComment

SHIB-1

Minor Shibboleth IDP upgrade - 3.3.1, Shibcas

May 18, 2017, 10:00pm

This emergency CAS Server release fixes the regression affecting some campus applications using SPAs. No outage is expected as we will do a rolling restart of the cluster nodes. CMR: CHG0030704

Services Affected

  • CAS
  • Special Purpose Accounts

May 16, 2017, 10:00am

This release is a rolling restart for CAS, no outage expected. CMR: CHG0030697

Services Affected

  • CAS

May 15, 2017, 6:00am

Begin testing on April 7, 2017

This release is the final step in migration to CAS Server 5.0.4. We are upgrading the Apereo CAS servers at UC Berkeley from version 4.1.x to 5.0.4 with some additional features deployed, with the help of Unicon, one of the major contributors to the CAS project. CMR: CHG0030513

The QA tier will be updated on April 7 to allow for testing. To test, point your QA CAS client application at the auth-test.berkeley.edu DNS name. The previous QA nodes (cas-t1/t2) will remain available for a transition period as individual nodes. Please be sure to test your application before May 15.

Find additional details about this upgrade on our website: Migration to CAS Server 5.0.4

Services Affected

  • CAS

May 10, 2017, 6:00pm

This release provides improved audit logging of account events for integration with Security Operations monitoring. CMR CHG0030673.

Services Affected

  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

Tickets Resolved

TicketComment

CNR-1416

CAM/CAT/reg-service events log


May 5, 2017, 4:15pm

This release fixes a condition that is causing SGS LDAP imports to fail and removes case-sensativity from email address field in CalNet Account Manager.

Services Affected

  • Berkeley Person Registry

Tickets Resolved

Ticket Comment

CNR-1462

OpenDJ objects that start with entryuuid= are causing SGS LDAP imports to fail

CM-342

Reset passphrase recovery case insensitive email lookup

May 5, 2017, 10:00am

This release changes the logic CalNet uses to determine expiration dates and fixes a condition that causes provisioning exceptions. CMR: CHG0030628

Services Affected

  • Berkeley Person Registry

Tickets Resolved

Ticket Comment
CNR-1451 Update expiry logic
CNR-1460 Provisioning exceptions

May 4, 2017, 5:00pm

This release fixed a bug in which stale cache was preventing new employees from claiming a CalNet account.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager

Tickets Resolved

Ticket Comment
CNR-1454 Stale cache - production restart required

April 26, 2017, 5:15am

In this release a number of CalNet applications are being upgraded to use the Grails 3 framework. This release will be deployed to QA on April 10, 2017. CMR CHG0030578.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • SOR Gateway Service
  • Registry Provisioning
  • Registry Rest Service

Tickets Resolved

See April 19, 2017 release for complete list of ticket resolved.


April 19, 2017, 7am

In this release CalNet Admin Tool is being upgraded to use the Grails 3 framework. This release will be deployed to QA on April 10, 2017. A second release on April 25 will upgrade Berkeley Person Registry and CalNet Account Manager to use the Grails 3 framework. CMR CHG0030548.

Services Affected

  • CalNet Admin Tool

Tickets Resolved

Ticket Comment
CAT-134 Convert to Grails 3.x
CM-161             Upgrade CAM to Grails 3.x
CNR-1275 Migrate grails-external-groovy-plugin to Grails 3.x
CNR-1276 Regression: Between Groovy 2.4.4 and Groovy 2.4.5 (Grails 3 uses .7) a change was made that as reintroduced a memory leak to external-groovy
CNR-1277 Migrate sor-key-data plugin to Grails 3.x
CNR-1278 Migrate registry-provisioning-scripts to Grails 3.x
CNR-1280 Migrate registry-model plugin to Grails 3.x
CNR-1281 Migrate grails-gorm-util-plugin to Grails 3.x
CNR-1282 Migrate registry-commons to Grails 3.x
CNR-1283 Migrate grails-domain-utils-plugin to Grails 3.x
CNR-1286 Migrate groovy-hashchode-ast to Groovy 2.4.7
CNR-1296 Migrate grails-render-json-plugin to Grails 3.x
CNR-1316 Migrate groovy-sql-util to Grails 3
CNR-1347 Update sorQuery script to accept a SORObjectKey (Grails 3 branch)
CNR-1353 Migrate mock-registry to Grails 3
CNR-1360 Migrate ucb-messaging plugin to Grails 3.x
CNR-1361 Migrate the UCB fork of the grails-routing plugin to Grails 3.x
CNR-1363 Grails 3 registry-model jobAppointments collection not being persisted when person is saved and not being retrieved when person is loaded
CNR-1365 For registry-model Grails 3 branch, type: JSONBType, sqlType: 'jsonb' in mapping is not working
CNR-1368 Property injection into Provision object is not working on Grails 3 branch
CNR-1372 Migrate registry-provisioning to Grails 3.x
CNR-1373 Migrate rest-client-builder-digest-auth to Grails 3.x
CNR-1374 Grails 3 Spring Boot in conjunction with registry-settings is complaining of multiple jms connection factories
CNR-1375 Grails 3 registry-settings doesn't seem to be merging config correctly
CNR-1378 Grails 3 reg-prov: no log output is being produced
CNR-1382 Figure out why grails 3 reg-prov wiped out the database at start-up
CNR-1383 Grails 3 reg-settings needs to set dbCreate to not delete by default
CNR-1384 Migrate sor-gateway-service to Grails 3.x
CNR-1385 Migrate ucb-match to Grails 3.x
CNR-1386 Migrate registry-match service to Grails 3.x
CNR-1391 Migrate registry-rest-client to Grails 3.x
CNR-1393 Migrate registry-service to Grails 3.x
CNR-1394 Migrate rest-queryfilter-plugin to Grails 3.x
CNR-1397 Integration Hub is changing the development AMQ host
CNR-1399 Grails 3 reg-service is having odd transaction management problems
CNR-1401 Grails 3 reg-service doesn't need jmsTransactionManager/ChainedTransactionManager because it only produces JMS and JMS producers aren't transactional
CNR-1402 Grails 3 reg-settings: Add option to create JMS beans but skip the jmsTransactionManager if the app is only using JMS for producing messages
CNR-1403 Grails 3 reg-service still is using ChainedTransactionManager even after removing jmsTransactionManager
CNR-1404 Grails 3 reg-settings: Add an "enable multiple data source" option to reg-settings to work around a Grails 3 bug
CNR-1405 Grails 3 reg-prov's BootStrap.groovy isn't running
CNR-1407 Some Grails 3 registry-service integration tests aren't passing and have been @Ignored
CNR-1408 In order to get Grails 3 reg-service integration tests to pass, had to move setupSpec to setup, but this makes running tests very slow
CNR-1409 SorPeopleAssignmentServiceIntegrationSpec passing locally but is failing on Bamboo
CNR-1417 Grails 3 match-service isn't consuming the newUid queue
CNR-1420 Deadlock between match-service and call out to registry-provisioning's provisionUid in Grails 3 (but probably Grails 2 too)
WA-46 Move ucb-webapp-foundation to Grails 3.1.x
WA-49 Migrate ucb-twitter-bootstrap and ucb-twitter-bootstrap-fields plugins to Grails 3

April 4, 2017, 4:30pm

This release provides a fix so that alumni already in OU = ADVCON do not get grace notification emails. CMR: CHG0030512

Services Affected

  • Berkeley Person Registry
  • LDAP Provisioning

Tickets Resolved

Ticket

Comment

CNR-1412

Users in ADVCON receiving grace notification emails


March 15, 2017, 3:00am

This release resumes the CalNet account expiration process and implements grace period email notifications. This release requires a second restart at 6pm on March 16. CMR: CHG0030441.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

March 14, 2017, 9:00pm

Upgrade production shibboleth IDP (shib.berkeley.edu) to version 3.3.0. The upgrade will bring us to the current release and allow us to use the consent model. The change will take place during a change window on Tuesday, March 14, from 9 - 11 pm. The actual change will be within that time and will be a brief, approximate 15 sec delay. The service affects most campus users. CMR: CHG0030422

Services Affected

  • Shibboleth IDP
  • Any system using the Shibboleth IDP for attribute release / authentication

March 9, 2017, 3:00am

This release includes work in support of the CalNet account expiration process, fixes a bug in CalNet consolidation and refines logic for changing CalNet IDs. This release was originally scheduled for March 8, 2017. CMR: CHG0030440

Services Affected

  • Berkeley Person Registry
  • LDAP Provisioning
  • CalNet Account Manager
  • CalNet Admin Tool

Tickets Resolved

Ticket

Comment

CNR-1371

Berkeley.edu email address should key of alternateIdEmailAddress

CNR-1366

Do not use BPR LDAP Display Name for full name

CNR-1364

Check hql in findPeopleExitingExpiry

CNR-1362

If a person does not have an @berkeley.edu account don't try to send additional emails.

CNR-1359

Registry Service gets wrong values from config in GraceServiceJob

CNR-1358

Refine logic for changing CalNet ID

CNR-1357

Grace Period Notify email still using calnet@berkeley.edu FROM address

CNR-1356

Cannot format given Object as a Date Error

CNR-1349

CNR-1169 Filter out people who does not have a calnetId

CNR-1325      

Disallow future-dated startOfRoleGraceTimes in PersonRoleArchive table
Update provisioning code to set start grace time to current time when source data has a future end date but goes inactive

CNR-1322

CNR-1167 Make adjustments to Grace period jobs

CNR-1308

UIDold and Consolidation date not being written during CAT consolidations

CNR-1302

Send email notification for expired accounts that have been activated again

CNR-1293

CNR-1167 Check if person has berkeley email address before sending email


March 1, 2017, 1:00am

This release includes minor edits and bug fixes for CalNet Account Manager and CalNet Admin Tool. Also introduces new features to CalNet Account Manager that display user's names and affiliations.  CMR: CHG0030408

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

Tickets Resolved

Ticket

Comment

CM-334 

Edit CAM Footer

CM-333 

Edit CAM Account Info page

CM-331 

Re-enable change in CM-311

CM-311 

Show more info after user logs into CAM

CAT-118 

An Error Has Occurred message after consolidation in CAT

CAT-117 

Assigning someone SIS View privilege doesn't appear to work

CAT-44 

CAT-37 Make simple / advanced search

CAT-127 

Show more info for user

CAT-122 

CAT-118 Consolidation error bug


February 28, 2017, 5:30pm

A restart of the PostgreSQL DB behind the prod Berkeley Person Registry (BPR) to allow more active connections will result in a brief outage to allow reconfiguration. Outage anticipated from 5:30pm-5:35pm on Tuesday, February 28. CMR: CHG0030418

Services Affected

  • Berkeley Person Registry

February 27, 2017, 1:00am

Refining logic for CalNet ID change. Release is in support of new alumni email program.  CMR: CHG0030411

Services Affected

  • CalNet Account Manager

Tickets Resolved

Ticket

Comment

CNR-1358

Refine logic for changing CalNet ID


February 21, 2017, 6:00am

This release is to patch the OS and JVM for the four servers comprising the CalNet Berkeley Person Registry (BPR) prod tier (registry-p1, bpr-p1, amq-p1, and idm-p2). CMR: CHG0030335

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry

February 14, 2017, 8:00pm

This release updates the production Grouper servers, which service calgroups.berkeley.edu, from version 2.2 to 2.3. The upgrade is a precursor to using a new provisioning UI.  CalGroups will be down during the upgrade due to a database upgrade.  CMR: CHG0030385

Services Affected

  • CalGroups
  • CalNet SPAs
  • LDAP Groups

Tickets Resolved

Ticket

Comment

CG-156

Upgrade production Grouper


February 1, 2017, 3:00pm

This release includes fixes to improve memory usage and upgrading of dependencies. CMR: CHG0030348

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • LDAP

Tickets Resolved

Ticket                         

Comment

CAT-118

 An Error Has Occurred message after consolidation in CAT

CNR-1311

Convert bad HCM job-end dates that are set to 9999-12-31 to be null, which causes the Registry to write the current date as the start-of-grace-time when it encounters such a bad end date. 

CNR-1291

Don't write legacy guest system accounts to LDAP

CNR-1262

New ou determination logic based on roles (but back-port the "don't move to a lesser OU" work-around that was in the old code into the new code)

CNR-1197

Don't provision (IGNORE) to LDAP any new uid missing at least one-LDAP affiliation

CNR-1262

Fixes CNR-1193 and CNR-1256 (dupe of CNR-1193): Records in presir when they should be in ADVCON

CNR-1197

Fixes CNR-1184: Employee Only CS Record provisioned to presir ou because of partial HCM record

CNR-1262

Rewrite OU determination logic to key off of roles instead of identifiers


January 25, 2017, 5:00am

This release was completed on January 26, 2017, and made additional changes to CalNet ID changing logic and enabled account expiration processes. CHG0030323

Services Affected

  • CalNet Account Manager
  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket

Comment

CNR-1285

Changing recoveryEmailAddress after changing calnetId should not rewrite calnetId

CNR-1267

When setting recovery email address, the oldCalnetId is overwritten with current calnetId in CREDMGMT SOR Object

CNR-1265

Prevent claiming CalNet IDs only defined in KDC

CNR-1239

Send a message to people who are in grace but never received an email

CNR-1217, CNR-1167 

Make cron job to send grace emails

CNR-1213

Track status object must have metadata field to store extra info

CNR-1191, CNR-1167

Create rest endpoint to send email

CNR-1169

Disable account when an account has expired

CNR-1298

LdapInformation endpoint

CNR-1304

Password error in account locking

CM-319

Users not able to claim CalNet IDs they already own in namespace

CM-323

Add custom link in full text to passphrase reset button

CM-327

Fix CalNet ID change screen

January 25, 2017, 3:00pm

This release implements new Campus Solutions update code to accept real time messages via JMS queue and make database queries on demand for individual student records. It should allow new CalNet accounts to be created in near real time once all the appropriate record creation has been completed in Campus Solutions. Release also includes updates to Registry provisioning logic to support en- of-life account handling. CMR: CHG0030328

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • LDAP

Tickets Resolved

Ticket

Comment

(no CNR)

Fix setting a proper grace start date for the aggregate roles: masterAccountActive and ldapNoExpDate.

CNR-1287

Fix no students in Dev marked as registered

CNR-1292

Close out new Sql instances in an attempt to fix connection pool leak in SGS

CNR-1273

Upgrade SOR Gateway Service to Grails 2.5.5 

CNR-1272

Convert the Camel routes in SGS to use reliable-tx-camel 

CNR-1031

Convert sor-gateway-service to use JTA Transaction Manager 

CNR-1266

Consume CS "person basic sync" messages from IHub to trigger 'real-time' SGS EMPLID querying 

CNR-1297

Replace special 07/28/16 CS affiliation end dates with 01/01/1901 so real dates used instead from other SOR data 

CNR-1289

Create an expirationNotify role

January 8, 2017, 11:45am

This release fixes a bug in the CalNet Account Manager, in which a CalNet ID change reverts if the user sets their recovery email address in the same session. CHG0030266. (This release rescheduled from 1/6/17, 5:00am).

Services Affected

  • CalNet Account Manager
  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket

Comment

CM-321

Change CalNet ID bug


January 6, 2017, 6:40am

This Emergency SOR Gateway Service patch deploys a one-liner patch that adds 14 days to the calculation of last semester end date because Campus Solutions indicates the spring semester has started but they have not yet updated the registration service indicators to show spring instead of fall. This affects the berkeleyEduAffiliation: STUDENT-TYPE-REGISTERED value in LDAP.  Tomcat restart on registry-p1 is required. CMR: CHG0030268. (This relesase rescheduled from 1/6/16, 5pm).

Services Affected

  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket

Comment

CNR-1287

No students in Dev marked as registered

 


December 19, 2016, 5:00pm

This release includes functionality to support upcoming term changes, backend registry handling of grace periods, service indicators that prevent students from being unregistered, improvements to how HCM employees and alumni are provisioned, and clearing of stale berkeleyEduExpDates. CMR: CHG0030233

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • LDAP

Tickets Resolved

Ticket

Comment

CNR-917

CNR-860 Determine current or future CS terms

CNR-970

CNR-860 Logic for determining start of next Fall or Spring term for -REGISTERED grace period

CNR-1016

Once CNR-970 taken care of, uncomment the commented code for SERVICE_INDICATOR term checks in CsPersonRoleBuilder

CNR-1189

Provisioning HCM accounts with appointment dates later than the entry date

CNR-1225

Add "is active" logic to HRMS and ADVCON key extractors

CNR-1226

Use "is active" key extractor logic to send HRMS and AVCON SORObjects to match queue if they lack UID and key extractor says they're now active

CNR-1227

Try to get the sor-key-data-extractor to load certain external reg-prov-script classes to execute "is active" logic on the raw SORObject data

CNR-1228

Clear berkeleyEduExpDate when active

CNR-1240

Add support for a numeric sync marker, instead of just a timestamp, to SorObjectChecksum and SorObjectChecksumQuery tables

CNR-1243

Tweaks to registry provisioning scripts for CalNet SOR Person

CNR-1244

Calculate grace delta upon immediately adding a personRoleArchive entry

CNR-1246

berkeleyEduStuID should remain in LDAP after student has gone into grace or expired

CNR-1247

Modify SGS to include new service indicator view for CS query


December 16, 2016, 5:00am

This release improves the Change CalNet ID function in CalNet Account Manager, and fixes a bug related to alumni accounts. It also includes an update to the instructions regarding claiming accounts and changing accounts. CMR: CHG0030232

Services Affected

  • CalNet Account Manager
  • Registry Service

Tickets Resolved

Ticket Comment
CNR-1265 Prevent claiming CalNet IDs only defined in KDC
CM-314 Allow alums to change CalNet ID without a recovery email address
CM-313 Change CalNet ID failure bug
CM-312 When user changes CalNet ID and does not have an ext email address do not show error
CM-310 Edit confirmation message when an alum changes CalNet ID
CM-308 Account Manager throwing javax.management.MalformedObjectNameException
CM-305 Stack trace appears on Change CalNet ID page
CM-316 When changing recovery email without previous recovery email address, system reports an error

December 1, 2016, 9:30pm

To support updating of certain AdvCon (mostly Alumni) CAS customers, a check for CalNetIDs starting with "cads" is now done. The popup dialog triggered then redirects the browser to the Change CalNetID page. Released to QA (auth-test.b.e) November 30, 2016.  CMR: CHG0030193.

Services Affected

  • CAS

Tickets Resolved

Ticket

Comment

OPS-350

Trap CalNetIDs starting with "cads" and redirect to Change ID app


November 18, 2016, 5:00am

This release added the ability for alumni to set a bConnected key.

Services Affected
  • CalNet Admin Tool
  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket

Comment

CS-26

MMK should allow ou=ADVCON to be able to set a bConn key so that alumni can create bConn accounts.


November 3, 2016, 11 am

This release is to provision FORMER employee, affiliate and student statuses , test and guest accounts to LDAP and BPR fixes. It also includes CAM and CAT text and content changes. See CMR: 30120

Services Affected
  • Berkeley Person Registry
  • LDAP
  • CalNet Admin Tool
  • CalNet Account Manager

Tickets Resolved

CNR-1029 Provision FORMER affiliation when an active affiliation is removed
CNR-1163 Modify DownstreamLdapBuilder to add FORMER affiliations
CNR-1171 Modify LdapDownstreamBuilder to add current LDAP affiliation roles based on calculated berkeleyEduAffiliation values
CNR-1174 Report of invalid date format for bECalNetIDUpdatedDate
CNR-1190 Change SGS HRMS Oracle hash query to hash(firstname||lastname) rather than hash(firstname) + hash(lastname)
CNR-1194 Don't provision (IGNORE) TEST accounts to LDAP
CNR-1195 Add a test account role for TEST accounts
CNR-1200 Provision GUEST LDAP affiliation for guest accounts
CNR-1206 Refactor archived role builders to use a builder context to avoid Hibernate exceptions
CNR-1207 Modify registry-model Person to disallow same roles both in assignedRoles and archivedRoles
CNR-1213 Track status object must have metadata field to store extra info
CM-304 Update language in notification when users can't claim an account
CAT-113 Edit email message when account is locked
CAT-112 For locked accounts, allow option to not send email
CAT-111 Show more info for locked accounts lists


October 24, 2016, 6am

Available in QA: October 14th

Update: war built from qa-to-prod-delegation branch is now deployed to cas-p2/p3/p7 (auth) with default theme set to "default" the OS and JVMs also patched on those hosts, the CAS prod tier.

A feature release of Apereo CAS Server 4.1.9 will be deployed to auth-test on 10/14/16 at 6 am and, assuming no regression is found, to auth on 10/24/16 at 6 am. OS and JVM patches will also be applied. The new features include improved performance when showing lists of SPAs, and a delegated authentication option for apps using the test/qa CAS server environments. CMR: CHG0030053.

Services Affected
  • CAS
  • SPA users

October 20, 2016, 12:00am

This release improves CalNet Admin Tool and adds the ability for an admin to set a CalNet ID on behalf of a user directly from the CalNet Admin Tool. CMR: CHG0030077

Services Affected
  • CalNet Admin Tool
  • Berkeley Person Registry

Tickets Resolved

Ticket

Comment

CNR - 1188

Add rest endpoint to set calnetId

CAT-107

Ability for admin to set a record's CalNet ID

CAT-109 

Update role mapping wiki page 

CAT-110 

Create new role for SIS in QA


October 13, 2016, 4:30pm

This release fixes a provisioning bug that is picking up inactive records. CMR: CHG0030054

Services Affected
  • Berkeley Person Registry

Tickets Resolved

Ticket

Comment

CNR - 1186

Stop provisioning employee-onlys without a CAMPUS_ID


October 13, 2016, 6am

Updated description: This release updates the CalNet Admin Tool, including adding affiliations, better scrolling, and cache manager naming issue. It also clears up an error when attempting to match records and automates some consolidation functions. CMR: CHG0030051.

Services Affected
  • CalNet Admin Tool
  • Registry Service

Tickets Resolved

Ticket

Comment

CAT-105

Error when attempting to match records

CAT-104

Show a record's current affiliations

CAT-101

Cache manager naming issue on production

CAT-99

Better scrolling for partial match view

CNR-1149

After merge, wrong CalNet ID marked as active

CNR-1178

When merging two records, an error is thrown

October 12, 2016, 3:05pm

This critical patch will fix a bug that prevented some new employees and affiliates from claiming CalNet accounts. CMR: CHG0030050.

Services Affected
  • Registry Provisioning
  • LDAP
  • OpenIDM

Tickets Resolved

Ticket Comment
CNR-1176 Add empty-string check for CAMPUS_ID in the SGS CS "employee-only" detection logic
CNR-1182 Rename isNotProd config param in LdapSync to isProd and adjust the code accordingly 
CNR-1183 Fix LdapSync bug where cleanUpMismatchedAssignments() is being called in prod instead of dev/qa 
none Add some hibernate session clearing  calls to try and eliminate a memory leak 

October 4, 2016, 6am

Update to October 4 CalNet Release:

This release has progressed as planned. The legacy Sync Code has been turned off. The new LDAP schema is in place. Approximately 70,000 active accounts are being updated by the Berkeley Person Registry. We anticipate all records to be done updating within one or two days. Additional status updates will be provided as needed.
----------------

On October 4, 2016, the CalNet team will retire the legacy LDAP Sync Code and hand control of LDAP provisioning to the Berkeley Person Registry. This step modernizes campus identity data management. CMR: 4816.

Find detailed information about LDAP Schema changes at: https://calnetweb.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization

See additional information about impacts of the Sync Code Retirement, here: https://calnetweb.berkeley.edu/news/calnet-sync-code-retiring

Services Affected

  • LDAP Provisioning
  • LDAP Sync Code
  • Berkeley Person Registry
  • CalNet Deputy UAS Portal
  • CalNet Deputy Issue Initial Token Application

Tickets Resolved

Ticket

Comment

CAT-38                       

Replace registry-p1 and idm-p2 scripts with CAT buttons

CAT-62

ability for admin to allow someone to change CalNet ID

CAT-81

Improve view of list of records to be matched

CAT-82

generate an notification email when account is locked / unlocked

CAT-83

edits to account locking/unlocking email content

CAT-93

Missing link to submit all records for rematch

CM-293

switch to berkeleyEduIsMemberOf

CNR-1000

Provision affiliation roles to LDAP

CNR-1007

Provisioning to ADVCON OU

CNR-1013

Remove isLegacy / isOwned / definitiveAttributes from LdapDownstreamBuilder

CNR-1018

Provision berkeleyEduAffID (ucbaffid)

CNR-1021

Rename IdentifierType hrmsEmployeeId to hcmId to avoid future confusion

CNR-1022

Develop API for ADVCON to replace account claiming API to kerb service

CNR-1023

Make REST endpoints for reprovisioning and sorHash/sorQuery

CNR-1024

Add a PersonJob table to the registry schema and add it to the model

CNR-1025

Modify registry-provisioning-scripts to provision to PersonJob table

CNR-1039

Remove hrmsPrimaryApptRcdNo role now that we have PersonAppointment table with an isPrimary flag

CNR-1040

Primary job determination logic needs to be moved to a PostBuilder so there's one one primary job if multiple HRMS SORObjects

CNR-1043

Create endpoint for advcon to use passphrase reset

CNR-1044

Endpoint for ADVCON to set recovery Email address

CNR-1045

Endpoint for ADVCON to set passphrase

CNR-1046

Don't set berkeleyEduUnitHRDeptName because sync code has stopped setting it

CNR-1047

Change berkeleyEduEmpDeptUnitTitleCode to be single-value pointing to primary appointment

CNR-1050

Investigate which HRMS records get an AffId

CNR-1052

Implement Audit in registry-service

CNR-1053

Create an "Archived Identifier" table to store old identifiers

CNR-1056

Add new HCM identifier types to distinguish between employee-specific and affilite-specific HCM identifiers.

CNR-1057

Change prov-script affiliateId and employeeNumber logic to use new hcm IdentifierTypes

CNR-1061

Implement pagination and showing rejected records for PartialMatch service

CNR-1065

Provision HCM employee and affiliate berkeleyEduAffiliations

CNR-1066

Provision ADVCON berkeleyEduAffiliations

CNR-1070

Provision UAS Identifier from LDAP_AFFILIATESOURCE data

CNR-1071

Provision uas affiliate id as part of LDAP berkeleyEduAffID array

CNR-1072

Provision uasAffiliateId as LDAP berkeleyEduCalNetAffID

CNR-1074

changes to NameTypeEnum[] priorityList

CNR-1075

SGS registry-p1 still occasionally throwing deadlock exceptions

CNR-1078

Provision birthday info to LDAP

CNR-1080

Provision berkeleyEduCalNetIDUpdatedDate

CNR-1081

Provision berkeleyEduCalNetUIDConsolidationDate

CNR-1082

Provision berkeleyEduCalNetUIDOld

CNR-1084

prov-scripts needs refactoring for LDAPDownstream to use person objects directly instead of as JSON or a Map

CNR-1085

Provision berkeleyEduUnitHrDeptName

CNR-1086

Registry service should write, when a record is consolidated.

CNR-1090

Disable legacy SIS SOR

CNR-1092

Change legacy SIS isActive logic to always return false now

CNR-1093

Modify LdapSync logic to account for Registry being responsible for provisioning HRMS and ADVCON to LDAP now

CNR-1097

Why is ADVCON cads2986 not matching up to Expired uid 563834 in prod?

CNR-1100

Will need to create ArchiveIdentifier records for any current LDAP identifiers not matched up to a SORObject so they don't get overwritten

CNR-1103

crosswalk service occasionally throws LinkedHashMap exception

CNR-1105

ldapSyncQueue is hanging/crashing/notworking

CNR-1106

Add an "unknown affiliate id" identifier type

CNR-1108

Replace LdapPersonIdentifier json with IdentifierArchive json in PersonSorObjectsJson

CNR-1109

Create dummy web service to trick OpenIDM into resetting its sync key for testing purposes

CNR-1110

Fix deleteTrackStatus, throws an exception

CNR-1111

Write a general LDIF "diff" script to compare two LDIF files for differences

CNR-1114

Don't provision berkeleyEduBirthYear to LDAP

CNR-1115

berkeleyEduBirthDay and berkeleyEduBirthMonth should always be formatted with two digits (leading '0' if necessary)

CNR-687

Add hcmEmployee role(s)

CNR-791

Provision SORObject(SOREnum.CALNET_CREDMGMT) oldCalnetId

CNR-799

Upgrade match-service and match engine to Grails 2.5.4

CNR-988

Provision primary job title code to LDAP

CNR-989

Provision primary department to LDAP

CNR-990

Provision department code to LDAP

CNR-991

Provision employee number to LDAP

CNR-992

Provision employee type to LDAP

CNR-993

Provision person's affiliations to LDAP

CNR-994

Provision person names to LDAP

CNR-995

Provision unique identifiers for a person to LDAP

CNR-996

Provision old CalNet ID to LDAP

CNR-997

Provision ou to LDAP

CNR-999

Refactor LdapDownstreamBuilder

CNR-1116

OpenIDM on registry-d1 isn't moving people from ou=people to ou=advcon people

CNR-1122

Prevent OpenIDM from reprovisioning SPAs to LDAP

CNR-1121

Provision AFFILIATE-TYPE for HCM affiliates into LDAP berkeleyEduAffiliations

CNR-1124

Clear out all berkeleyEduAffiliationsDetailed values now

CNR-1104

Quartz job to observe CsCampusIdMismatchView and set PersonIHub.timeresendrequested and trigger to service to resend those

CNR-1059

After all new apps deployed using hcmId IdentifierType, remove deprecated hrmsEmployeeId from IdentifierTypeEnum and prov-scripts and the table


September 21, 2016

This is a release to deploy endpoints for ADVCON to use Account Manager.  In addition, this release includes new features and improvements to the CalNet Admin tool and a necessary change in the CalNet Account Manager required by the CalGroups service. CMR: 4817.

Services Affected

  • Berkeley Person Registry Services
  • CalNet Admin Tool
  • CalNet Account Manager

Tickets Resolved
Ticket Comment
CNR-996 Provision old CalNet ID to LDAP
CNR-1022 Develop API for ADVCON to replace account claiming API to herb service
CNR-1023 Make REST endpoints for reprovisioning and sorHash/sorQuery
CNR-1043 Create endpoint for advcon to use passphrase reset
CNR-1044 Endpoint for ADVCON to set recovery Email address
CNR-1045 Endpoint for ADVCON to set passphrase
CNR-1061 Implement pagination and showing rejected records for PartialMatch service
CAT-38 Replace registry-p1 and idm-p2 scripts with CAT buttons
CAT-81 Improve view of list of records to be matched
CAT-82 Generate an notification email when account is locked / unlocked
CAT-83 Edits to account locking/unlocking email content
CM-293 Switch to berkeleyEduIsMemberOf

September 14, 2016, 6am

For this release, we will point the production CAS cluster to a new, more powerful OpenDJ LDAP cluster for back-end directory services. This change will be transparent to both CAS client applications as well as users; it is an internal change for the service with no external impact other than better performance. See CMR: 4787

Services Affected
  • CAS

August 18, 2016, 10pm

This emergency patch is an update to CalNet import code deployed to fix changes to SOR Gateway Service. It should reduce or eliminate the frequent exceptions currently being seen when a data import job is attempted due to Spring JDBC pooling bug. Crosswalk service should not be impacted.

Registry-p1Tomcat restart required. CMR: 4752.

Note: this change during the No Fly Zone has been approved by SIS project team.

Services Affected
  • Berkeley Person Registry
  • LDAP

August 10, 2016

This release is in response to a security advisory by OpenIDM. It contains a patch to OpenIDM 3.1.0 which will be applied to registry-d1 and prevents exposure of vulnerable encryption keys. CMR: 4734

A separate release issues changes to LDAP production. 

Services Affected
  • Registry Provisioning
  • LDAP
  • OpenIDM

Tickets Resolved

Ticket Comment
CNR-1008 Seed displayName in LDAP to an initial value if not set
Added csRegisteredStudent role and set -REGISTERED affiliation in LDAP

August 9, 2016

This new SOR Gateway service release will fix a bug in the the programming logic that determines employee affiliation as well as implementing newly developed logic for determining terms for registered students. It also deploys a fix for database production errors. CMR: 4729.

Services Affected
  • Berkeley Person Registry
  • LDAP
Tickets Resolved
Ticket Comment
CNR-987 CS Employees with both an Employee AND Instructor affiliation are still getting into the partial match queue
CNR-917 Determine current or future CS terms
CNR-970 Logic for determining start of next Fall or Spring term for -REGISTERED period
CNR-982 Tweak "employee-only-without-a-CAMPUSID" logic to ignore "APPLICANT/Applied" affiliations when calculating if employee-only or not
CNR-1001    Try to find another way to get a Postgres BaseConnection object in the SGS other than by using custom SafeNativeConnectionExecutor, which may be contributing to SGS exceptions.
CNR-1003 Fix PostgreSQL SGS refreshPersonSorObjectsJson deadlock scenario
CNR-1005 "Already value for key" connection pool exceptions in SGS

August 7, 2016, 6am

The campus CAS server cluster behind auth.berkeley.edu will have the OS patched, the CAS server upgraded to release 4.1.9 and an improved Spring LDAP pooling configuration. These changes are currently in place for the auth-test.berkeley.edu service. No new TLS certificate is involved and no service outage is planned. CMR 4679.

Services Affected
  • CAS
  • LDAP
Tickets Resolved
Ticket Comment
CM-4679 CAS server upgrade and patching


August 3, 2016

This patch to the SOR Gateway Service changes the validation query on connections in the database connection pool to see if it helps get rid of prematurely closed exceptions that are causing exceptions to be thrown when re-hashing and re-querying. CMR: 4720.

Requires a registry-p1 Tomcat restart.

Services Affected
  • CalNet Admin Tool

August 2, 2016

All CalNet services including CAS (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), LDAP Directory (ldap.berkeley.edu) will be unavailable for a 10 to 15 min window - between 4 and 4:30 am - while new network load balancer equipment is enabled. CMR 4685. 

Services Affected
  • CAS
  • LDAP
  • Shibboleth

August 1, 2016

This releases added account locking and unlocking features within CalNet Admin Tool for CalNet staff. It also contained minor UI edits and created access for additional roles. CMR: 4714.

Services Affected
  • CalNet Admin Tool
  • CalNet Account Manager
  • Berkeley Person Registry

Tickets Resolved

Ticket Comment
CAT-71 Outgoing email on lock/unlock do not show HTML correctly
CAT-5 Ability for CalNet Staff to lock accounts
CAT-6 Ability for CalNet Staff to unlock accounts
CAT-39 Person must have "locked" flag
CAT-64 Check wording for email sent to user when account is locked
CAT-65 Check wording for email sent to department when account is locked
CAT-66 Check wording for email sent to user when account is unlocked
CAT-68 Create a role and view for Limited View group
CAT-69 Add Recovery Email Address to basic Info
CAT-70 Create role for security
CAT-73 In QA, no form on the CAT home page
CAT-74 CAT does not reflect recovery email address entered in CAM
CAT-75 Ability to update recovery email address for a user with no CalNet ID
CAT-76 Added a way to bump logging levels on server
CAT-78 Testing in QA: unclear error message when searching
CM-289 Change order of menu links
CNR-980: Prevent locked accounts from doing Account Manager service call
CNR-947 Endpoint to lock and unlock account
CNR-980 Make creation of CredManangerSor able to take only recovery email without CalNet ID

July 19, 2016

This release deployed a change that prevents pulling Campus Solutions employee-only records into Berkeley Person Registry/CalNet unless they have a UID already set in CS. This is so we can reliably match CS employees with HCM records.

This release does require a Tomcat restart. CMR: 4682

Services Affected
  • SOR Gateway Service
  • Berkeley Person Registry
  • LDAP

July 9, 2016, 12am

Hotfix: Use csDelegateProxyEmailAddress directly when sending out proxy delegate emails (with a fallback to calnetCredentialRecoveryEmailAddressCalculated). CMR: 4668.

 
Services Affected
  • CalNet Account Manager
  • Berkeley Person Registry

July 8, 2016, 4pm

This patch fixes a bug in the "CalNet SOR Person" tool (used in the creation of test accounts).  CMR 4666.
 
Services Affected
  • SOR Gateway Service
  • CalNet SOR Person Creation Tool

July 5, 2016

This patch issues a fix to the SGS nightly LdapSync process that queries for unmatched CS objects to send to the match queue.

Services Affected
  • Berkeley Person Registry
  • LDAP

July 5, 2016

This release deploys fixes for registry-provisioning and registry-service and changes the way Recovery Email Addresses are calculated.

Services Affected
  • Berkeley Person Registry
  • LDAP
Tickets Resolved
Ticket Resolved

CNR-952

Reset "STU-" affiliations in LDAP, not just "STUDENT-", for CS people.

CNR-953

Modify registry-service PeopleToProvision to include all changed DownstreamObjects in the OpenIDM query, not just for CS people.
(In support of CNR-952 fix)

CNR-957

When person has no SORObject other than LDAP, set DownstreamObject DN to whatever the existing LDAP DN is.
(In support of CNR-952 fix)

CNR-966

Reject all email addresses that end in berkeley.edu for calnetCredentialRecoveryEmailAddressCalculated email type.

July 1, 2016

This release features enhancements recommended by security assessments as well as instructional additions. An additional release at 4pm includes a patch to Registry SOR Gateway Service to assign new CS employees a UID based on the UID they send us instead of fuzzy matching.

Services Affected
  • Berkeley Person Registry
  • CalNet Account Manager
  • LDAP
Tickets Resolved
Ticket Resolved
CM-284 ASTP Report Action Item: return response header with name "X-Frame-Opt"
CM-286 Refactor rest client calls out of CAM and into plugin to also be used in CAT
CM-287 Added instructions online for users claiming an account but have no recovery email address
CM-288 Added "Affiliate ID" to instructions
CNR-961 Modify SGS to assign SORObject a UID if UID exists in the source key data
CNR-945 ASTP Report Action Item: increase token length to 16 characters

June 29, 2016

Deployment of new code to the CalNet Registry Stack. It also includes a minor bug fix for the registry-service as well as registry upgrades.  New logic to prevent the creation a new UID for employee records from Campus Solutions. UID creation should only happen when a record comes from HCM. CMR 4641.

Services Affected
  • Berkeley Person Registry
    • Provisioning
    • SOR Gateway Service
    • Match Service
  • LDAP
Tickets Resolved
Ticket Comment
CNR-799 Upgrade match-service and match engine to Grails 2.5.4
CNR-886 Modify SGS and to send CS people that don't have an admit/sircompleted/student affiliation to match queue with matchOnly indicator set to true
CNR-904 The displayName parser may not be parsing lastName, firstName correctly (is this different than normal displayName format?)
CNR-912 @LogicalEqualsAndHashCode refactor for domain classes to improve provisioning performance
CNR-913 Add sysadm.PS_UC_SRVC_IND_VW1 (Service Indicators) to SGS CS query
CNR-919 Prevent circular reference loop in @DomainEqualsAndHashCode hashCode() generator
CNR-924 LDAP DownstreamObject bug when LDAP fields have JSON characters in them
CNR-930 Add a "matchOnly" indicator for match queue messages for registry-match-service
CNR-932 add a sql statement timeout in SGS to avoid deadlocks in the consumer of the SORObject JSON queue
CNR-933 Modify LdapSync to call rematch service on CS SORObjects that haven't yet matched up to a UID
CNR-934 Modify registry-match-service to remove sorObject from PartialMatch when uid assigned
CNR-935 CsPersonRoleBuilder not assigning csEmployee role to all people with active CS jobs
CNR-937 If LdapSync assigns an uid to a SORObject, remove that SORObject from PartialMatch table if it exists
CNR-939 Assign csEmployee role to anyone with a CS EMPLOYEE affiliation

June 28, 2016

This release is an enhancement to the Change CalNet ID form. It improves error handling, updates CalNet ID requirements and includes some minor text changes. It also includes improved search function and enhanced admin capability to update a user's recovery email address. CMR 4640.

Services Affected
  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry
Tickets Resolved
Ticket Comment
CAT-4 Ability for CalNet admins and deputies to change recovery email address for user
CAT-50 Simple Search functions not working for certain attributes
CM-281 Refactor PersonUtil out of Account-Manager into registry-commons
CM-280 Format change in Change CalNet ID form
CM-279 Allow CalNet IDs not created by Acct Mgr to be changed
CM-274 Remove SIS links from Acct Mgr Admin Home page
CM-273 Reformat Change CalNet ID form
CM-272 Update CalNet ID requirement
CM-267 Need to check if an account is locked before allowing access
CM-262 When changing calnetId, and the passphrase is wrong, the shown message is not reflecting this.
CM-261 Change instruction text in Change CalNet ID form

June 23, 2016

CalNet ran a job to correct 454 student records that had been incorrectly set to expired status which was affecting email access. A check of impacted records has confirmed that the job was successful.

Services Affected

  • LDAP

June 22, 2016

The auth.berkeley.edu CAS cluster [1] will begin using as primary its current failover dedicated OpenDJ LDAP cluster (dir-auth.calnet.1918.berkeley.edu) [2] beginning Wednesday, June 22 at 6 am.

There is no planned outage for this migration, which will be over at 6:15 am. At that time, the current primary cluster (nds-auth.calnet.1918.berkeley.edu) will become the failover target. See CMR 4577.

The new OpenDJ cluster provides a 50% increase in vCPU capacity (6 vs. 4) and twice the JVM RAM available (14 vs. 7 GB) compared to the current OpenDJ cluster it replaces. The new nodes are running RHEL 7.2 vs. 6.7 for the OS.

[1] auth.berkeley.edu consists of cas-p2.calnet.berkeley.edu, cas-p3.calnet.berkeley.edu, and cas-p7.calnet.berkeley.edu
[2] dir-auth.calnet.1918.berkeley.edu consists of dir-p4.calnet.1918.berkeley.edu, dir-p5.calnet.1918.berkeley.edu, dir-p10.calnet.1918.berkeley.edu.
These new OpenDJ VMs are running OpenDJ 2.6.4 with 6 vCPUs and 24 GB RAM each using tuned 14 GB OpenJDK 8 JVMs on RHEL 7.2 servers.

Services Affected
  • CAS
  • LDAP
  • Shibboleth
Tickets Resolved
Ticket Comment
OPS-332 Convert auth.berkeley.edu cluster to use dir-auth.calnet.1918.b.e OpenDJ cluster

June 17, 2016

Hotfix being deployed to production to fix bug causing large "cn" values, leading to problems in LDAP. No Tomcat restarts anticipated due to change happening in external provisioning scripts. See CMR 4623.

Services Affected
  • LDAP
  • Berkeley Person Registry
Tickets Resolved
Ticket Comment
CNR-924 LDAP DownstreamObject bug when LDAP fields have JSON characters

June 14, 2016

Fixes bug in which users with numeric values for CalNet IDs encounter errors in ID creation. 

Separate release enhances CalNet Account Manager to allow use by people not associated with CS. CMR: 4631.

Services Affected

  • CalNet Account Manager
  • LDAP
  • Berkeley Person Registry
Ticket Resolved
Ticket Comment
CM-265 MAP@Berkeley users with all numeric CalNet IDs can't create a CalNet ID
CNR-915 Need to always write beKerberosPrincipalString to LDAP when someone has a CREDMGMT SORObject

June 10, 2016

This release includes a bug fix to correct matches and show claim token. Feature enhancement includes showing LDAP record, search function improvements and revamped UI.

Services Affected
  • CalNet Admin Tool

Tickets Resolved

Ticket Comment
CAT-58 Match fails in prouction CAT
CAT-3 Reconciliation Manager stops displaying new partial matches
CAT-8 Ability to see LDAP record
CAT-12 Make login interval longer
CAT-25 Whan app times out, require user to log in
CAT-26 Display search result in list format
CAT-31 Create another access role for view only with raw data
CAT-42 CAT master is failing Bamboo tests, preventing deployment to prod
CAT-45 Reconcile mis a button to click when matching records
CAT-47 Hide SSN in SR
CAT-48 CAT does not show tokens - this is needed for support


June 3, 2016

Update: This release is complete. Known issues with CAT search results are being investigated.

This release improves LDAP provisioning performance and CalNet Admin Tool and Account Manager, as well as fixes various bugs. Fixes include changes to permissions and processes for those using the Account Manager to change their CalNet IDs and addressing inconsistency in CalNet Admin tool searches to yield improved search results. Due to changes in this release, reprovisions will be required within the registry stack. See CMR 4613.

Services Affected
  • Berkeley Person Registry
    • Provisioning
  • CalNet Admin Tool
  • Account Manager
  • LDAP

Tickets Resolved

Ticket Comment
CAT-22 Inconsistent search results
CM-255 Change email address for Change CalNet ID notices
CM-256 Allow CalNet ID change to existing name if UID owns it
CM-257 Only allow CalNet ID change with CM tool for IDs created through CM
CM-260 Update "from" email in prod.
CM-271 Delegate email changes - critical changes requested
CNR-779 registry-service endpoint to allow calnetID change
CNR-822 Add newCalnetId to change calnet id track status
CNR-824 REST endpoint to check if a calnet id was created by account-manager
CNR-826 Registry Service Endpoint URL changes for checkForExistingCalnetId now with UID
CNR-827 Endpoint for checkForExistingCalnetId must take into account uid
CNR-828 Inconsistent search result - interim solution
CNR-841 Move LDAP attr-determination scripts from OpenIDM to registry-provisioning-scripts and write JSON to DownstreamObject table
CNR-844 Add LDAP attributes to SGS LDAP querying that are used in LdapDownstreamBuilder
CNR-849 Have the SGS pull in all LDAP attributes except metadata like timestamps and modifiedBy etc
CNR-850 Modify peopleToProvision service to read from DownstreamObject table
CNR-862 Set OpenIDM to "own" CS people with CS Student affiliation
CNR-863 Endpoint to disable and enable password reset request
CNR-864 Reset passphrase should be prevented if flag is set in registry
CNR-866 A provisionUid bug somewhere in the SOR Gateway Service processing chain
CNR-867 Create a second provisionUidBuild queue for "bulk" operations like from queueChangedIdentities.sh
CNR-876 Don't write berkeleyEduOfficialEmail and mail back to LDAP
CNR-877 Improve CollectionUtil.sync performance

May 27, 2016

Emergency patch to OpenIDM in production to not write to berkeleyEduOfficialEmail and mail attributes. This will require an OpenIDM restart.

When: Approx 11:10am.

See CMR 4606. 

Services Affected
  • LDAP Provisioning

May 25, 2016

Available for testing on auth-test: May 19, 2016

The CAS service for the auth.berkeley.edu cluster will use Spring LDAP pooling for SPA lookups. This improves the efficiency of those searches so that CAS queries to populate the SPA pick list occur more quickly.

See CMR 4591. 

Services Affected
  • CAS
  • LDAP
  • CalGroups
Tickets Resolved
Ticket Comment
OPS-334 Spring LDAP pooling for CAS SPA lookups

May 22, 2016

RHEL 6.x OS patching for production MIT Kerberos KDC cluster completed.

See CMR 4558.

Services Affected

  • Campus MIT Kerberos

Tickets Resolved

Ticket Comment
  OS patching MIT Kerberos KDCs.

May 21, 2016

Edits made to delegate email to make claiming a delegate account more user friendly. 

Services Affected

  • CalNet Account Manager

Tickets Resolved

Ticket Comment
 CM-271 Delegate email changes - critical changes requested


May 18, 2016

People in CS with only student affiliation and not admit or SIRCompleted affiliations are now getting "berkeleyEduAffiliations: STUDENT-TYPE-NOT REGISTERED" set in LDAP.

Services Affected

  • Berkeley Person Registry
  • LDAP Provisioning

Tickets Resolved

Ticket Comment
CNR-862 Set OpenIDM to "own" CS people with CS Student affiliation.


May 16, 2016

The obsolete DNS CNAME records for auth2.berkeley.edu and ncas.berkeley.edu were removed from DNS today.

See CMR 4579.

Services Affected

  • CAS

May 13, 2016

Edited logic to deal with duplicates in Berkeley Person Registry. Implemented redirect for idc.berkeley.edu to calnetweb.berkeley.edu. 

Services Affected

  • Berekely Person Registry
  • LDAP Provisioning
  • idc.berkeley.edu

Tickets Resolved

Ticket Comment
CNR-848 Move CS SORObjects between dupe uids according to some logic
OPS-333

Redirect idc.berkeley.edu to calnetweb


May 10, 2016

Bug fixes and URL update for Calnet Admin Tool. Redirect for mycalnet.berkeley.edu implemented.

Services Affected

  • Account Manager

May 3, 2016

Data import enhancements to recognize additional role types in the Berkeley Person Registry for students in Campus Solutions and employees in HCM.  
Updated LDAP provisioning logic to allow CalNet ID changes for all account types via the Account Manager. See CMR 4553.

Services Affected
  • Berkeley Person Registry
  • Account Manager
  • LDAP Provisioning

Tickets Resolved

Ticket Comment
CNR-687 Add HCM roles.
CNR-790 Re-enable assigning csUndergraduate/csGraduate/csStudent roles in Registry and also add csExtension and csAdvisor roles.
CNR-794 Upgrade to Grails 2.5.4.
CNR-795 Upgrade to Grails 2.5.4.
CNR-805 Change SGS HCM query for better recognition of Peoplesoft effective dating in hrms.employee_verif_v view.
CNR-806 Change SGS HCM query for better recognition of Peoplesoft effective dating in hrms.employee_verif_v view.
CNR-807 Change SGS HCM query for better recognition of Peoplesoft effective dating in hrms.employee_di_v view. (Partially complete. Next release will have further mods).
CNR-832 Always write berkeleyEduKerberosPrincipalString and berkeleyEduCalNetIDUpdatedFlag.

May 1, 2016

As part of the SIS 5.3 Release, CalNet will be coordinating with bCourses, CalCentral and MAP@Berkeley to update the CAS URLs their clients are using from auth2.berkeley.edu to auth.berkeley.edu. See CMR 4547.

Services Affected

April 27, 2016 

Update feature in CalNet Account Manager.

Services Affected
  • CalNet Account Manager

Tickets Resolved

Ticket Comment
CM-255 Change email address for Change CalNet ID notices

April 24, 2016 

A CAS 4.1.7 security patch is scheduled for deployment on Sunday 4/24/16 at 6am. This version is already deployed to auth-test.b.e. There will be a 1 minute outage during the restart of all CAS nodes. See CMR 4529.

Services Affected
  • CAS

April 21, 2016

Minor updates CalNet Account Manager.
Services Affected
  • CalNet Account Manager

Tickets Resolved

Ticket Comment
CM-249 Text Corrections
CM-250 Disallow SPA's to make any changes

April 20, 2016

New features to the CalNet Account Manager and Berkeley Person Registry allow users to change CalNet ID. Minor updates to menu and message language.
Services Affected
  • CalNet Account Manager
  • Berkeley Person Registry

Tickets Resolved

Ticket Comment
CM-234 Ability for emps/students to change calnet ID
CM-236 Change menu item label
CM-244 Edit message for those claiming an account but who already have one
CM-246 Error message for people who can't reset password via CM
CNR-779 Registry-service endpoint to allow calnetID change

April 17, 2016 - deferred

Delayed, to be rescheduled.
CAS URL updated to auth.berkeley.edu for Account Manager and MAP@Berkeley delegated authentication.
Services Affected
  • CAS delegated authentication
  • CalNet Account Manager

April 11, 2016

Summary

  • Added new features to the CalNet Account Manager application to allow users to reset their passphrase and change their recovery email address. 
  • Added error reporting to calnet-systems@berkeley.edu.
  • Added filter to disallow undergraduate admits who have not SIR'ed from creating a CalNet ID. 
  • Revised code to allow users with CalNet ID's that are all-numeric or begins with "CADS" to be able to create a new CalNet ID. 
  • Revised code to check the namespace before granting a CalNet ID.
  • Revised code to check that a delegate does not have CalNet ID before allowing them to create one.
  • Minor webpage and email content edits.

Services Affected

  • CalNet Account Manager
  • Berkeley Person Registry
  • LDAP Provisioning

Known Bugs with this Release

This issues are being addressed and will be resolved as soon as possible.

  • Requesting an update to an empty external email address currently isn't working.
  • When a requestor submits their recovery email address to reset their passphrase, CalNet Account Manager is erroneously showing the requestor's non-employee and non-student accounts, if they exist, to be reset. This functionality doesn't work and will be addressed in a later version.

Tickets Resolved

Ticket Comment
CM-123 Ability for emps/students/delegates to reset forgotten passphrase
CM-169 Of the admitted undergrads, only those who accepted their offers can claim CalNet ID
CM-187 NPE in DelegateService.bindDelegateCommands
CM-188 If a delegate account already has a CalNet ID don't let them claim
CM-192 Change polling delegates timing
CM-197 Delegate account email "I already have a CalNet ID" doesn't work.
CM-206 Check namespace for CalNet ID availability
CM-213 Update Account Manager Main Menu
CM-214 Allow people with all numeric or cads calnet ids to create a new calnet id
CM-223 PW reset Email Invite Format changes
CM-224 Add contact info in CalNet Account Manager
CM-225 Send Error log entries to calnet-systems@berkeley.edu
CM-227 Testing Findings Using QA Stack
CM-228 Revise Reset Passphrase form
CM-230 Testing Reset Passphrase Using Dev
CM-231 Testing Reset Passphrase Using QA
CM-232 Username and Email address are Null for slate student
CM-235 Update to account creation page
CM-236 Change menu item label
CM-237 Edit email confirmation to delegates - SIS request
CM-238 Account manager CAS configuration needs updating

April 8, 2016 - deferred

Deferred until we determine how to support LDAPS via the SLB/VIP for ldap.berkeley.edu.

Update and patch the OS and JVM for the nds-auth LDAP directory cluster nds-p4/-p5/-p10 (used by the auth.b.e CAS cluster) and perform a rolling upgrade of the OpenDJ servers to the 2.6.4 release.

Services Affected

  • CAS and LDAP

April 7, 2016

Registry Provisioning and OpenIDM bug fixes and preparations for new account manager functionality.

Services Affected

  • LDAP Provisioning

Tickets Resolved

Ticket Comment
CNR-754 provisionUid is removing and re-adding the same identifiers every time it reprovisions
CNR-765 Create csDelegate role in Registry
CNR-766 Make it so none of the provisioning-scripts builders run if the SORObject is isDeleted=true
CNR-767 Distinguish between active (future) and inactive (ex) STUDENT-TYPE-NOT-REGISTEREDs.
CNR-768 Don't set STUDENT-TYPE-NOT REGISTERED if STUDENT-TYPE-REGISTERED is set.
CNR-770 OpenIDM throwing exceptions trying to rename namespace entries
CNR-771 OpenIDM needs to refire recon-by-id somehow after LINK and UNLINK operations
CNR-775 Probable bug where the CS IdentifierBuilder is not detecting properly when there is only one job and its active
CNR-776 isActive on HRMS identifier possibly set incorrectly.
CNR-785 Remove LDAP Student expiration dates when adding an active CS affiliation


March 29, 2016

Three releases scheduled. Upgrade to production ActiveMQ 5.13.2 on amq-p1. Bug fix for CalAccess that repaired the service that checks on FERPA requirements for a user.

Scheduled CAS upgrade in which default CAS Authorization was pushed into production at auth.berkeley.edu was disabled because of a bug in LDAP. We are investigating the issue and will update you with our plans going forward as we are able to.

Services Affected

  • Berkeley Person Registry
  • LDAP Provisioning
  • CalAccess
  • CAS

Tickets Resolved

Ticket Comment
CNR-758 Upgrade to ActiveMQ

CA-299

FerpaService fails to authenticate


March 28, 2016

Emergency fix to remove blocker for LDAP provisioning.

Services Affected

  • OpenIDM
  • LDAP Provisioning
Ticket Comment
CNR-770

OpenIDM throwing exceptions trying to rename namespace entries


March 20, 2016

Bug fix to handle account creation issues reported by users.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • LDAP Provisioning
  • Kerberos Provisioning

Tickets Resolved

Ticket

Comment

CM-220

Account Creation is failing

CM-218

Production Account Manager is throwing locking exceptions


March 18, 2016

Feature enhancements for the following:

  • ability for delegates to create their CalNet ID accounts

  • ability for CalNet ID account holders to change their external email addresses

Code fixes for the following:

  • error handling when an expired token is used to claim an account

  • changes to confirmation email content and format

  • checking that a user’s requested CalNet ID is not already in namespace

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • LDAP Provisioning

Tickets Resolved

Ticket

Comment

CM-147

ability for emps/students/delegates to change recovery email

CM-179

Delegates can claim account directly

CM-180

When user tries to use an expired token, they see a CAS login

CM-183

edit delegate email invitation to create CalNet ID

CM-198

edit confirmation email message when a CalNet ID is activated

CM-199

format changes for confirmation message when a delegate's CalNet ID is created

CM-200

Confirmation page for undergrads is broken

CM-201

send email to existing accounts about the change request for recovery email address

CM-202

content for email to continue process for recovery email address creation

CM-207

account-manager must verify calnetId on new checkForExistingCalnetId endpoint in registry-service

CM-209

send email to new account to confirm completed recovery email address process

CM-211

New wording change for delegate invite mail

CM-217

Edit email confirmation message for delegates again!

CNR-717

Registry-service endpoint to store and verify recovery email address

CNR-723

Write CalNet ID to namespace upon creation


March 17, 2016

This was a fix for bug that was allowing new users to create CalNet IDs that had already been reserved by some other system.  Usually an email alias or mail list name.  42 affected CalNet IDs were changed to resolve the conflict and new code was deployed to improve namespace updates when new CalNet IDs are created.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • LDAP Provisioning

Tickets Resolved 

Ticket Comment
CN-723    Write CalNet ID to namespace upon creation


March 16, 2016

Bug fix release to improve logging and to deploy updates to the account creation process to do more thorough namespace checking.
Services Affected

  • CalNet Account Manager
  • Berkeley Person Registry
  • LDAP Provisioning

Tickets Resolved

Ticket Comment
CM-207 account-manager must verify calnetId on new checkForExistingCalnetId endpoint in registry-service
CNR-537 Remove the SOR Sql objects from SGS resources.groovy
CNR-682 Make CS_DELEGATE hash/query timestamp-aware
CNR-692 SisStudentIdentifierBuilder.isActive is not handling multiple terms nor disregarding past terms
CNR-709 in registry-provisioning-scripts, use parseFullName() as an additional way to try to parse out individual name components from displayName
CNR-718 Don't make "sorObject not found" a "fatal" error in NewUidService
CNR-719 Add INFO log statement when oprId, security key, or email changes for CS_DELEGATE