Historical CalNet Releases

CalNet operates a complex suite of applications that support the Identity and Access Management functions of the University. Below are CalNet releases from previous calendar years. Records of releases have been maintained on this website since March 2016.

You can sign up to receive timely notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases(link is external) and click JOIN.Or, see current year CalNet Releases.

November 13, 2022, 8:00 am

This release completed the upgrade of the EWH CalNet LDAP infrastructure to DS 7.2. This impacted LDAP services use by CAS, WiFi, and various other services across campus. No impact to applications or customers is expected. CMR: CHG0036096

Services Affected:

LDAP
CAS
Wifi Services

November 6, 2022, 8:00 pm

This release included an upgrade of the SDSC CalNet LDAP infrastructure to DS 7.2. This impacted the dir-auth-os.calnet.berkeley.edu VIP which is used by CAS services hosted at SDSC primarily for failover. No impact to applications or customers expected. CMR: CHG0036095

Services Affected:

LDAP
CAS
Berkeley Person Registry

October 20, 2022, 7:00 pm

This release included enhancements and bug fixes to Berkeley Person Registry and SPA provisioning. There may be a brief outage to Berkeley Person Registry and associated applications while the server restarts. CMR: CHG0036067

Services Affected:

Berkeley Person Registry
Special Purpose Accounts (SPAs)
Active Directory (AD)

October 3, 2022, 5:00 pm

This release changed the ways that Special Purpose Accounts were provisioned to Berkeley Person Registry. No outage or impact to SPA users. Users of the CalNet Admin Tool noticed that SPAs have accurate status after this release. CMR: CHG0035986

Services Affected:

Berkeley Person Registry
CalNet Admin Tool

September 7, 2022, 7:00 pm

This release contained enhancements and bug fixes for CalNet identity management applications. CHG0035940

Services Affected:

CalNet Account Manager
LDAP
Provisioning

August 12, 2022, 11:00 am

This release was a debug for the recaptcha for account claiming. CHG0035872

Services Affected:

CalNet Account Manager
CHG0035940

August 10, 2022, 7:30 pm

This release was a minor configuration change to the Shibboleth IDP that requires a restart of the servers. There was no outage. CHG0035859

Services Affected:

Shibboleth

August 10, 2022, 7:00 pm

This release contained enhancements, bug fixes and dependency upgrades. Also with this release, expired Cirrus guests were moved to ou=Expired. CHG0035821

Services Affected:

Cirrus Sponsored Guests
CalNet Account Manager
CalNet Admin Tool
Berkeley Person Registry
Account provisioning

July 1, 2022, 3:00 pm

In this release, we patched CAS from the current version (6.5.4) to the latest version (6.5.6) to address a potential security vulnerability.CMR: CHG0035722

Services Affected:

July 1, 2022, 12:00 pm

On July 2, new department numbers will begin to flow from UCPath to Berkeley Person Registry to CalGroups and LDAP. CalGroups admins will need to make changes to their authorization / communication groups after July 2 to use the new groups. We will remove the old groups after July 15. CMR: CHG0035712

June 30, 2022, 9:00 am

We enabled the device management portal in the "new" Duo Prompt for applications using CalNet SSO. This allows users to add/remove 2-Step devices directly from the CAS/Duo prompt rather than having to use the legacy portal from https://mycalnet.berkeley.edu(link is external). The legacy portal will continue to work. This change added a menu item to the "Other Devices" option when the user is going through the 2-step process. The documentation here was updated: https://calnet.berkeley.edu/calnet-2-step/2-step-devices. There was no planned outage associated with this release. CMR: CHG0035675

Services Affected:

CalNet 2-Step Authentication
CAS

June 7, 2022, 5:30 am

We patched CAS from the current version (6.5.2) to the latest version (6.5.4) to apply a bug-fix required to implement new functionality. There was no planned outage associated with this release. CMR: CHG0035622

Services Affected:

May 24, 2022, 7:00 pm

We upgraded the production Shib IDP servers from 4.0.x to 4.1.x. There was no planned outage associated with this release. CMR: CHG0035500

Services Affected:

Shibboleth

April 5, 2022, 8:00 pm

In this release, we enabled the Duo Universal Prompt which changed how Duo looks and behaves. https://calnet.berkeley.edu/news/new-changes-duo-browser-workflow. In addition, we upgraded CAS on the production auth.berkeley.edu cluster to 6.5. CMR: CHG0035435

Services Affected:

CalNet 2-Step Authentication

April 1, 2022, 1:00 pm

This release was patching for our production Shib clusters and upgrading Tomcat to the latest version. All other Shib environments were patched with latest versions. CMR: CHG0035451

Services Affected:

Shibboleth

March 31, 2022, 11:45 am

This release included patching our production CAS clusters. All other CAS environments were patched with latest versions. CMR: CHG0035449

Services Affected:

March 31, 2022, 8:00 am

This release included patching for our backend services with the latest version of Spring, and changing the Java version our frontend is running. CMR: CHG0035448

Services Affected:

Berkeley Person Registry
Account Provisining
CalNet Admin Tool
CalNet Account Manager

March 24, 2022, 10:00 am

This emergency release fixed a bug that prevented CalNet accounts from expiring when they should. CMR: CHG0035425

Services Affected:

Berkeley Person Registry
LDAP

March 22, 2022, 7:00 pm

This release included additional tracking of UCPath primary jobs and a bug fix. CMR: CHG0035401

Services Affected:

Berkeley Person Registry
Account Claiming

March 22, 2022, 7:00 pm

In this release, we changed the firewall configuration for the CalNet LDAP cluster dedicated to authentication services. CMR: CHG0035405

Services Affected:

LDAP
Firewall

February 17, 2022, 7:00 pm

In this CalGroups change, we refactored 2-Step groups and also added a new feature for some admins in CalGroups to view alumni both in their groups and in their searches. 2-Step users should not notice the change. CMR: CHG0035296

Services Affected:

CalGroups
CalNet 2-Step

February 17, 2022, 7:00 pm

This was a major upgrade of the identity management system that does data intake, identity matching, account provisioning, web services and data writing to LDAP and Active Directory. The significant changes can be summarized as: A refactoring onto the latest Spring Boot framework (numerous code changes as a result), an upgrade to using latest dependency libraries, an upgrade to using latest Java 17 LTS, an upgrade to the Tomcat 9 application server, and moving to new, upgraded virtual machines running RedHat. There was a short planned outage associated with this release. CMR: CHG0035238

Services Affected:

Berkeley Person Registry
CalNet Admin Tool
CalNet Account Manager

January 30, 2022, 9:00 am

We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. During this cycle we also upgraded our Nginx proxy servers. There was a short outage of bpr.calnet.berkeley.edu that affected CAT and CAM while that host rebooted. CMR: CHG0035220

Services Affected:

Berkeley Person Registry
CalNet Admin Tool
CalNet Account Manager
CAS
Shibboleth
CalGroups
LDAP

December 21, 2021, 7:00 pm

We patched the Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. There was a short outage of bpr.calnet.berkeley.edu thereby affecting CAT and CAM while that host rebooted. CMR: CHG0035116

Services Affected:

Berkeley Person Registry
CAS
Grouper
LDAP
Shibboleth

December 2, 2021, 7:00 pm

In this release, CalNet is updating email templates used for account locking and for Stu-Delegate account creation. CMR: CHG0035062

Services Affected:

Berkeley Person Registry
Account Claiming

November 30, 2021, 7:00 pm

The CalNet team is implementing an emergency change. The IP address of shib.berkeley.edu(link is external) will change. CMR: CHG0035046

IMPORTANT: If you currently enforce outbound firewall rules for web traffic, you must add an additional allow rule for the new Shibboleth virtual IP:

Port: 443
IP: 169.229.54.216

Services Affected:

SAML-based logins (bMail, ServiceNow, Adobe)

October 15, 2021, 6:00 am

We configured all Duo integrations to remove the phone callback option by default. Existing telephone users were not impacted and were required to fill out an exception by January 12, 2022. After January 12, 2022 only users with an exception / valid business case for using telephone with Duo are allowed to use the feature. There was no planned outage associated with this release. CMR: CHG0034869

Services Affected:

CalNet 2-Step Authentication

October 10, 2021, 8:30 am

We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. There was a short planned outage for CAT/CAM within the release window. CMR: CHG0034879

Services Affected:

Shibboleth
LDAP
Berkeley Person Registry
CAS
Grouper
CalNet Admin Tool
CalNet Account Manager

September 25, 2021, 6:00 am

The CalNet Postgres databases will be upgraded by the campus database team. This will result in an outage of some CalNet services of approximately 90 minutes. CalNet logins will not be impacted during this outage. CMR: CHG0034838

Services Affected:

CalNet Account Manager (including account claiming, changing passphrase or ID and managing 2-Step)
CalNet Admin Tool
Berkeley Person Registry
CalGroups
The identifiers web service used by CalCentral and iHub

September 1, 2021, 7:00 pm

We deployed code changes for CalNet Identity Management. There was a short planned outage for a few minutes within the release window. CMR:CHG0034797

Services Affected:

Berkeley Person Registry
CalNet Account Manager
CalNet Admin Tool
Account Claiming

August 8, 2021, 6:00 am

We upgraded CAS on the production auth.berkeley.edu cluster to 6.3. This version of CAS is required to maintain support and future product enhancements and security patches. Other enhancements include: support for TLSv1.3, improved support for SAML and OIDC, support for newer Duo prompt, various upgrades to system software including Java, Tomcat, and Nginx. There was a planned outage associated with this release. CMR:CHG0034740

Services Affected:

CAS
Shibboleth

July 29, 2021, 6:45 pm

The CalNet Admin Tool got an update allowing support staff to use the Duo Application for user verification. There was a planned outage associated with this release. CMR:CHG0034736

Services Affected:

CalNet Admin Tool
CalNet Account Manager
Berkeley Person Registry

July 22, 2021, 7:00 pm

We updated CAT/CAM to implement a compatibility change for CAS 6 and Slate delegated logins. There was a brief outage while the server restarted. CMR:CHG0034593

Services Affected:

Berkeley Person Registry
CalNet Admin Tool
CalNet Account Manager

June 17, 2021, 7:30 pm

This release included changes to identifierTypes, changes to the no recovery email address screen in CalNet Account Manager, and changes to roles in CalNet Admin Tool. There was a planned outage associated with this release. CMR: CHG0034593

Services Affected:

CalNet Admin Tool
CalNet Account Manager
Berkeley Person Registry

May 24, 2021, 11:05 am

Starting at approximately 11:05 am some clients may have seen errors when trying to log into a CAS-protected application. The issue was resolved fully by 12:36 pm. The java process running the Tomcat web application server had more open file handles than allowed by the operating system. In trouble-shooting we found that the CAS process opens that script for every user log in to the service, but never closes the file handle. Over the course of approximately 30 days the number of opened files for that process grew above the hard limit set by the OS. There was an unplanned outage associated with this release which took place intermittently across the release window. CMR: CHG0034546

Services Affected:

May 20, 2021, 7:00 am

The majority of the remaining deprecated attributes definitions (objectClasses and attributeTypes) were removed. These attributes are no longer maintained and have been marked for removal for several years. The list of attributes that were removed can be found at https://calnet.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization#B. There was no planned outage associated with this release. CMR: CHG0034495

Services Affected:

LDAP

May 20, 2021, 5:00 am

We configured DNS failover for the ldap.berkeley.edu cluster. This allows the service to automatically fail over to San Diego in case of a major network or system outage at EWH. There was no planned outage associated with this release. CMR: CHG0034507.

Services Affected:

LDAP

May 19, 2021, 7:00 pm

We issued a new certificate for the ldap cluster at ldap.berkeley.edu in preparation for enabling automated failover to our SDSC data center the following morning. We quiesced traffic to each node in turn to update the certificate. There was no planned outage associated with this release. CMR: CHG0034514.

Services Affected:

LDAP

May 5, 2021, 9:00 pm

This change allows campus postdocs to have a longer grace period. There was no planned outage associated with this release. CMR: CHG0034476

Services Affected:

Berkeley Person Registry

May 2, 2021, 6:00 am

We changed the load balancing direct routing method used by ldap.berkeley.edu to stop using ARP tables and instead use iptables. The ldap.berkeley.edu cluster configuration for direct routing was not working as intended. Some applications were experiencing loss of connectivity to ldap when we performed maintenance that should otherwise be transparent. This change was intended to correct this issue and allow us to perform maintenance without impacting customers in the future. There was a planned LDAP outage of 10 minutes within the release window. CMR: CHG0034444

Services Affected:

LDAP

April 25, 2021, 6:30 am

We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition, we applied patches as needed from custom repositories for Zabbix and Duo. We patched to address OS bugs and vulnerabilities. There was a 5 minute outage for Manage My CalNet while that system rebooted. CMR: CHG0034443

Services Affected:

BPR systems
CAS
Grouper
LDAP
Shibboleth

April 21, 2021, 9:00 am

We issued a new certificate for the ldap cluster at ldap.berkeley.edu in preparation for enabling automated failover to our SDSC data center. We quiesced traffic to each node in turn to update the certificate. Application owners and developers using non-system keystores should ensure they are only referencing the root and intermediate certificates, and not the leaf node. There were no planned outages associated with this release. CMR: CHG0034209

No Services Affected

April 15, 2021, 7:00 pm

We upgraded the SDSC production Shibboleth servers to the same version we are now running in EWH. We did a quick failover test to confirm them afterwards. There were no planned outages associated with this release. CMR: CHG0034424.

Services Affected:

Shibboleth

March 31, 2021, 7:00 pm

We have upgraded the Shibboleth IDP to version 4x in order to stay current with the most recent release. There were no planned outages associated with this release. CMR: CHG0034375

Services Affected:

Shibboleth

March 22, 2021, 7:00 pm

This CalNet release included changes to the CalNet Account Manager Forgot Passphrase tool and added additional functionality to handle Potential Hire Academic POIs from UCPath. There was a brief outage during the specified release window. CMR: CHG0034359

Services Affected:

CalNet Account Manager
Berkeley Person Registry

March 4, 2021, 6:30 pm

CalNet restarted registry-p1 Tomcat for a DDODS database host change. There was a brief outage during the half-hour release window. CMR: CHG0034321

Services Affected:

Berkeley Person Registry
CalNet Account Manager
CalNet Admin Tool

February 23, 2021, 6:00 am

We replaced the certificate on the CAS instance (auth.berkeley.edu). The new certificate has a different issuer. We deprecated the Extended Validation certificates in favor of standard InCommon SHA-2 certificates. Certain applications, such as those using Java key stores or other non-operating system certificate stores, may require providing the root certificate in addition to the intermediate certificates. Obtain certificates from a trusted source like the certificate store on your local computer or directly from the Root CA. There were no planned outages associated with this release. CMR: CHG0034268

Services Affected:

February 11, 2021, 7:00 am

We replaced the certificate on the test CAS instance (auth-test.berkeley.edu). The new certificate has a different issuer. We deprecated the Extended Validation certificates in favor of standard InCommon SHA-2 certificates. Certain applications, such as those using Java key stores or other non-operating system certificate stores, may require providing the root certificate in addition to the intermediate certificates. Obtain certificates from a trusted source like the certificate store on your local computer or directly from the Root CA. There were no planned outages associated with this release. CMR: CHG0034267

Services Affected:

January 1, 2021, 9:00 am

We increased LDAP replication retention from 3 days to 5 days to ensure changes made while EWH DC is unavailable are retained in the event that the outage is longer than expected. These changes were pushed to LDAP-test on December 21, 2020. There were no planned outages associated with this release. CMR: CHG0034176

Services Affected

LDAP

December 21, 2020, 8:00 am

We removed the deprecated attribute values from CalNet LDAP directory (access to these attributes was revoked on Oct 29th). A list of those attributes can be found at https://calnet.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization#B. There were no planned outages associated with this release. CMR: CHG0034140

Services Affected

LDAP

December 3, 2020, 6:30 pm

We changed the production DDODS connection string, no longer recognizing academic potential hire POI type, and changed how effective rows are calculated from DDODS POI table. There was a brief outage that occurred between 6:30pm - 7:00pm. CMR: CHG0034129

Services Affected

Berkeley Person Registry

November 30, 2020, 7:00 pm

We had about 1200 old-style departmental accounts that were expired. We moved them from ou=people to ou=expired people in LDAP. We have made attempts to contact these account owners, but there may still be some users who are using these old-style accounts. If that is the case, then we can roll back the change for that particular account. There was no planned outage associated with this release. CMR: CHG0034115

Services Affected

LDAP

November 30, 2020, 6:30 pm

We have set up new servers for the SPA Admin app. CNAME changes for the idc.berkeley.edu will point to these new servers. We added a new server name, spa.berkeley.edu, that idc.berkeley.edu will redirect to. This release included a planned outage, however the outage was momentary, and only impacted users logged in at that moment. If users were using the application at that time, they needed to refresh their browser. CMR: CHG0034119

Services Affected

SPA Admin Application

November 30, 2020, 6:00 pm

To make it easier to determine if one has the current person when adding a member to a group in CalGroups, we added more attributes to the display value for member lookups. Previously, it was displayName. It was changed to uid - displayName - department name or "non-FSA". This release included a planned outage, however the outage was momentary, and only impacted users logged in at that moment. If they were using the application at that time, they needed to refresh their browser. For more information regarding this release, please click here(link is external). CMR: CHG0034116

Services Affected

CalGroups

November 17, 2020, 8:00 pm

Informational Update - in this release, the Windows and bConnected teams switched the authentication page from ADFS to CAS for some campus services (eg Sharepoint). This release included a planned outage, however the outage was less than a minute and only impacted authentication attempts for applications using ADFS during that minute. CMR: CHG0034088

Services Affected

CAS
Sharepoint
O365
Azure
ADFS

November 12, 2020, 10:00 pm

We are pointing BPR to a different back-end LDAP cluster. This required a server restart. There was a planned outage for 5 minutes during the 60 minute time frame of this release. CMR: CHG0034016

Services Affected

CalNet Account Manager
CalNet Admin Tool
Berkeley Person Registry

November 8, 2020, 9:00 am

We brought two new LDAP hosts online to replace our remaining RHEL6 LDAP hosts. These hosts are dedicated to the BPR application but participate in the multi-master synchronization topology for all production LDAP servers. There was no planned outage associated with the release. CMR: CHG0034014

Services Affected

LDAP

October 29, 2020, 7:00 pm

SPAs were showing up in departmental groups in CalGroups after the recent changes. Since these departmental groups are employee groups, we removed the SPAs from these groups. There was no planned outage associated with the release. CMR: CHG0034037

Services Affected

SPA Admin Application
CalGroups

October 29, 2020, 7:00 am

We removed access to the CalNet LDAP/directory deprecated attributes. Those attributes can be found at https://calnet.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization#B. There was no planned outage associated with the release. CMR: CHG0033993

Services Affected

LDAP

October 17, 2020, 9:00 am

We made modifications to SPA group names to allow both the group and the SPA to be added to groups. Multiple application owners would like to add SPAs to their groups since the accounts show up in their account list rather than the personal account.

Services Affected

CalGroups
LDAP
SPA Admin Application
CalNet AD

September 25, 2020, 2:00 pm

We updated the language found at mycalnet.berkeley.edu. This required a restart of CalNet Account Manager, so account claiming, passphrase resets, and other CAM functions were briefly unavailable.

Services Affected

CalNet Account Manager

September 19, 2020, 9:00 am

We made changes to property files in production Shibboleth by adding a new scripted attribute for the Library. CMR: CHG0033929

No Services Affected

September 19, 2020, 7:00 am

We reconfigured the LDAP cluster to use a different type of load balancing. This will enable us to track remote client IPs better. CMR: CHG0033928

Services Affected

LDAP

September 10, 2020, 7:00 pm

We renewed the certificate for the ldap cluster at ldap.berkeley.edu before it expires. We quiesced traffic to each node in turn to update the certificate. Application owners and developers using non-system keystores should ensure they are only referencing the root and intermediate certificates, and not the expiring leaf node. CMR: CHG0033895

No Services Affected

September 9, 2020, 7:00 am

We reconfigured the offsite LDAP clusters used for Shibboleth/CAS DR as well as general LDAP services to use a different type of load balancing. This enables us to track remote client IPs better. CMR: CHG0033896

Services Affected

LDAP at SDSC

September 2, 2020, 9:00 am

CalNet shutdown the CalAccess service at https:/idc.berkeley.edu/ca since the application is no longer in use. CMR: CHG0033880

No Services Affected

September 1, 2020, 10:30 am

We moved CalNet's Production Shared Services AWS account from the current AWS organization to the newer control tower-enabled central payer account organization. CMR: CHG0033881

No Services Affected

September 1, 2020, 7:00 am

CalNet will remove approximately 50 unused and deprecated attributes from the berkeleyEdu objectclass(es) and delete the attribute definitions from the schema. We will be applying this change to LDAP Test on August 11th. CMR: CHG0033825

Services Affected

LDAP

September 1, 2020, 7:00am

The passphrase complexity changes scheduled for August 17 have been rescheduled to September 1, 7am.

CalNet is updating the passphrase complexity requirement standards. Updated password complexity requirements will only affect *newly* created accounts or passphrases changed after the implementation. CMR: CHG0033821

Services Affected

BPR
CalNetAD

July 23, 2020, 7:30 am

Updated the certificate for the CalNet ActiveMQ instance because it was due for renewal. CMR: CHG0033781

Services Affected

CalNet Account Manager
CalNet Admin Tool

July 22, 2020, 8:00 pm

Removed the "Entity not found" entries from CalGroups. Entity not found entries in CalGroups are of two types. They are from either ou=expired or ou=advcon. We will remove those from ou=expired from all groups. We cleaned-up the advcon entries from any official groups, but not app or org groups. CMR: CHG0033797

Services Affected

CalGroups

July 8, 2020, 7:00 am

We are making updates to the LDAP schema in preparation for the new CalNet Directory Update tool. This includes modifications that should only be visible to internal CalNet processes.

CMR: CHG0033749

No Outages

July 4, 2020, 7:00 am

Additional settings to ensure a secure operating system. These settings have already been applied to the production CAS systems since April and have been in our test environment for a month. There will be a 10-minute outage of BPR while the server restarts after patching. Other services are load-balanced and no outage is expected. CMR: CHG0033719

Services Affected

BPR / CalNet Account Manager
Shibboleth
CalGroups
Manage My Keys
LDAP

July 1, 2020, 6:30 am

The PostgreSQL instance 'calnetbprprod' was migrated to a new RHEL7 VM dba-postgres-prod-55, as the RHEL6 VMs will soon be out of support. This database supports Calnet-BPR/IDM application. CMR: CHG0033740

Services Affected

BPR / CalNet Account Manager
CalNet Admin Tool

May 25, 2020, 7:30 am

We have upgraded CalGroups production servers to Grouper version 2.4. CMR: CHG0033624

Services Affected

CalGroups

May 23, 2020, 8:00 am

This change updates the CAS configuration to allow the release of the mail attribute for Sponsored Guests. CMR: CHG0033623

Services Affected

LDAP
CAS
CalNet Sponsored Guests

May 14, 2020, 6:00 pm

This release includes the following bug fix and feature enhancements, and will include a brief outage (less than 5 minutes) of BPR apps while the servers restart. CMR: CHG0033589

Services Affected

CalNet Account Manager
CalNet Admin Tool
CalNet Namespace
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CAT-172	Add Status and Expiration Date to CAT
CNR-2011	Changes to ou and berkeleyEduExpDate calculation for some students
CNR-2013	New Changes to Account Locked Emails
CNR-2010	User with CAT Role: ROLE_IHUB_TRIGGER is not able to trigger iHub message
CNR-2012	Create new person info registry-service endpoint for Directory Update app

April 29, 2020, 9:55 pm

This release will change the method of download for the InCommon Metadata. We have been doing nightly downloads of the entire list of InCommon SPs. A new method, Metadata Query service (MDQ), allows us to only download the SPs we need to access.
We will also begin the IDP cert change process. It involves adding the replacement cert to the metadata along with the original cert, allowing time for SPs to pick up the new cert, and eventually removing the original cert from the metadata. CMR: CHG0033559

Services Affected

Cloud based services including bConnected
Shibboleth

April 28, 2020, 7:16 am

This release is the removal of assured replication from the CalNet LDAP replication domains.CMR: CHG0033523

Services Affected

LDAP

April 28, 2020, 7:16 am

This release applies additional OS security settings to our systems. This change is to configure the level 1 and 2 CIS benchmark settings.CMR: CHG0033480

April 17, 2020, 2:08 pm

This release updates BPR and changes the managing of expired STU-DELEGATEs. When a student affiliation is expired, the delegate's stu-delegate affiliation will also expire.
When a student has extended SIS access, the delegate's affiliation should expire when the student's extended SIS access affiliation expires. There is no grace period for STU-DELEGATE affiliations. CMR: CHG0033488

Services Affected

April 14, 2020, 6:44 am

This release will enable hostname whitelisting to the CAS Duo integration in production. This was done for auth-test several months ago.CMR: CHG0033474
Services Affected

April 3, 2020, 8:55 am

This release adds an additional cipher to our LDAP servers' configuration to support older hosts using openssl.CMR: CHG0033453
Services Affected

LDAP

March 18, 2020, 6:30 pm

This release disables TLS 1.0 and 1.1 so that clients/integrations must use at least TLS 1.2.CMR: CHG0033356
Services Affected

BPR
CalNet Account Manager
CalNet Admin Tool
CalGroups
CAS
LDAP
Shibboleth

March 18, 2020, 6:30 pm

In this release, we will be applying a text change to the Berkeley Person Registry (BPR), specifically the CalNet Account Manager. Most public-facing BPR functions, like the CalNet Account Manager and CalNet Admin Tool, will be offline for a minute or two while the server restarts. CMR: CHG0033431

Services Affected

Berkeley Person Registry
CalNet Admin Tool
CalNet Account Manager

March 16, 2020, 6:00 am

This release is the removal of the expiring AddTrust root certificate is in the SSL template used for the EWH CAS load balanced VIP. CMR: CHG0033399

March 3, 2020, 9:30 pm

We will be changing the source for the org tree data found in production LDAP on Wednesday 3/4 from 9:30 - 10. There is no expected downtime. CMR: CHG0033388

March 3, 2020, 9:00 pm

We will change the certs for IDC servers on Wednesday 3/4 at 9 pm (30 min window). There will be no downtime, as the servers are HA. The services, SPA admin and Manage My Keys, will continue to be accessible during the change. CMR: CHG0033387

March 3, 2020, 5:30 pm

This code release for Berkeley Person Registry includes Grails upgrade, modifications to logic, and bug fixes. CMR: CHG0033384

Tickets Resolved

Ticket	Comment
CNR-1990	Upgrade to Grails 3.3.11
CNR-1989	Upgrade Grails Spring Security plugin to 3.3.1
CNR-441	Implement security on ucb-match and registry-match-service
CNR-1992	Modify match engine and match service configurations to use auth
CNR-1984	Restrict length of new CalNetIDs to 19 characters
CNR-1987	Change CalnetID requirements page to show max of 19 instead of 20
CNR-2003	Content change for source for i371 requests sent to iHub
CNR-1995	User is active but should not be

February 27, 2020, 8:00 pm

This release is an upgrade of CAS (auth.berkeley.edu) to 5.3.15. It includes minor bug fixes as well as CalNet specific changes to improve some error messages as well as an updated URL for forgotten passphrases. No outage is expected. CMR: CHG0033329

February 19, 2020, 8:00 pm

This release changes the way that Special Purpose Accounts are provisioned. We will no longer be using OpenIDM. No downtime is expected. CMR: CHG0033331

February 18, 2020, 7:00 am

At 7am on Tuesday, Feb 18, we will enforce AuthZ on CAS-enabled applications using the wildcard (*.berkeley.edu) registration. The purpose of this change is to ensure that, by default, only CalNet users with 2-step verification are permitted to authenticate. This includes all active and in-grace students, employees and affiliates, logging in as themselves or using SPAs or rSPAs. CMR: CHG0033199

See https://calnet.berkeley.edu/calnet-technologists/single-sign/sso-authorization for more information.

February 13, 2020, 7:00 am

This release is an update of the certs for CalGroups. There will be no downtime. CMR: CHG0033332

January 28, 2020, 7:30 am

A new version of CAS (5.3.15) will be released to auth-test on January 28. The update includes:

Update to the forgot CalNet ID or passphrase link on the CAS screen
Add 2-step help link and better language to the MFA error page
Various minor fixes in the base CAS project

December 17, 2019, 8:00 pm

This release is a certificate update for bpr.calnet.berkeley.edu. There will be a brief outage of BPR as the service restarts. CMR: CHG0033161

Services Affected

Berkeley Person Registry
CalNet Admin Tool
CalNet Account Manager

December 6, 2019, 5:30 pm

This release includes bug fixes and feature enhancements to Berkeley Person Registry, CalNet Admin Tool and CalNet Account Manager. CMR: CHG0033126

Services Affected

CalNet Account Manager
LDAP
CalNet Admin Tool
CalNet Namespace
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CAT-162	UIDOld and UIDOldConsolidationDate not getting written in consolidation
CAT-169	Namespace folders do not get moved from expired records in LDAP upon consolidation
CAT-170	ConsolidationDate and CalNetUidOld do not get written
CNR-1961	Detect and delete VOID VOID records
CNR-1962	Change Locked Account Email
CNR-1969	Update passphrase requirements text
CNR-1975	problem with BUSN email getting to UCPath
CNR-1978	Multiple new SORObjects partially matching to a UID
CNR-1979	Change the Rank Order used for Names from SORs
CNR-1980	Fix hash code bug when two DDODS email addresses swap PREF_EMAIL_FLAG values.
CNR-1981	Recognize PREF_EMAIL_FLAG='N' UCPath emails.

December 4, 2019, 9:00 pm

This release retires the legacy CalNet Guest application. CMR: CHG0033137

Services Affected

CalNet Guest application

Tickets Resolved

Ticket	Comment
CG-187	Retire Legacy Guest App

November 21, 2019, 8:30 am

We will be launching the process that enables the policy of requiring an employee as part of a SPA user group starting Thursday morning, Nov. 21 at 8:30 am. There is no down time.

Services Affected

Special Purpose Accounts

November 21, 2019, 7:00 am

We are making two changes to our LDAP access logs.

1. Add milliseconds to the timestamp format.
2. Switch to a combined log format to simplify log parsing and reduce log size.

Services Affected

LDAP

November 15, 2019, 8:00 am - November 22, 2019

We will decommission net-auth-p1 and calnet-p2 servers.

Both servers will be powered off and then deleted after 7 days.

Services Affected

Open IDM
SPA Admin App

November 13, 2019, 9:00 pm

We need to restart openidm on idm-p1 to remove a dependence on the krbservice/net-auth. The service affected is the SPA Admin app which is available to employees only. 2 minute outage of SPA App expected. CMR: CHG0033079

Services Affected

Open IDM
SPA Admin App

November 12, 2019, 7:00 am

We will update CAS registrations to specifically ensure sponsored guests cannot access services that have not directly been enabled for sponsored guests by the application owner. In some cases it is possible for a sponsored guest who has an existing and valid SSO session to access an application that has not specifically been enabled for guest access. This is due to an issue in CAS that affected the migration of service registrations and was fixed in the last CAS upgrade. CMR: CHG0033075

Services Affected

October 29, 2019, 8:00 pm

We will upgrade CAS (auth.berkeley.edu) to 5.3.12.1 and Tomcat server to 8.5.46. Both contain numerous bug and security fixes. Hazelcast is bundled with CAS and will receive a version bump as well. Auth-test and auth.berkeley.edu will be upgraded as follows:

Monday, 10/7 @0800 - Implement in auth-test.berkeley.edu
Tuesday, 10/29 @2000 - Implement in auth.berkeley.edu

We encourage developers to test their applications thoroughly against https://auth-test.berkeley.edu(link is external). A separate announcement will be sent for the production upgrade toward the end of October. CMR: CHG0032985

Services Affected

October 24, 2019, 9:00 pm

This release is a minor change to the idc.b.e/mmk app. We are removing the user defined option for bConnected keys. Given the idc.b.e system is HA, there is no expected downtime. CHG0033031

Services Affected

Manage My Keys

October 22, 2019, 5:30 pm

In this release, we add known bad passwords to ucb-dictionary. CMR: CHG0033024

Services Affected

ucb-dictionary
bidms-downstream
registry-service
account-manager

October 7, 2019, 8:00 pm

This release includes configuration adjustments and cosmetic changes to CAS. It was released to auth-test.berkeley.edu on 9/30/19 to allow time for testing. There are no major changes to CAS code in this release. CMR: CHG0032969

Services Affected

September 13, 2019, 6:00 pm - September 16, 2019, 8:00 pm

This release includes substantial changes to the CalNet stack. The MIT Kerberos authentication servers are being retired in favor of Active Directory. Reorganization of the AD structure follows security best practices and allows CalNet to be system of record for all user objects.

In addition, this release contains feature enhancements and bug fixes for CalNet Account Manager and CalNet Admin Tool; removal of legacy HCM and SIS processes; and an upgrade to Grails 3.3.10.

There may be brief periods of instability in the CalNet suite of services over the weekend while user account reprovisioning occurs. We expect all systems to return to their normal functions by 8pm on Monday, Sept. 16.

This release also retires the CalNet Sync Tool.

CMR: CHG0032879

Services Affected

All CalNet and Berkeley Person Registry Applications

CalNetAD

CalNet Sync Tool

Tickets Resolved

Ticket	Comment
CNR-1899	Change to match rule #2
CNR-1903	Remove legacy HCM account claiming entirely from CAM (Was: Delete extra employee account claim in CAM admin view)
CNR-1909	Fix UCPath LdapSync'ing in test environment
CNR-1904	Changes to CalNet ID creation - confirmation email
CNR-1938	Create a "Super Canonical" match engine config rule type
CNR-1939	registry-sor-gateway Quartz jobs stop working after some amount of time in production
CNR-1937	There is a CAM cache bug when a user changes calnetId
CNR-1926	Make it configurable to switch between sendgrid and greenmail for registry-service quartz jobs that send out email
CNR-1936	Not able to change CalNet ID to something I already own
CNR-1924	Need a way to identify "presirs with calnetIds" using roles
CNR-1922	AD provisioning: Changes to who gets provisioned to AD
CNR-1921	AD provisioning: OU changes based on primary affiliation
CNR-1920	AD provisioning: primaryGroupID changes based on primary affiliation
CNR-1919	Create new provisioning groups in my local AD
CNR-1918	AD provisioning: Active userAccountControl for in-grace people
CNR-1914	AD provisioning: OU and primaryGroupID changes for different primary affiliations and keeping in-grace people active
CNR-1516	Modify bidms-downstream change password endpoint to recognize certain AD passphrase validation errors codes
CNR-1911	Modify BPR tools to use AD Kerberos and not krbservice
CNR-1927	Enhancement to bidms-connectors/bidms-downstream to add and remove a person from directory groups
CNR-1917	When doing password change, use an user bind rather than an administrative bind
CNR-1928	Enable sendgrid (to test mailbox) in test for reg-serv end-of-life jobs
CNR-1496	Remove sisStudentSorKeyDataExtractor from sor-key-data-service
CNR-1944	bidms-downstream memory leak
CNR-1945	bidms-connectors isn't detecting a change when userAccountControl bits should be changing so no write is performed
CNR-1947	No longer referencing SYSADM.PS_TERM_TBL in any BPR queries to SIS databases
CNR-1946	Add CWR004 Staff Intern and CWR012 Traveling Nurse to official affiliatons in BPR
CNR-1910	Remove legacy hcm from SOR Gateway Service
CNR-1891	Remove defunct legacy HCM provisioning code from registry-provisioning-scripts
CNR-1949	Upgrade BIDMS web apps to Grails 3.3.10
CNR-1951	Add Deposit Pending to Campus Solutions query
CNR-1941	Provision BPR-managed SPAs to LDAP
CNR-1950	Update content on CAM welcome page
CNR-1956	Additional audit logging for CAT split/merge/reconciliation
CNR-1957	Additional audit logging for CAT split/merge/reconciliation
CNR-1958	Additional audit logging for CAT split/merge/reconciliation
CNR-1959	CalNet ID naming requirements need to be more restrictive temporarily

September 12, 2019, 8pm

In this release, we will add new authentication profile to the shibcas plugin. This is very minor change. Service won't be affected because the servers are in an HA configuration. CMR: CHG0032909

Services Affected

Shibboleth

September 12, 2019, 8:15 pm

This is a minor change to CalGroups, CalGroups that changes the large group limit for AD and LDAP provisioning from CalGroups. There will be a short break (15 sec) in provisioning to AD and LDAP when the provisioning service is restarted. CMR: CHG0032908

Services Affected

CalGroups

August 1, 2019, 6:00 am

This release will update CAS logging and A10 health checks. CMR: CHG0032767

Services Affected

July 4, 2019, 8:00 am

This is a test of DNS failover for auth.berkeley.edu and shib.berkeley.edu starting the morning of Thursday, July 4th at 08:00 AM PT. CMR: CHG0032674

The test period is expected to last for approximately 1 hour. During this period DNS requests for auth.berkeley.edu and shib.berkeley.edu will return the addresses for our DR site.

If you currently enforce outbound firewall rules for web traffic, you should add additional allow rules for the SDSC virtual IPs:

CAS:
Port: 443
IP: 192.107.102.203

Shib:
Port: 443
IP: 192.107.102.199

This should be transparent to your applications. If you experience any issues please contact calnet-admin@berkeley.edu(link sends e-mail) with a thorough description of your problem.

Services Affected

CAS
Shibboleth

July 3, 2019, 7:00 pm

This release will prevent Student Volunteers from creating CalNet accounts, per instruction from UCPath. There will be a brief outage when the servers are restarted. CMR: CHG0032702

Services Affected

CalNet Account Manager
CalNet Admin Tool

July 2, 2019, 7:00 am

DNS change for the Shibboleth production hostnames to allow us engage in HA with our SDSC servers. There will be an outage of Shibboleth of up to 10 minutes during this time. CMR: CHG0032671

Services Affected

Shibboleth

June 20, 2019, 8:00 am

We will upgrade CAS on the test auth-test.berkeley.edu cluster to 5.3.11. The CAS release contains bug fixes for delegated authentication. The CalNet-specific changes include enabling authentication and ticket issuance throttling. No downtime expected, we will fail over to SDSC and back to EWH. CMR: CHG0032637

Services Affected

auth-test.berkeley.edu

June 13, 2019, 9:00 pm

In this release, we will remove the passphrase synchronization feature from auth.berkeley.edu in preparation for the migration to AD Kerberos. This is not a user-facing function of CAS and is not to be confused with the passphrase reset features of CalNet Account Manager. CMR: CHG0032603

Services Affected

June 13, 2019, 7:00 am

In this release, we will configure DNS failover for the shib-test.berkeley.edu Shibboleth cluster. This will allow Shibboleth to fail over to San Diego in case of a major network or systems outage at EWH. There will be an outage to shib-test as DNS records will be deleted and re-created as new record types. CMR: CHG0032614

Services Affected

shib-test

June 6, 2019, 7:00 am

This release is a patch of RHEL 6.x and the JVM for the idc.berkeley.edu application cluster. CMR: CHG0032587

Services Affected

idc.berkeley.edu, including:
- Legacy Guests
- MMK

June 1, 2019, 10:00 am

This release will enable WebAuthn/FIDO2 and Touch ID for Duo users and devices. See https://guide.duo.com/security-keys(link is external) and https://guide.duo.com/touch-id(link is external) for details on these new options for Duo devices. Existing Duo U2F users will be prompted to re-register their devices. CMR: CHG0032567

Services Affected

CalNet 2-Step

May 28, 2019, 9:00 pm

We will modify the CAS principal lookup filter to be more exclusive by only returning berkeleyEduPerson objects. This is necessary to address an issue discovered while validating new Sponsored Guests with a specific application. CMR: CHG0032578

Services Affected

CAS
Shibboleth

May 23, 2019, 6:30 pm

This expedited change includes changes to UCPath and Sponsored Guests provisioning. CMR: CHG0032577

Services Affected

SOR Gateway Service
Registry Provisioning Scripts
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CNR-1898	UCPATH_DDODS hash query
CNR-1894	CWR020 Student Volunteer
CNR-1887	Cirrus Guest Account provisioning populate beKPS
CNR-1876	Set LDAP ucNetId value from UCPath external identifiers

May 23, 2019, 6:30 pm

This expedited change includes changes to UCPath and Sponsored Guests provisioning. CMR: CHG0032577

Services Affected

SOR Gateway Service
Registry Provisioning Scripts
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CNR-1898	UCPATH_DDODS hash query
CNR-1894	CWR020 Student Volunteer
CNR-1887	Cirrus Guest Account provisioning populate beKPS
CNR-1876	Set LDAP ucNetId value from UCPath external identifiers

May 12, 2019, 10:00 am

This release will modify the queries used for department and title code groups within CalGroups to only use UCPath data. Some users may gain or lose access to systems that use those groups. CMR: CHG0032522

Services Affected

Any system utilizing department / title code groups, such as:
- LDAP
- Active Directory
- Google
- CalGroups API

Tickets Resolved

Ticket	Comment
CG-173	Modify Department and title code groups in CalGroups

May 10, 2019, 6:30 pm

This release will upgrade all Berkeley Identity Management Suite apps to Grails 3.3.9.

It will also remove HCM as a system of record for job data and LDAP affiliations.

Employees and Affiliates that are in HCM but are not yet in UCPath may enter their grace period (https://calnet.berkeley.edu/calnet-me/how-claim-your-calnet-id/grace-periods) and are likely to get an account expiration notice. Employees and Affiliates who receive an unexpected expiration notice should review their UCPath HR status with their HR support staff.

LDAP affiliations for expired HCM and UCPath Affiliates will undergo a change to ensure backwards compatibility:

HCM Affiliates who enter their grace period will get the FORMER-HCM-AFFILIATE affiliation.
UCPath Affiliates who enter their grace period will get the FORMER-AFFILIATE affiliation.
In 3-4 months, CalNet will transition to using FORMER-AFFILIATE, only.
Developers will receive additional communications when this change is made, and when the FORMER-HCM-AFFILIATE will be deprecated.

All affiliate records should only ever have either a FORMER affiliation or an active AFFILIATE-TYPE- affiliation, but not both at the same time.

See UCPath Affiliation Changes(link is external) for additional affiliation information.

CMR: CHG0032500

Services Affected

Berkeley Person Registry
Registry Service
Registry Provisioning
SOR Gateway Service
Match Service
CalNet Account Tool
CalNet Account Manager
LDAP

Tickets Resolved

Ticket	Comment
CNR-1859	Upgrade all BIDMS apps to Grails 3.3.9
CNR-1879	Create replacement roles for Manager/Supervisor in UCPath
CNR-1880	Recognize UCPath "PRF" coded names as sorPreferredName
CNR-1881	Minor changes to match engine logging output
CNR-1884	Assert FORMER-AFFILIATE for former UCPath affiliates. Don’t assert FORMER-HCM-AFFILIATE for active UCPath affiliates.
CNR-1883	Remove legacy HCM job data
CM-445	Edit error message for CAM
CM-447	Error message for twoStepClaim
CM-448	Redirect Slate-authenticated users
CM-449	List of AFFILIATE-TYPE- values for authorization need to be updated in CAM

April 24, 2019, 9:00 pm

In this release, CAS operating system patches will be applied. CMR: CHG0032465.

Services Affected

CAS
Shibboleth

April 24, 2019, 7:00 pm

This release includes work on the CalNet Sponsored Guest project, and some continuing UCPath cleanup. CMR: CHG0032481

Services Affected

Berkeley Person Registry
Registry Service
Registry Provisioning
LDAP
SOR Gateway Service
Match Service
CalNet Sponsored Guests

Tickets Resolved

Ticket	Comment
CNR-1860	Ensure CAM restricts users from creating CalNet IDs that start with UID
CNR-1862	Cirrus reporting http 403 error
CNR-1864	Add REST endpoints to registry-service that talk to Cirrus API to create invitations for existing UIDs
CNR-1865	Write a program that creates Cirrus invitations for existing UIDs through registry-service endpoints
CNR-1863	Convert existing guests into Cirrus guests using pre-sent Cirrus invitations
CNR-1870	Remove legacy SIS (pre-CS) from LdapSync process
CNR-1869	Remove legacy HCM sor from LdapSync process
CNR-1868	Add ucpath to LdapSync now that dev/test have prod ucpath EMPLIDs
CNR-1867	Rename ldapAffilGuestTypeSocial role to be consistent with the new string value in LDAP
CNR-1849	Add sorObjKey to registry-match-service NewSORConsumerService response log message
CNR-1874	Claim token can be used twice
CNR-1875	Trigger IHub button in CAT should send message to both CS and UCPath, if it isn't already

April 14, 2019, 8:00 am

This is an update to the Slate theme of the Duo login page. Related to: CHG0032441.

CMR: CHG0032458

Services Affected

CAS
Shibboleth

April 9, 2019, 8:00 pm

This is an update to a new version of the Duo websdk and includes changes to the CAS login view, to change how the Duo iframe is generated. Some users may now see the 2-Step page rendered as smaller-than-normal. See Known Issues for steps to fix this issue. CMR: CHG0032441

Services Affected

CAS
Shibboleth

April 1, 2019, 4:45 pm

This code is an update to the logic BPR uses regarding UCPath messages; specifically, to ignore ActionReason 'VOI' jobs in I-280 and DDODS. CMR: CHG0032422

Services Affected

Berkeley Person Registry

April 1, 2019, 8:45 am

This code fixes timeout exceptions when provisioning large quantities from Berkeley Person Registry to Active Directory. CMR: CHG0032419

Services Affected

Berkeley Person Registry
Active Directory

March 28, 2019, 3:00 pm

This release fixes a bug in provisioning in which berkeleyEduExpDate got improperly reset for some legacy HCM former employees CMR: CHG0032416

Services Affected

LDAP
Berkeley Person Registry

March 27, 2019, 11:00 pm

With this release, we will replace the EV TLS cert for auth.berkeley.edu. Additional alternative names will be included to support future DNS failover. CMR: CHG0032402

Services Affected

CAS
Shibboleth

March 27, 2019, 3:10 pm

This CalNet release updates logic used to populate employeeNumber attribute in LDAP as well as the way CalNet looks at POIs from UCPath. CMR: CHG0032413

Services Affected

Berkeley Person Registry
LDAP

Tickets Resolved

Ticket	Comment
CNR-1851	UCPath POIs aren't getting masterActive role if their only active affiliation is UCPath POI
CNR - 1852	Delete employeeNumber from LDAP if active UCPath POI/CWR but not an employee, even if active emp in legacy HCM

March 25, 2019, 10:40 am

This deployment is for new code to handle new information from UCPath DDODS tables. This deployment required a restart on registry-p1, which led to a brief outage. This deployment is already complete. CMR: CHG0032404

Services Affected

Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CNR-1847	New info from UCPath: DML_INDICATOR='D' in DDODS tables indicates a DELETED row

March 25, 2019, 7:00 am

In this release, we will configure DNS failover for the auth-test.berkeley.edu CAS cluster. This will allow CAS to fail over to San Diego in case of a major network or systems outage at EWH. There should be no noticeable outage, this is just a transparent DNS change from the perspective of CAS clients. CMR: CHG0032379

Services Affected

auth-test.berkeley.edu
CAS-test

March 22, 2019, 7:00 am

This change is an upgrade to CAS on the test auth-test.berkeley.edu cluster to version 5.3.9. The CAS release contains minor bug fixes. This changes also includes cosmetic updates to support CalNet Sponsored Guest accounts. The TLS certificate for auth-test will also be updated to add additional SAN records for DNS failover and to use an EV certificate to mirror production.

The service will be down for less than 5 minutes for a restart. CMR: CHG0032374

Services Affected

auth-test.berkeley.edu
CAS-test

March 20, 2019, 6:00 am

CalNet will begin UCPath Go-Live and reprovisioning activities on or after 3/20/2019.

During the go-live process, there may be restarts needed that will affect CalNet Admin Tool and CalNet Account Manager for ~5 minutes. Reprovisioning could cause delays in real time messaging and updates to LDAP, Active Directory and API Integration Hub.

LDAP attributes will be updated with UCPath data (most notably: employeeNumber, berkeleyEduAffID, berkeleyEduAffiliations, title codes). Users using these attributes should refer to https://ucpath.berkeley.edu/ucpath-cal/tech-talk(link is external) or https://ucpath.berkeley.edu/faq/technical(link is external) for additional information.

There is no planned outage for SSO, CAS, Shibboleth, or LDAP.

This change date is tentative, and may be delayed by 1 or more days if UCPath conversion is behind schedule. CMR: CHG0032350

Services Affected

LDAP - attributes only
CalNet Admin Tool
CalNet Account Manager

March 20, 2019, 12:00 pm

During this change, legacy apps using Rails are no longer needed and are vulnerable will be retired. CMR: CHG0032376

Services Affected

Manage Your Identity Applications
CalNet Deputy Application
UAS Portal

Tickets Resolved

Ticket	Comment
OPS-409	Deprecate MYI/UAS - calnet-p2/net-auth-p2

March 6, 2019, 6:00 pm

This release will add notices/warnings on the directory update pages hosted on calnet-p1. These warn about the potential for public exposure of addresses and phone numbers entered via the Directory Update app when published to the Campus CalNet Directory.

A brief outage of less than 1 minute will occur when the app is restarted. CMR: CHG0032344

Services Affected

CalNet Directory Update Application

March 6, 2019, 6:45 am

This release includes code changes in support of the UCPath implementation and server patches. There will be two short outages, about one minute each, as the server is restarted. CMR: CHG0032340

Services Affected

Berkeley Person Registry
Registry Service
Registry Provisioning
CalNet Account Manager
CalNet Admin Tool
Active Directory
LDAP

Tickets Resolved

Ticket	Comment
CNR-1667	UCPath: If personal email address becomes available via UCPath, modify sor-key-data-extractor to parse out and modify registry-provisioning-scripts to provision as personal email address
CNR-1741	UCPath: Need to understand how "UCB" POIs are identified in DDODS
CNR-1785	UCPath: Gain access to the DDODS UAT instance
CNR-1801	Modify bidms-connectors to reuse same LDAP connection within a call to persist()
CNR-1803	UCPath: Integrate with the new "delete EMPLID" queue once it becomes available (yet to happen, but code is there to support it)
CNR-1805	UCPath: Quartz job to find old emplids in i-280 sor that aren't in DDODS anymore
CNR-1806	UCPath: dev DDODS hash query throwing an string concatenation exception
CNR-1809	UCPath: DDODS query needs to handle POI-only people with no jobs
CNR-1810	UCPath: The test I-371 IHub REST endpoint is not working
CNR-1811	UCPath: POI_TYPE codes have changed in DDODSQPT
CNR-1812	UCPath: There are additional CWR codes in DDODSQPT that we weren't originally given
CNR-1813	UCPath: The "send to IHub" logic needs to become more complex to support multiple IHub endpoints for CS and UCPath
CNR-1814	UCPath: last_updates subquery is causing slowness of the per-EMPLID DDODS query
CNR-1816	UCPath: Make ucPathId a recognized account claim identifier in CAM and registry-service
CNR-1817	UCPath: Create a SQL query to compare UAT active employee list with legacy HCM active employee list
CNR-1818	UCPath: Modify reg-prov-scripts to have UCPath be prioritized over legacy HCM for payroll-related LDAP attributes
CNR-1819	UCPath: In match engine, make UCPATH_DDODS<->UCPATH_INTER_PERUPD primary key pairing a canonical match
CNR-1820	UCPath: Create a view from DDODS data that only contains I-280 data elements
CNR-1821	UCPath: Look at BOTH PPS_ID and PSFT_ID for a legacy HCM external identifier
CNR-1823	UCPath is sometimes incorrectly removing the leading zero from legacy HCM identifiers
CNR-1829	UCPath: last_updates inline view has a SQL bug in it

February 27, 2019, 9:00 pm

On Wednesday evening (2/27) from 9-10 pm, we will be upgrading the ShibCAS plugin on the production Shibboleth servers. Since the servers are redundant, there will be no down time while the updates happen. This service is used by any campus member logging into an external service like bConnected. CMR: CHG0032328

Services Affected

Shibboleth

February 27, 2019, 7:00 am

This is an update to the CAS / AD password sync filter. With the implementation of AD password sync in CAS on Sunday (CHG0032283) we are seeing a high number of errors for a specific account. This change will alter the LDAP filter to exclude the account from the sync call. CMR: CHG0032323

Services Affected

CAS
Active Directory

February 24, 2019, 8:00 am

We will upgrade CAS on the production auth.berkeley.edu cluster to 5.3.7. CMR: CHG0032283

Notable Changes Include

CalNet AD password synchronization
Improved surrogate/impersonation support for SPAs
Support for social guests
Accessibility improvements

Services Affected

CAS
Shibboleth

February 21, 2019, 6:00 pm

We will reconfigure the httpd TLS settings on calnet.b.e and net-auth.b.e to follow OWASP recommendations for TLS security. A brief outage of less than 1 min will happen as the web servers are restarted. CMR: CHG0032301

Services Affected

Directory Update App
krbservice

February 17, 2019, 9:00 am

In this release, we will extend the berkeleyEduPerson object class to include a new attribute named berkeleyEduUCPathID. After conversion to UCPath, the berkeleyEduHCMID will contain the deprecated employee id. Both berkeleyEduUCPathID and employeeNumber will contain the UCPath employee id. CMR: CHG0032274

Services Affected

LDAP

February 13, 2019, 7:00 am

We will replace the certificate on the test/QA CAS instance (auth-test.berkeley.edu) to update the subject alternative names in preparation for DNS failover testing. There will be a brief outage while CAS is restarted, from 7am-7:10am. CMR: CHG0032291

Services Affected

auth-test.berkeley.edu
CAS-test

February 11, 2019, 9:00 am

This release is an upgrade of the CAS test/QA service definition files to the latest format to prepare for the CAS 5.3.7 upgrade in prod later this month.

We will also implement a new default authorization policy on CAS applications that have not registered with the CalNet team. The default authorization will enforce that any non-registered applications are restricted to student, staff, faculty and valid HCM affiliates. See https://calnet.berkeley.edu/calnet-technologists/single-sign/cas/cas-default-authorization for more information. CMR: CHG0032273

January 31, 2019, 8:00 am

This release is the retirement of the nds.berkeley.edu LDAP service. CMR: CHG0032216. All customers should use ldap.berkeley.edu as the primary LDAP service and ldap-test.berkeley.edu for test/qa purposes.

On October 31, 2018 ldap.berkeley.edu was upgraded to the latest directory server software, which is a major upgrade from nds.berkeley.edu. With that service stable we are now retiring the legacy LDAP service.

If your service depends on LDAP, you can test the performance and functionality of the latest software using either ldap.berkeley.edu or ldap-test.berkeley.edu. It is highly recommended that you test your applications as soon as possible and report any issues to calnet-admin@berkeley.edu(link sends e-mail).

If your application or TLS/SSL libraries do not accept the ldap.berkeley.edu certificates as trusted see this resource for developers.

January 3, 2019, 6:00 pm

This is an emergency release primarily to address a regression bug affecting some accounts with conflicting affiliations. CMR: CHG0032199

Notable changes Include

Fix for employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time
Add LDAP mail attribute for social guests
Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.

Services Affected

Registry Service
Registry Provisioning
Cirrus Guest App
CalNet Account Manager
CalNet Guest Accounts

Tickets Resolved

Ticket	Comment
CNR-1800	LDAP mail attribute with cirrus/social guests user email address
CNR-1804	Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.
CNR-1807	Employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time.
CNR-1808	Add additional exception handling in provisionUid and provisionUidBuilk (related to CNR-1804)

December 2, 2018, 8:00 am

The nds.berkeley.edu certificate is expiring on December 6th, 2018. Though this is now considered to be our legacy LDAP system we have several customers still using the cluster. This may impact their applications if they are manually importing certificates into their application's key store. CMR: CHG0032146

Services Affected

nds.berkeley.edu
Any application still using nds.berkeley.edu

November 30, 2018, 7:00 am

This release is an upgrade of the the test/qa instance of CAS to version 5.3.6. This will enable customers to test the latest version of CAS on auth-test.berkeley.edu. CMR: CHG0032155

Services Affected

CAS auth-test

November 1, 2018, 7:30 am

This release includes a variety of bug fixes; updates to system software; improvements to Registry Provisioning, SOR-Gateway Service, Active Directory, and CalNet Account Manager; and development on UCPath and the Cirrus guest app replacement. CMR: CHG0032080

Notable changes include

Users in grace can use CalNet Account Manager
Users in grace will be disabled but not deleted in Active Directory
Users with a lapsed but not terminated HCM record will receive regular grace period notifications
Guests will be able to use CalNet Account Manager to recover passphrase and change passphrase (new Guests will need to wait 24 hours after account creation before they can use this feature)

Services Affected

Registry Service
Registry Provisioning
SOR Gateway Service
CS Delegates
SOR Gateway
UCPath
Cirrus Guest App
CalNet Account Manager
CalNet Guest Accounts
Active Directory
Special Purpose Accounts

Tickets Resolved

Ticket	Comment
CNR-1744	registry-service java.lang.IllegalArgumentException: null exception
CNR-1743	registry-service principal cannot be null exception
CNR-1748	CS delegate quartz job is running but doesn't appear to be doing anything in production
CNR-1737	UCPath: Get test env hooked up to ddodsdpt ucpath DDODS
CNR-1738	UCPath: Gain access to I-371 integration team's api-central REST endpoint
CNR-1753	UCPath: real time messages need to go through the match engine
CNR-1751	UCPath: Get test env hooked up to i-280 ihub endpoint
CNR-1731	UCPath: Add mock i280 SORObjects to registry-mock
CNR-1662	UCPath: Develop JMS consumer for expected format of real-time iHub messages for I-280 data
CNR-1752	UCPath: Write a script to invoke I-371 (request I-280) for a list of EMPLIDs
CNR-1750	UCPath: Send a UID message to uc path uid endpoint
CNR-1740	UCPath: Add PS_PER_POI_TRANS to DDODS query
CNR-1732	UCPath: Modify reg-prov-scripts to treat the i280 SOR as primary uc path SOR
CNR-1749	UCPath: IHub real-time messages currently contain " " (quotespacequote) for empty values. Need to convert these to nulls.
CNR-1665	UCPath: Modify BPR views to replace HCM with UCPath or augment views with UCPath data
CNR-1758	sor-gateway hash and query quartz jobs should not be executing service methods within log.info() call
CNR-1759	In sor-gateway incorrect calnetSorHashAndQuery.enabled check logic in hash and query quartz jobs
CNR-1761	UCPath: Improve the UcPath?AppointmentsJson.getUcPathAppointmentEffectiveStatus logic for future effective appointments
CNR-1725	UCPath: Mechanism for detecting desynchronization between DDODS and last i280 received
CNR-1762	Create mechanism in SGS to call the IHub UCPath I-371 (request msg) interface
CNR-1771	Cirrus: Create LDAP DownstreamObject for Cirrus guests and add GUEST-TYPE-SOCIAL to berkeleyEduAffiliations (this has changed to GUEST-TYPE-SPONSORED as of March 2019).
CNR-1776	Cirrus: Add sponsorUid to LDAP
CNR-1774	Cirrus: Need to pay attention to the guest end date in the Cirrus JSON
CNR-1763	Cirrus: Add Cirrus SORObject processing to registry-provisioning-scripts
CNR-1766	Cirrus: Add an Identifier type for the Cirrus primary key
CNR-1767	Cirrus: Add an IdentifierType for the Cirrus accepted invitation ID
CNR-1765	Cirrus: Add an IdentifierType for Cirrus Guest Sponsor UID
CNR-1718	Cirrus can't provide sponsorUid, only sponsorEppn (calnetId), in the messages they pass back -- convert eppn to uid as early as possible on our end
CNR-1768	Cirrus: Add an IdentifierType for Cirrus Guest Sponsor EPPN
CNR-1769	Cirrus: Add a cirrusGuest role
CNR-1770	Cirrus: Set primaryOU to ou=Guests
CNR-1772	Cirrus: Add person name from Cirrus JSON to PersonName table
CNR-1773	Cirrus: Add personal (social) email address to Email table
CNR-1722	Latest Apache HttpClient versions, included in recent Grails/SpringBoot apps, break REST HTTP Digest authentication
CNR-1622	Remove commas from the calnet sor person identifier in the CalNet SOR Person tool for a better copy and paste experience
CNR-1782	Create a batch job to reprovision people where current date > ASGN_END_DT
CNR-1784	AD: In-grace people should be disabled in AD, not deleted
CNR-1781	Upgrade SGS to Atomikos 4.0.6
CNR-1780	Upgrade to Camel 2.21.2 and ActiveMQ 5.15.5 within Grails plugins for BIDMS
CNR-1727	Create spa registry account/credentials and grant role to sorObjects endpoint for SPA SOR
CNR-1786	UCPath: Add support to SGS for querying multiple DDODS instances
CNR-1787	UCPath: Add support to SGS to listen on multiple UCPath real time message queues
CNR-1788	Make best effort in determining if person has employee or student in-grace roles during IdentifierBuilder phase and mark identifier as active if so
CNR-1790	In registry-provisioning-scripts legacy SIS role builder, remove anything looking at stale legacy SIS term data
CNR-1791	Confirm a legacy guest can use CAM to change or reset passphrase once legacy system has provisioned Guest to LDAP
CNR-1792	Get CAM forgot passphrase working for legacy guests
CNR-1793	Remove Change Personal Email Address functionality for legacy guests in CAM
CNR-1794	Remove Change CalnetId functionality in CAM for legacy guests
CNR-1783	registry-provisioning needs Spring Security authn/authz added for url protection

October 31, 2018, 6:00 am

This release is a migration of the ldap.berkeley.edu LDAP service to DS 6.0. This is a major upgrade to the LDAP server software and will complete our migration to the latest version. In addition to this upgrade the LDAP SSL public certificate will change. It will be important for developers whose applications do not trust the Comodo root CA to update their applications manually. We will post the new certificate ahead of the upgrade. CMR: CHG0032027

Services Affected

LDAP

October 24, 2018, 6:00 am

This release is a migration of the dir.calnet.berkeley.edu LDAP service to DS 6.0. This is a prerequisite step to change CHG0032027. This upgrade will allow us to implement the updated certificate and test the latest LDAP server software upgrade on the cluster that will become ldap.berkeley.edu on October 31. CMR: CHG0032031

Services Affected

LDAP

October 18, 2018, 9:30 pm

Users going in to grace starting will continue to be required to 2-Step until they expire or move to ADVCON. Users in ADVCON who are currently doing the 2-Step will no longer be required. CMR: CHG0032049

Services Affected

CalGroups
2-Step

October 1, 2018, 10:00 am

The Access Control Instruction (ACI) for the anonymous bind account will be changing starting on October 1, 2018. Currently the ACI permits access to many attributes [1] anonymously, but starting October 1, 2018, access to the berkeleyEduAffiliations attribute will be removed. After further review by various campus security and functional units, further access restrictions are likely to happen at a later date. See Changes to LDAP Binds for more information. CMR: CHG0031961

Services Affected

LDAP

September 30, 2018, 8:00 am

This release is to upgrade the nodes behind the dir-auth LDAP cluster to DS 6.0, apply OS security patches, and apply a new SSL certificate. These nodes support CAS and Shibboleth. CMR: CHG0032023

Services Affected

LDAP
CAS
Shibboleth

September 28, 2018, 7:30 am

This release fixes a bug that is causing accounts in grace to be deleted in AD. This will require a Tomcat restart, which will result in an outage of appox. 30 seconds. CMR: CHG0032030

Services Affected

Active Directory
Registry-p1
SOR Gateway Service
Berkeley Person Registry

September 26, 2018, 9:oo pm

This release is a routine patch of the OS/JVM on the CalNet Grouper and Shibboleth VMs. CMR: CHG0032009

Services Affected

CalGroups
Shibboleth

September 25, 2018, 7:00 am

This release is a change to the CAS screen for students not enrolled in 2-Step, and changes to CalGroups to support the last step of the Student 2-Step project. CMR: CHG0032016

Services Affected

CalGroups
CAS

September 20, 2018, 6:30 am

This release is an upgrade to the nodes behind the dir-bpr LDAP and application of OS security patches. CMR: CHG0032001

Services Affected

LDAP
Berkeley Person Registry

September 19, 2018, 8:30 am

This release is a routine OS patching for RHEL for dir-os-p* VMs at SDSC. CMR: CHG0032007

Services Affected

LDAP

September 5, 2018, 6:00 pm

This release is a reboot of calnet-p2/net-auth-p2 to install a new OS kernel. It will primarily impact users of the krbsync pw sync to AD tool. A brief (< 5 min) outage will occur. Any adverse risk is low since the change can be reverted quickly if needed. CMR: CHG0031976

Services Affected

Active Directory

August 30, 2018, 8:30 pm

We will apply OS patches and also apply a required certificate update on the Apache ActiveMQ server used by CalGroups and the Berkeley Person Registry. - Changes made to CalGroups during this maintenance window may be slightly delayed to downstream systems (eg AD, Google). Changes will resume after AMQ is back up. CMR: CHG0031963

Services Affected

CalGroups
Berkeley Person Registry
Downstream systems

August 26, 2018, 9:00 pm

This release updates 2-Step notification CAS UI for students not enrolled in 2-Step. CMR: CHG0031967

Services Affected

CAS Login Screen

August 24, 2018, 3:30 pm

This emergency release includes security patches for the OS as well as a revised krbsync app. CMR: CHG0031962

Services Affected

Active Directory

August 9, 2018, 6:30 am

This substantial release includes updates and bug fixes to many CalNet services, as well as updates to CalNet's UC \Path development. CMR: CHG0031910

Services Affected

Active Directory
CalNet Account Manager
CalNet Admin Tool
Berkeley Person Registry
Registry Service
SOR Gateway Service
UCPath

Tickets Resolved

Ticket	Comment
CNR-1515	Modify registry-service to call bidms-downstream AD change password REST endpoint at the same time it calls krbservice to set Kerberos password
CNR-1591	Resolve all duplicate calnetIds in our systems
CNR-1598	There may be reg-serv, CAM or CAT Quartz jobs that need to be disabled on bpr-t2
CNR-1623	Upgrade everything to Grails 3.3.x
CNR-1631	merge delete SORObject cascade exception
CNR-1647	Sync BPR display name changes to AD
CNR-1653	no more ou=students, send students to fsa
CNR-1654	ActiveMQ Derby transaction log is growing beyond what it should
CNR-1658	For ActiveMQ, get embedded Derby listening on a network port so we can connect to it externally with the Derby client
CNR-1659	delete expired people out of AD
CNR-1660	UCPath: Build UCPath DDODS queries
CNR-1661	UCPath: Add UCPath DDODS queries to Sor Gateway Service
CNR-1668	UCPath: Once HCM identifier name becomes known in external_identifiers, modify sor-key-data-extractor to parse out
CNR-1670	UCPath: Create IdentifierTypes for different UCPath environment EMPLIDs
CNR-1671	UCPath: Add berkeleyEduUCPathID and berkeleyEduUCPathDevID to dev LDAP schema
CNR-1672	UCPath: Add UCPath EMPLID to identifiers (crosswalk) service for different UCPath environments
CNR-1673	UCPath: Modify registry-prov-scripts to provision UCPath EMPLID to Identifiers table
CNR-1674	UCPath: Modify reg-prov-scripts to add berkeleyEduUCPath<ENV>ID to the LDAP DownstreamObject JSON
CNR-1675	UCPath: Investigate which HCM table has values that end up in employee berkeleyEduAffiliations in LDAP
CNR-1678	UCPath: Add mock UCPath DDODS SORObjects to registry-mock
CNR-1679	UCPath: Need to add DDODS "source" to DDODS SORObjects
CNR-1680	UCPath: Find out how HCM APPT_TYPE and ORG_NODE are going to be converted in UCPath
CNR-1681	UCPath: Modify reg-prov-scripts to add ucPathIds to Identifiers table
CNR-1682	UCPath: Figure out overall isActive logic for the UCPath Identifier
CNR-1683	UCPath: Figure out primary job logic
CNR-1684	UCPath: Add PS_UC_LL_EMPL_DTL to query for UC_HOME_DEPT_CD
CNR-1685	UCPath: Add PS_UC_JOB_CODES to query for UC_FACULTY_INDC
CNR-1686	UCPath: Replicate the EDW CUR_REC_FLAG for UCPath JOBS by adding an IS_EFFECTIVE flag
CNR-1687	UCPath: Need to figure out how future-dated appointments are presented in UCPath: EFF_DT/EFFSEQ?
CNR-1688	UCPath: Possibly add PS_PRIMARY_JOBS to query for PRIMARY_FLAG
CNR-1689	UCPath: The methods in reg-prov-scripts UcPathUtil need to be extensively tested with UCPath sample data
CNR-1690	UCPath: Add a CAMPUS_SOLUTIONS_STUDENT_ID identifier to Identifiers table and to identifiers service
CNR-1693	Start-of-grace email that goes out is showing the start of grace date to be one day earlier than it should
CNR-1694	UCPath: Need to enable the isActive logic in registry-sor-key-data
CNR-1695	UCPath: Build list of tables being queried so that service acct access can be requested for these tables
CNR-1697	UCPath: rps DOB builder
CNR-1698	UCPath: rps job builder
CNR-1699	UCPath: rps role builder
CNR-1700	UCPath: Add employee class roles based on the EMPL_CLASS codes and descriptions
CNR-1701	UCPath: Logic to turn UCPath state into LDAP berkeleyEduAffiliations and part of masterAccountStatus calculation
CNR-1702	AD renaming errors on certain type of entries
CNR-1703	change log message when receiving a CS EMPLID change message and the SORObject remains unchanged
CNR-1704	UCPath: reg-prov-scripts UcPathTypeMapper needs to gain awareness of UCPath POI/CWR affiliate types
CNR-1705	UCPath: Add documenting comments to top of the UcPathRoleBuilder.build() method
CNR-1706	UCPath: reg-prov-scripts needs to set title code and deptartment attributes in LDAP sourced from UCPath
CNR-1708	UCPath: In reg-prov-scripts PersonRoleExecutorSpec there are some commented out ucpath test cases that need to be looked at
CNR-1715	bidms-downstream AD CANT_ON_RDN error
CNR-1716	reg-prov-scripts: Set samAccountName to uidUID# for anybody with "system" as calnetId as this is not an allowed samAccountName
CNR-1720	Suppress noisy "Purging orphaned entry" messages in sor-gateway-service log

August 8, 2018, 9:00 am

Unneeded Access Control Instructions (ACIs) have a negative impact on performance, so we are removing several from the OpenDJ production LDAP tier. This requires no downtime for the affected hosts.

Services Affected

CalNet systems such as CAS and Shibboleth,and BPR

August 1, 2018, 7:00 am

We will be removing access to affiliations from anonymous LDAP binds on August 1, 2018. This will improve the security of anonymous searches. Click here to find out how this impacts your service. CMR: CHG0031713

Services Affected

All campus applications that use an anonymous LDAP bind

Tickets Resolved

Ticket	Comment
LDAP-3	Update ACI for anonymous binds

Jul 24, 2018, 4:30 pm

This release is a patch to CalGroups. The service will remain up while the patching happens, since the servers are redundant. Potential affected users are campus employees. CMR: CHG0031888

Services Affected

CalGroups

Tickets Resolved

Ticket	Comment
CG-168	Install CalGroups Patch

May 29, 2018, 6:00 am

This release will update the OS and JVM for the BPR stack (registry-p1, amq-p1, bpr-p1). This will result in a brief 5-min outage for public CalNet applications such as CalNet Account Manager (CAM). CMR: CHG0031688

Services Affected

Berkeley Person Registry
CalNet Account Manager
CalNet Admin Tool

May 23, 2018, 5:30 pm

This release includes updates to language in account lock/unlock and new account/change ID screens in CalNet Admin Tool and CalNet Account Manager. CMR: CHG0031701

Services Affected

CalNet Admin Tool
CalNet Account Manager

Ticket	Comment
CM-427	Update language in account lock/unlock messages
CM-424	Update account language in Create ID and Change ID screens to reflect auto bMail provisioning

May 21, 2018, 5:15 pm

This release changes the way affiliations are filtered in CalNet Account Manager. CMR: CHG0031704

Services Affected

CalNet Account Manager

Tickets Resolved

Ticket	Comment
CNR-1692	Filter affiliations list in CalNet Account Manager

April 4, 2018, 7:00 am

This release includes bug fixes and upgrades to the CalNet stack and changes to AD provisioning scripts. CMR: CHG0031553

Services Affected

Berkeley Person Registry
Active Directory

Tickets Resolved

Ticket	Comment
CNR-1650	Turn off ActiveMQ journal
CNR-1611	Fix regression on the performance of an individual ldapSync queue message consumption
CNR-1595	Fix bidms-downstream provision changed identities quartz job exception
CNR-1651	A registry-model uniqueness exception is now getting thrown
CNR-1644	Stop BPR provisioning of SPAs to AD

March 26, 2018, 5:00 am

During the 5 to 5:15 am window a 5-min outage of all CalNet services (CAS, Shib, LDAP, etc.) will occur as firewall services are migrated. CMR: CHG0031513

Services Affected

CAS
Shibboleth
LDAP
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
OPS-401	Move CalNet networks from ASA to Palo Alto firewall service.

March 16, 2018, 6:00 am

This release updates the target date on the 2-Step notification CAS UI. CMR: CHG0031507

Services Affected

CAS Login Screen

March 14, 2018, 5:00 pm

This release was completed on March 15, at 7am. It included updates and new functionality to CalNet Account Manager and CalNet Admin Tool. CMR: CHG0031508.

Services Affected

CalNet Admin Tool
CalNet Account Manager
Berkeley Person Registry
bConnected

Tickets Resolved

Ticket	Comment
CNR-1641	Add database constraint to enforce that CREDMGMT (and LDAP/AD) sorObjKeys must match the uid
CNR-1620	Modify CalNet SOR Person tool to trigger a provision for newly created or updated accounts
CAT-163	Call bConnected API to lock Google account when CalNet account is locked
CAT-165	Create new CAT User Role

March 7, 2018, 5:00 pm

This release is a patch to the Active Directory provisioning code. CMR: CHG0031506.

Services Affected

Active Directory

Tickets Resolved

Ticket	Comment
CNR - 1640	AD provisioning change

March 4, 2018, 6:00 am

This release contains regular updates for the nds-p* nodes in the ldap.b.e cluster, including patches for OpenDJ, OpenJDK, and RHEL. CMR: CHG0031454

Services Affected

Users of the ldap.b.e cluster

February 24, 2018, 6:00 pm

This release resolves a known issue in which new AD accounts are not getting enabled when CalNet account is claimed. CMR: CHG0031477

Services Affected

Active Directory

Tickets Resolved

Ticket	Comment
CNR - 1634	Reports of userAccountControl in AD not going active when account goes active

February 21, 2018, 6:00 am

This release updates the URL for the sign-up link on the 2-Step notification CAS UI. CMR: CHG0031464

Services Affected

CAS Login Screen

February 15, 2018, 6:00 am

This CAS release updates the notification message displayed by the auth.b.e cluster for 2-Step Cohort 1 not yet in CalNet 2-Step. CMR: CHG0031451

Services Affected

CAS Login Screen

February 13, 2018, 7:00 am

A Tomcat restart is required to change configuration to enable Two-Step during account claim for anyone in the RequiredMinusExemptFromReq group. CMR: CHG0031456

Services Affected

CalNet Account Manager

February 06, 2018, 7:00 am

In this release, Berkeley Person Registry will start provisioning records to CalNet Active Directory. CMR: CHG0031380

Services Affected

Berkeley Person Registry
All services that use CalNet Active Directory (AD)

February 03, 2018, 7:00 pm

This release includes updates to CalNet Account Manager and Registry Service in support of the 2-Step project. CMR: CHG0031410

Services Affected

account-manager
bidms-downstream
calnet-admin-tool
calnet-people
registry-match-service
registry-provisioning
registry-service
registry-sor-gateway
ucb-match

Tickets Resolved

Ticket	Comment
CM-403	Modify 2-Step page in CAM to remove opt-out
CM-404	Create workflow for requiring 2-Step of new employees during account claim process
CM-406	For a non-mandatory two-step enroller, the get backup passcodes button remains greyed out (disabled) even after adding a device
CM-408	Modify BPR QA environment to use group-test instead of production grouper
CM-409	Modify CAM to also consider HCM affiliations along with Allow2StepUserTest membership
CM-410	CAM two-step needs more complete audit logging
CM-411	CAM two-step needs to show end user decent error messages when duo or grouper services fail
CM-412	Unable to type in "Create your CalNet ID" field
CM-413	Ability in CAM to mock Grouper for test environments by bypassing it and going directly to LDAP
CM-415	Make requiring employees to two-step during claim configurable and turn it off for now
CNR-1369	Convert to using central Tomcat JNDI database connection pool to stay under our PostgreSQL connection limits
CNR-1589	bypass-the-match-engine queue is throwing exception in reg-prov
CNR-1629	Every project needs its version and group put into gradle.properties
CNR-1630	Publish WAR files to Maven repo for all BIDMS web applications
WA-55	Create a calnetSwitch to replace buggy bootstrapSwitch

February 1, 2018, 6:00 am

The legacy auth-key.berkeley.edu (Second-level) CAS server will be turned off. This legacy server has been replaced by CalNet 2-Step Verification. CMR: CHG0031248.

Known Services Affected

OSCAR II

February 01, 2018, 6:00 am

This release will be an upgrade to the CAS server cluster (auth.b.e) to the Apereo CAS release (5.0.10) with some custom UC Berkeley mods. This affects all CAS- and Shibboleth-integrated apps.

Update: The new version of CAS is now up in auth-test. It is a minor change that should not affect any existing integrations, but we recommend testing your applications well before February 1 to be certain it functions as anticipated. CMR: CHG0031216

Services Affected

CAS
Shibboleth

January 9, 2018, 9:00 pm

This release is a patch of CalGroups servers. Since the servers are redundant, there will be no user level outage on CalGroups, however, there will be a brief lag in syncing updates to LDAP, AD, and Google. Affected user base will be employees. Affected systems are SPA Admin app and MyCalNet, related to CalNet 2-Step. CMR: CHG0031223

Services Affected

CalNet Account Manager
SPA Admin App
CalGroups

January 04, 2018, 7:00 am

On 1/4/18, the reset passphrase token app will require CalNet 2-Step to log in. CMR: CHG0031275

Services Affected

Token app

December 13, 2017, 8:00 am

In this release, the option to automatically send a push to a phone will be disabled since it prevents users from enabling the Remember Me option. CMR: CHG0031246

Services Affected

CalNet Account Manager
SPA Admin App
CalGroups

November 27, 2017, 6:00 am

Apply security and other updates to the OS and JVM for the BPR prod tier (amq-p1, registry-p1, and bpr-p1). A brief outage while systems are restarted will be required during the maintenance window. CMR: CHG0031177

Services Affected

Berkeley Person Registry
CalNet Account Manager
CalNet Admin Tool

November 15, 2017, 5:00 am

The Berkeley Person Registry postgres database will be upgraded on 11/15/17, 5am. Outage expected from 5am-6am. Additional details forthcoming. CMR: CHG0031129

Services Affected

Berkeley Person Registry
CalNet Account Manager
CalNet Admin Tool
CalNet Crosswalk

November 6, 2017, 9:00 pm

We will be upgrading the OS and the Shib-Cas plugin. It will be a rolling upgrade, so no downtime is expected. The Shibboleth IDP service is used by the entire campus for access to apps like Google, Box, and CalTime. CMR: CHG0031116.

Services Affected

Shibboleth

Tickets Resolved

Ticket	Comment
OPS-385	Upgrade Production Shibboleth IDP

November 1, 2017, 7:00 am

CalNet 2-Step required for all IST employees and users of CAT effective November 1, 2017. CMR: CHG0031128

Services Affected

CAS
CalNet Admin Tool

October 29, 2017, 6:00 am

Perform a rolling patch and upgrade to the RHEL 7.x OS, OpenJDK JVM, and OpenDJ LDAP servers dedicated for use by CAS and Shibboleth. CMR: CHG0031096

Services Affected

CAS
Shibboleth

Tickets Resolved

Ticket	Comment
OPS-384	Upgrade OS, JVM, and OpenDJ for dir-auth.calnet.1918.b.e cluster

October 25, 2017, 7:00 am

This release includes upgrades to how CalNet sets passphrases, CalNet Account Manager, Grails 3.2.11, registry provisioning, work in support of a new AD structure, and changes to how records are consolidated. Changes released to QA 10/9/17.CMR: CHG0031112

Services Affected

CAS
CalNet Admin Tool
CalNet Account Manager
LDAP
Berkeley Person Registry
SOR Gateway Service
Registry Service

Tickets Resolved

Ticket	Comment
CM-386	Passphrase work
CM-387	Modify CAM to use the new bidms-credential-policy plugin that centralizes passphrase validation
CM-389	Passphrase related to CAM
CM-391	CAM is giving generic "system error"
CM-394	Change CAM Menu text
CM-395	CAM Lib update
CNR-1367	Provision from BPR to Active Directory
CNR-1415	SGS needs to set uid on LDAP and AD SORObjects rather than waiting until LdapSync does it
CNR-1497	Add a configuration item to enable/disable AD provisioning in bidms-downstream
CNR-1498	Add a configuration item to enable/disable creation of AD DownstreamObjects in registry-provisioning-scripts
CNR-1504	immediate entryUUID retrieval is not working in prod after an insert or rename
CNR-1518	Create "dynamic attribute" feature for bidms-connectors
CNR-1532	Bug in reg-prov-scripts for AD where dn.ONCREATE has "CN=null" in it for uids with no name
CNR-1536	bidms-downstream provision changed identities quartz job is throwing an exception
CNR-1537	Need ability in reg-prov to create AD downstreamobjects but not send messages to downstream AD queue
CNR-1538	When setting AD DownstreamObject userAccountControl DISABLE, TrackStatus lock flag is being checked, but what about Person.isLocked?
CNR-1540	Access to bidms-downstream quartz/list web page is being denied
CNR-1541	AD userAccountControl has to be 546, not 512, on CREATE for active users
CNR-1542	Check for invalid characters in AD CN since it's part of the DN
CNR-1544	Remove primaryGroupID from AD DownstreamObject
CNR-1545	Remove guests from list of users provisioned to AD
CNR-1546	Set AD CN to Display Name (UID)
CNR-1547	CS SORObjects have some badly-structured JSON in them
CNR-1548	CAT and CAM can no longer download Bower assets
CNR-1549	Improve the performance of CredentialTokenService
CNR-1551	CAT and CAM are trying to use same Greenmail ports in dev and test environments
CNR-1564	SGS REST endpoint that serves same purpose as JMS SORObjectJSONQueue
CNR-1569	Add audit logging support to registry-provisioning NewUidController and ProvisionController
CNR-1573	SGS endpoints need to be protected with spring security
CNR-1575	mleefers requesting AD street address go into a different attribute
CNR-1576	mleefers requesting two-letter instead of three-letter country code
CNR-1577	Modify registry-match-service triggerMatch endpoint to return uid if it's assigned
CNR-1578	need to proxy SGS sorConsume REST calls through registry-service for networking security reasons
CNR-1579	When deleting entries, bidms-connectors LDAP needs to check for and delete "subordinate" entries
CNR-1580	match-service triggerMatch endpoint needs to recognize synchronousDownstream=false
CNR-1581	Support sending uid in the JSON payload in the sorObjects controller to match new sorObjects with existing uids
n/a	upgrade to Grails 3.2.11
n/a	Passphrase work
CM-400	Updates to change ID email language

October 6, 2017, 7:30 am

This release prevents enablement of CalNet 2-Step with a smart phone until after the Duo Mobile App has been verified to have been installed on the smart phone. CMR: CHG0031064

Services Affected

CalNet Account Manager
Duo 2-Step

Tickets Resolved

Ticket	Comment
CM-399	Update hasDevices logic to make sure Duo account is active.

September 19, 2017, 6:00 pm

This release updates the merge function in CalNet Admin Tool. CMR: CHG0031005

Services Affected

CalNet Account Manager
Registry Service

Tickets Resolved

Ticket	Comment
CAT-169	During merges, don't copy delete.credmgmt.calnetId if keep.ldap.beKerbPrincStr is present

September 14, 2017, 6:00 pm

This release fixes a bug and updates the CalNet Admin Tool. CMR: CHG0030992

Services Affected

CalNet Account Manager

Tickets Resolved

Ticket	Comment
CAT-154	Enable X-FORWARDED-FOR header for auth.calnet.b.e
CAT-157	CAT needs modifications to work with latest ucb-spring-security-cas-ldap
CAT-158	Error when consolidating records in CAT

September 9, 2017, 9:00 am

We will be changing our SLB config to allow HTTP templates for the Auth.b.e VIP. We will give ourselves a 30 min window to do the work, and there will be a few seconds downtime as the SLB saves and responds to the new configuration. The change will happen Saturday morning, September 9, from 9 - 9:30 am. This affects any server using the campus SSO and the entire campus population. This change was tested successfully with the SDSC DR and BR CAS cluster. CMR: CHG0030879

Services Affected

Tickets Resolved

Ticket	Comment
CAS-5	Enable X-FORWARDED-FOR header for auth.calnet.b.e

August 26, 2017, 6:00 am

To support new CalNet 2-Step users starting Monday, a new CAS server build with help text for Duo 2-Step is deployed. CMR: CHG0030956

Services Affected

This affects all CAS users, but the change is only additional help text show at the Duo 2-Step prompt.

August 10, 2017, 7:00 pm

This release includes fixes and updates to CalNet Account Manager and CalNet Admin Tool as well as an upgrade to Grails 3.2.11. CMR: CHG0030913

Services Affected

CalNet Account Manager
CalNet Admin Tool

Tickets Resolved

Ticket	Comment
CAT-154	CAT is displaying a "null" in the list of affiliations for all records.
CM-384	Update 2-Step Email notification to stop Google Phishing warning.
CNR-1454	New employee can't claim CalNet ID
N/A	Upgrade to Grails 3.2.11

July 28, 2017, 3:00 pm

This release replaces the CalNet OpenIDM. OpenIDM will be turned off and Downstream Provisioner will write directly to LDAP. CMR: CHG0030864

Services Affected

SOR Gateway Service
Registry Provisioning
Registry Provisioning Scripts
Downstream Provisioner
OpenIDM
LDAP

Tickets Resolved

Ticket	Comment
CNR-1419	Replace OpenIDM with a new downstream provisioning system
CNR-1490	If in grace but affiliations are unknown, set primaryOu to existing LDAP ou
CNR-1493	DownstreamProvisioningRESTClientService.provisionUid is throwing exceptions
CNR-1494	sor-gateway DailyHashAndQueryJob is throwing exception
CNR-1492	bidms-downstream LDAP schema violation exceptions
CNR-1495	Registry-d1 sor-gateway is throwing a start-up exception related to oracle db connection
CNR-1489	Removal of calnetId is causing an exception in registry-provisioning-scripts
CNR-1476	bidms-downstream is reporting bad avg batch time values in the timing statistics
CNR-1477	bidms-downstream sometimes can't find uid in LDAP but when a LDAP write is attempted, NameAlreadyBoundException is seen
CNR-1484	bidms-downstream seeing OpenDJ errors sometimes with namespace changes
CNR-1464	Change capitalization to berkeleyEduUnitHRDeptName in DownstreamObject JSON
CNR-1465	Don't send audit log entries to the app log, as it's already logged in audit log file
CNR-1466	Create DownstreamObjects for LDAP namespace entries

July 26, 2017, 6:00 am

This release will patch the production MIT Kerberos cluster. A brief outage of about 1 minute per node will occur. Some Kerberos clients will automatically fail over to the slave KDC when this happens. CMR: CHG0030836

Services Affected

July 19, 2017, 6:00 am

This release will update OS to RHEL 7.x and latest application libraries on the calnet.b.e web server, which includes the Directory Update Application. CMR: CHG0030822

Services Affected

Directory Update Application

July 18, 2017, 7:00 am

This release fixes an error in the CalNet Admin Tool and also changes what information is displayed in the tool. CMR: CHG0030863

Services Affected

CalNet Admin Tool

Tickets Resolved

Ticket	Comment
CAT-133	Delete "Empl ID" field from basic info
CAT-150	Remove OU from CAT
CAT-152	CAT Throwing a MissingProperty Error

July 12, 2017, 6:00 am

This release will patch RHEL 6.x and the JVM for the idc.b.e application cluster. CMR: CHG0030818

Services Affected

CalNet self-service applications on the idc.b.edu cluster, such as Guests, SPAs, and Access Keys

June 28, 2017, 6:00 am

This release reconfigures the CAS auth.b.e servers to not do SSO for the base /cas/login URL if no service parameter is provided. This change is considered a security best practice. CMR: CHG0030793

Services Affected

All campus CAS users, especially those using 2-Step Verification

June 21, 2017, 6:00 am

This release is a rolling upgrade of the production CAS Server to fix intermittent degradation of service due to load and a known bug in the 5.0.4 server. CMR: CHG0030785

Services Affected

June 15, 2017, 6:00 am

This release is a rolling upgrade of the production CAS Server cluster to release 5.0.6 with bug fixes and some additional custom UI fixes. CMR: CHG0030749

Services Affected

CAS
Shibboleth

June 12, 2017, 6:00 am

In this release, CalNet will migrate net-auth.berkeley.edu to RHEL 7.x from 5.x. 15-min planned outage affecting campus customers of the Berkeley Person Registry identity management applications CalNet Admin Tool and CalNet Account Manager. CMR: CHG0030742

Services Affected

net-auth.berkeley.edu
Berkeley Person Registry
CalNet Account Manager
CalNet Admin Tool

June 8, 2017, 2:00 am

This release includes updates to CalNet Account Manager. Changes to CAM will be visible only to users who have been granted access to CalNet Two-Step beta testing. CHG0030750.

Services Affected

CalNet Account Manager

Tickets Resolved

Ticket	Comment
CM-344	2FA Login
CM-345	Pilot implementation of 2FA admin iFrame
CM-351	Add page headers to CAM pages
CM-352	2FA documentation
CM-353	Restrict who can see 2-Step Verf in the menu
CM-354	2-Step form edits for the instructions
CM-356	Changes to 2-Step Form Based on User Feedback
CM-357	Turn on 2-Step Switch Automatically
CM-358	Do not ask for pw on the 2-Step Switch
CM-359	Don't ask for pw on the Get Backup Passcodes request
CM-360	Get Backup Passcodes Screen Changes
CM-361	2FA Form Format and Color Changes
CM-362	Changes to New Enrollment Instructions
CM-363	Change 2-Step Switch Title
CM-364	Changes to Manage Your Devices - Help Text
CM-367	Send email when generating backup codes
CM-368	Add link to privacy statement in the footer
CM-370	Change language on passphrase reset screen
CM-371	reduce UC Berkeley logo
CM-372	Delete numbers on the items in the Help Section
CM-373	2 Step Switch Format Change
CM-374	Backup Passcodes Format Change
CM-375	Reduce Duo iFrame height
CM-376	Add line spaces
CM-377	2 Step Switch Confirmation Messages
CM-378	Changes to Get Backup Passcodes Page
CM-379	cross-site request forgery protection?
CM-381	Change font-size and weight in help headers
CM-382	Move on/off + passcode button closer to text

June 6, 2017, 9:00 pm

This release is a minor upgrade of the Shibboleth IDP to version 3.3.1 and the Shibcas connector. There is no expected downtime, though we have an hour window to complete the work. Affected systems include any using the Shibboleth IDP for authentication. Students, staff, and faculty could potentially be affected. Site examples include most off-campus services like Google, ServiceNow, Learning Center, Salesforce, and Box.

The Shibcas connector upgrade will fix the error messages displayed to a user readable message rather than the current code dump. CMR CHG0030731.

Services Affected

Shibboleth
Any using the Shibboleth IDP for authentication

Tickets Resolved

Ticket	Comment
SHIB-1	Minor Shibboleth IDP upgrade - 3.3.1, Shibcas

May 18, 2017, 10:00 pm

This emergency CAS Server release fixes the regression affecting some campus applications using SPAs. No outage is expected as we will do a rolling restart of the cluster nodes. CMR: CHG0030704

Services Affected

CAS
Special Purpose Accounts

May 16, 2017, 10:00 am

This release is a rolling restart for CAS, no outage expected. CMR: CHG0030697

Services Affected

May 15, 2017, 6:00 am

Begin testing on April 7, 2017

This release is the final step in migration to CAS Server 5.0.4. We are upgrading the Apereo CAS servers at UC Berkeley from version 4.1.x to 5.0.4 with some additional features deployed, with the help of Unicon(link is external), one of the major contributors to the CAS project(link is external). CMR: CHG0030513

The QA tier will be updated on April 7 to allow for testing. To test, point your QA CAS client application at the auth-test.berkeley.edu DNS name. The previous QA nodes (cas-t1/t2) will remain available for a transition period as individual nodes. Please be sure to test your application before May 15.

Find additional details about this upgrade on our website: Migration to CAS Server 5.0.4

Services Affected

May 10, 2017, 6:00 pm

This release provides improved audit logging of account events for integration with Security Operations monitoring. CMR CHG0030673.

Services Affected

Berkeley Person Registry
CalNet Admin Tool
CalNet Account Manager

Tickets Resolved

Ticket	Comment
CNR-1416	CAM/CAT/reg-service events log

May 5, 2017, 4:15 pm

This release fixes a condition that is causing SGS LDAP imports to fail and removes case-sensativity from email address field in CalNet Account Manager.

Services Affected

Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CNR-1462	OpenDJ objects that start with entryuuid= are causing SGS LDAP imports to fail
CM-342	Reset passphrase recovery case insensitive email lookup

May 5, 2017, 10:00 am

This release changes the logic CalNet uses to determine expiration dates and fixes a condition that causes provisioning exceptions. CMR: CHG0030628

Services Affected

Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CNR-1451	Update expiry logic
CNR-1460	Provisioning exceptions

May 4, 2017, 5:00 pm

This release fixed a bug in which stale cache was preventing new employees from claiming a CalNet account.

Services Affected

Berkeley Person Registry
CalNet Account Manager

Tickets Resolved

Ticket	Comment
CNR-1454	Stale cache - production restart required

April 26, 2017, 5:15 am

In this release a number of CalNet applications are being upgraded to use the Grails 3 framework. This release will be deployed to QA on April 10, 2017. CMR CHG0030578.

Services Affected

Berkeley Person Registry
CalNet Account Manager
SOR Gateway Service
Registry Provisioning
Registry Rest Service

Tickets Resolved

See April 19, 2017 release for complete list of ticket resolved.

April 19, 2017, 7:00 am

In this release CalNet Admin Tool is being upgraded to use the Grails 3 framework. This release will be deployed to QA on April 10, 2017. A second release on April 25 will upgrade Berkeley Person Registry and CalNet Account Manager to use the Grails 3 framework. CMR CHG0030548.

Services Affected

CalNet Admin Tool

Tickets Resolved

Ticket	Comment
CAT-134	Convert to Grails 3.x
CM-161	Upgrade CAM to Grails 3.x
CNR-1275	Migrate grails-external-groovy-plugin to Grails 3.x
CNR-1276	Regression: Between Groovy 2.4.4 and Groovy 2.4.5 (Grails 3 uses .7) a change was made that as reintroduced a memory leak to external-groovy
CNR-1277	Migrate sor-key-data plugin to Grails 3.x
CNR-1278	Migrate registry-provisioning-scripts to Grails 3.x
CNR-1280	Migrate registry-model plugin to Grails 3.x
CNR-1281	Migrate grails-gorm-util-plugin to Grails 3.x
CNR-1282	Migrate registry-commons to Grails 3.x
CNR-1283	Migrate grails-domain-utils-plugin to Grails 3.x
CNR-1286	Migrate groovy-hashchode-ast to Groovy 2.4.7
CNR-1296	Migrate grails-render-json-plugin to Grails 3.x
CNR-1316	Migrate groovy-sql-util to Grails 3
CNR-1347	Update sorQuery script to accept a SORObjectKey (Grails 3 branch)
CNR-1353	Migrate mock-registry to Grails 3
CNR-1360	Migrate ucb-messaging plugin to Grails 3.x
CNR-1361	Migrate the UCB fork of the grails-routing plugin to Grails 3.x
CNR-1363	Grails 3 registry-model jobAppointments collection not being persisted when person is saved and not being retrieved when person is loaded
CNR-1365	For registry-model Grails 3 branch, type: JSONBType, sqlType: 'jsonb' in mapping is not working
CNR-1368	Property injection into Provision object is not working on Grails 3 branch
CNR-1372	Migrate registry-provisioning to Grails 3.x
CNR-1373	Migrate rest-client-builder-digest-auth to Grails 3.x
CNR-1374	Grails 3 Spring Boot in conjunction with registry-settings is complaining of multiple jms connection factories
CNR-1375	Grails 3 registry-settings doesn't seem to be merging config correctly
CNR-1378	Grails 3 reg-prov: no log output is being produced
CNR-1382	Figure out why grails 3 reg-prov wiped out the database at start-up
CNR-1383	Grails 3 reg-settings needs to set dbCreate to not delete by default
CNR-1384	Migrate sor-gateway-service to Grails 3.x
CNR-1385	Migrate ucb-match to Grails 3.x
CNR-1386	Migrate registry-match service to Grails 3.x
CNR-1391	Migrate registry-rest-client to Grails 3.x
CNR-1393	Migrate registry-service to Grails 3.x
CNR-1394	Migrate rest-queryfilter-plugin to Grails 3.x
CNR-1397	Integration Hub is changing the development AMQ host
CNR-1399	Grails 3 reg-service is having odd transaction management problems
CNR-1401	Grails 3 reg-service doesn't need jmsTransactionManager/ChainedTransactionManager because it only produces JMS and JMS producers aren't transactional
CNR-1402	Grails 3 reg-settings: Add option to create JMS beans but skip the jmsTransactionManager if the app is only using JMS for producing messages
CNR-1403	Grails 3 reg-service still is using ChainedTransactionManager even after removing jmsTransactionManager
CNR-1404	Grails 3 reg-settings: Add an "enable multiple data source" option to reg-settings to work around a Grails 3 bug
CNR-1405	Grails 3 reg-prov's BootStrap.groovy isn't running
CNR-1407	Some Grails 3 registry-service integration tests aren't passing and have been @Ignored
CNR-1408	In order to get Grails 3 reg-service integration tests to pass, had to move setupSpec to setup, but this makes running tests very slow
CNR-1409	SorPeopleAssignmentServiceIntegrationSpec passing locally but is failing on Bamboo
CNR-1417	Grails 3 match-service isn't consuming the newUid queue
CNR-1420	Deadlock between match-service and call out to registry-provisioning's provisionUid in Grails 3 (but probably Grails 2 too)
WA-46	Move ucb-webapp-foundation to Grails 3.1.x
WA-49	Migrate ucb-twitter-bootstrap and ucb-twitter-bootstrap-fields plugins to Grails 3

April 4, 2017, 4:30 pm

This release provides a fix so that alumni already in OU = ADVCON do not get grace notification emails. CMR: CHG0030512

Services Affected

Berkeley Person Registry
LDAP Provisioning

Tickets Resolved

Ticket	Comment
CNR-1412	Users in ADVCON receiving grace notification emails

March 15, 2017, 3:00 am

This release resumes the CalNet account expiration process and implements grace period email notifications. This release requires a second restart at 6pm on March 16. CMR: CHG0030441.

Services Affected

Berkeley Person Registry
CalNet Account Manager
CalNet Admin Tool

March 14, 2017, 9:00 pm

Upgrade production shibboleth IDP (shib.berkeley.edu) to version 3.3.0. The upgrade will bring us to the current release and allow us to use the consent model. The change will take place during a change window on Tuesday, March 14, from 9 - 11 pm. The actual change will be within that time and will be a brief, approximate 15 sec delay. The service affects most campus users. CMR: CHG0030422

Services Affected

Shibboleth IDP
Any system using the Shibboleth IDP for attribute release / authentication

March 9, 2017, 3:00 am

This release includes work in support of the CalNet account expiration process, fixes a bug in CalNet consolidation and refines logic for changing CalNet IDs. This release was originally scheduled for March 8, 2017. CMR: CHG0030440

Services Affected

Berkeley Person Registry
LDAP Provisioning
CalNet Account Manager
CalNet Admin Tool

Tickets Resolved

Ticket	Comment
CNR-1371	Berkeley.edu email address should key of alternateIdEmailAddress
CNR-1366	Do not use BPR LDAP Display Name for full name
CNR-1364	Check hql in findPeopleExitingExpiry
CNR-1362	If a person does not have an @berkeley.edu account don't try to send additional emails.
CNR-1359	Registry Service gets wrong values from config in GraceServiceJob
CNR-1358	Refine logic for changing CalNet ID
CNR-1357	Grace Period Notify email still using calnet@berkeley.edu(link sends e-mail) FROM address
CNR-1356	Cannot format given Object as a Date Error
CNR-1349	CNR-1169 Filter out people who does not have a calnetId
CNR-1325	Disallow future-dated startOfRoleGraceTimes in PersonRoleArchive table Update provisioning code to set start grace time to current time when source data has a future end date but goes inactive
CNR-1322	CNR-1167 Make adjustments to Grace period jobs
CNR-1308	UIDold and Consolidation date not being written during CAT consolidations
CNR-1302	Send email notification for expired accounts that have been activated again
CNR-1293	CNR-1167 Check if person has berkeley email address before sending email

March 1, 2017, 1:00 am

This release includes minor edits and bug fixes for CalNet Account Manager and CalNet Admin Tool. Also introduces new features to CalNet Account Manager that display user's names and affiliations. CMR: CHG0030408

Services Affected

CalNet Account Manager
CalNet Admin Tool

Tickets Resolved

Ticket	Comment
CM-334	Edit CAM Footer
CM-333	Edit CAM Account Info page
CM-331	Re-enable change in CM-311
CM-311	Show more info after user logs into CAM
CAT-118	An Error Has Occurred message after consolidation in CAT
CAT-117	Assigning someone SIS View privilege doesn't appear to work
CAT-44	CAT-37 Make simple / advanced search
CAT-127	Show more info for user
CAT-122	CAT-118 Consolidation error bug

February 28, 2017, 5:30 pm

A restart of the PostgreSQL DB behind the prod Berkeley Person Registry (BPR) to allow more active connections will result in a brief outage to allow reconfiguration. Outage anticipated from 5:30pm-5:35pm on Tuesday, February 28. CMR: CHG0030418

Services Affected

Berkeley Person Registry

February 27, 2017, 1:00 am

Refining logic for CalNet ID change. Release is in support of new alumni email program. CMR: CHG0030411

Services Affected

CalNet Account Manager

Tickets Resolved

Ticket	Comment
CNR-1358	Refine logic for changing CalNet ID

February 21, 2017, 6:00 am

This release is to patch the OS and JVM for the four servers comprising the CalNet Berkeley Person Registry (BPR) prod tier (registry-p1, bpr-p1, amq-p1, and idm-p2). CMR: CHG0030335

Services Affected

CalNet Account Manager
CalNet Admin Tool
Berkeley Person Registry

February 14, 2017, 8:00 pm

This release updates the production Grouper servers, which service calgroups.berkeley.edu, from version 2.2 to 2.3. The upgrade is a precursor to using a new provisioning UI. CalGroups will be down during the upgrade due to a database upgrade. CMR: CHG0030385

Services Affected

CalGroups
CalNet SPAs
LDAP Groups

Tickets Resolved

Ticket	Comment
CG-156	Upgrade production Grouper

February 1, 2017, 3:00 pm

This release includes fixes to improve memory usage and upgrading of dependencies. CMR: CHG0030348

Services Affected

Berkeley Person Registry
Registry Service
LDAP

Tickets Resolved

Ticket	Comment
CAT-118	An Error Has Occurred message after consolidation in CAT
CNR-1311	Convert bad HCM job-end dates that are set to 9999-12-31 to be null, which causes the Registry to write the current date as the start-of-grace-time when it encounters such a bad end date.
CNR-1291	Don't write legacy guest system accounts to LDAP
CNR-1262	New ou determination logic based on roles (but back-port the "don't move to a lesser OU" work-around that was in the old code into the new code)
CNR-1197	Don't provision (IGNORE) to LDAP any new uid missing at least one-LDAP affiliation
CNR-1262	Fixes CNR-1193 and CNR-1256 (dupe of CNR-1193): Records in presir when they should be in ADVCON
CNR-1197	Fixes CNR-1184: Employee Only CS Record provisioned to presir ou because of partial HCM record
CNR-1262	Rewrite OU determination logic to key off of roles instead of identifiers

January 25, 2017, 5:00 am

This release was completed on January 26, 2017, and made additional changes to CalNet ID changing logic and enabled account expiration processes. CHG0030323

Services Affected

CalNet Account Manager
Berkeley Person Registry
LDAP

Tickets Resolved

Ticket	Comment
CNR-1285	Changing recoveryEmailAddress after changing calnetId should not rewrite calnetId
CNR-1267	When setting recovery email address, the oldCalnetId is overwritten with current calnetId in CREDMGMT SOR Object
CNR-1265	Prevent claiming CalNet IDs only defined in KDC
CNR-1239	Send a message to people who are in grace but never received an email
CNR-1217, CNR-1167	Make cron job to send grace emails
CNR-1213	Track status object must have metadata field to store extra info
CNR-1191, CNR-1167	Create rest endpoint to send email
CNR-1169	Disable account when an account has expired
CNR-1298	LdapInformation endpoint
CNR-1304	Password error in account locking
CM-319	Users not able to claim CalNet IDs they already own in namespace
CM-323	Add custom link in full text to passphrase reset button
CM-327	Fix CalNet ID change screen

January 25, 2017, 3:00 pm

This release implements new Campus Solutions update code to accept real time messages via JMS queue and make database queries on demand for individual student records. It should allow new CalNet accounts to be created in near real time once all the appropriate record creation has been completed in Campus Solutions. Release also includes updates to Registry provisioning logic to support en- of-life account handling. CMR: CHG0030328

Services Affected

Berkeley Person Registry
Registry Service
LDAP

Tickets Resolved

Ticket	Comment
(no CNR)	Fix setting a proper grace start date for the aggregate roles: masterAccountActive and ldapNoExpDate.
CNR-1287	Fix no students in Dev marked as registered
CNR-1292	Close out new Sql instances in an attempt to fix connection pool leak in SGS
CNR-1273	Upgrade SOR Gateway Service to Grails 2.5.5
CNR-1272	Convert the Camel routes in SGS to use reliable-tx-camel
CNR-1031	Convert sor-gateway-service to use JTA Transaction Manager
CNR-1266	Consume CS "person basic sync" messages from IHub to trigger 'real-time' SGS EMPLID querying
CNR-1297	Replace special 07/28/16 CS affiliation end dates with 01/01/1901 so real dates used instead from other SOR data
CNR-1289	Create an expirationNotify role

January 8, 2017, 11:45 am

This release fixes a bug in the CalNet Account Manager, in which a CalNet ID change reverts if the user sets their recovery email address in the same session. CHG0030266. (This release rescheduled from 1/6/17, 5:00am).

Services Affected

CalNet Account Manager
Berkeley Person Registry
LDAP

Tickets Resolved

Ticket	Comment
CM-321	Change CalNet ID bug

January 6, 2017, 6:40 am

This Emergency SOR Gateway Service patch deploys a one-liner patch that adds 14 days to the calculation of last semester end date because Campus Solutions indicates the spring semester has started but they have not yet updated the registration service indicators to show spring instead of fall. This affects the berkeleyEduAffiliation: STUDENT-TYPE-REGISTERED value in LDAP. Tomcat restart on registry-p1 is required. CMR: CHG0030268. (This relesase rescheduled from 1/6/16, 5pm).

Services Affected

Berkeley Person Registry
LDAP

Tickets Resolved

Ticket	Comment
CNR-1287	No students in Dev marked as registered

December 19, 2016, 5:00 pm

This release includes functionality to support upcoming term changes, backend registry handling of grace periods, service indicators that prevent students from being unregistered, improvements to how HCM employees and alumni are provisioned, and clearing of stale berkeleyEduExpDates. CMR: CHG0030233

Services Affected

Berkeley Person Registry
Registry Service
LDAP

Tickets Resolved

Ticket	Comment
CNR-917	CNR-860 Determine current or future CS terms
CNR-970	CNR-860 Logic for determining start of next Fall or Spring term for -REGISTERED grace period
CNR-1016	Once CNR-970 taken care of, uncomment the commented code for SERVICE_INDICATOR term checks in CsPersonRoleBuilder
CNR-1189	Provisioning HCM accounts with appointment dates later than the entry date
CNR-1225	Add "is active" logic to HRMS and ADVCON key extractors
CNR-1226	Use "is active" key extractor logic to send HRMS and AVCON SORObjects to match queue if they lack UID and key extractor says they're now active
CNR-1227	Try to get the sor-key-data-extractor to load certain external reg-prov-script classes to execute "is active" logic on the raw SORObject data
CNR-1228	Clear berkeleyEduExpDate when active
CNR-1240	Add support for a numeric sync marker, instead of just a timestamp, to SorObjectChecksum and SorObjectChecksumQuery tables
CNR-1243	Tweaks to registry provisioning scripts for CalNet SOR Person
CNR-1244	Calculate grace delta upon immediately adding a personRoleArchive entry
CNR-1246	berkeleyEduStuID should remain in LDAP after student has gone into grace or expired
CNR-1247	Modify SGS to include new service indicator view for CS query

December 16, 2016, 5:00 am

This release improves the Change CalNet ID function in CalNet Account Manager, and fixes a bug related to alumni accounts. It also includes an update to the instructions regarding claiming accounts and changing accounts. CMR: CHG0030232

Services Affected

CalNet Account Manager
Registry Service

Tickets Resolved

Ticket	Comment
CNR-1265	Prevent claiming CalNet IDs only defined in KDC
CM-314	Allow alums to change CalNet ID without a recovery email address
CM-313	Change CalNet ID failure bug
CM-312	When user changes CalNet ID and does not have an ext email address do not show error
CM-310	Edit confirmation message when an alum changes CalNet ID
CM-308	Account Manager throwing javax.management.MalformedObjectNameException
CM-305	Stack trace appears on Change CalNet ID page
CM-316	When changing recovery email without previous recovery email address, system reports an error

December 1, 2016, 9:30 pm

To support updating of certain AdvCon (mostly Alumni) CAS customers, a check for CalNetIDs starting with "cads" is now done. The popup dialog triggered then redirects the browser to the Change CalNetID page. Released to QA (auth-test.b.e) November 30, 2016. CMR: CHG0030193.

Services Affected

Tickets Resolved

Ticket	Comment
OPS-350	Trap CalNetIDs starting with "cads" and redirect to Change ID app

November 18, 2016, 5:00 am

This release added the ability for alumni to set a bConnected key.

Services Affected

CalNet Admin Tool
Berkeley Person Registry
LDAP

Tickets Resolved

Ticket	Comment
CS-26	MMK should allow ou=ADVCON to be able to set a bConn key so that alumni can create bConn accounts.

November 3, 2016, 11:00 am

This release is to provision FORMER employee, affiliate and student statuses , test and guest accounts to LDAP and BPR fixes. It also includes CAM and CAT text and content changes. See CMR: 30120

Services Affected

Berkeley Person Registry
LDAP
CalNet Admin Tool
CalNet Account Manager

Tickets Resolved

CNR-1029	Provision FORMER affiliation when an active affiliation is removed
CNR-1163	Modify DownstreamLdapBuilder to add FORMER affiliations
CNR-1171	Modify LdapDownstreamBuilder to add current LDAP affiliation roles based on calculated berkeleyEduAffiliation values
CNR-1174	Report of invalid date format for bECalNetIDUpdatedDate
CNR-1190	Change SGS HRMS Oracle hash query to hash(firstname\|\|lastname) rather than hash(firstname) + hash(lastname)
CNR-1194	Don't provision (IGNORE) TEST accounts to LDAP
CNR-1195	Add a test account role for TEST accounts
CNR-1200	Provision GUEST LDAP affiliation for guest accounts
CNR-1206	Refactor archived role builders to use a builder context to avoid Hibernate exceptions
CNR-1207	Modify registry-model Person to disallow same roles both in assignedRoles and archivedRoles
CNR-1213	Track status object must have metadata field to store extra info
CM-304	Update language in notification when users can't claim an account
CAT-113	Edit email message when account is locked
CAT-112	For locked accounts, allow option to not send email
CAT-111	Show more info for locked accounts lists

October 24, 2016, 6:00 am

Available in QA: October 14th

Update: war built from qa-to-prod-delegation branch is now deployed to cas-p2/p3/p7 (auth) with default theme set to "default" the OS and JVMs also patched on those hosts, the CAS prod tier.

A feature release of Apereo CAS Server 4.1.9 will be deployed to auth-test on 10/14/16 at 6 am and, assuming no regression is found, to auth on 10/24/16 at 6 am. OS and JVM patches will also be applied. The new features include improved performance when showing lists of SPAs, and a delegated authentication option for apps using the test/qa CAS server environments. CMR: CHG0030053.

Services Affected

CAS
SPA users

October 20, 2016, 12:00 am

This release improves CalNet Admin Tool and adds the ability for an admin to set a CalNet ID on behalf of a user directly from the CalNet Admin Tool. CMR: CHG0030077

Services Affected

CalNet Admin Tool
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CNR - 1188	Add rest endpoint to set calnetId
CAT-107	Ability for admin to set a record's CalNet ID
CAT-109	Update role mapping wiki page
CAT-110	Create new role for SIS in QA

October 13, 2016, 4:30 pm

This release fixes a provisioning bug that is picking up inactive records. CMR: CHG0030054

Services Affected

Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CNR - 1186	Stop provisioning employee-onlys without a CAMPUS_ID

October 13, 2016, 6:00 am

Updated description: This release updates the CalNet Admin Tool, including adding affiliations, better scrolling, and cache manager naming issue. It also clears up an error when attempting to match records and automates some consolidation functions. CMR: CHG0030051.

Services Affected

CalNet Admin Tool
Registry Service

Tickets Resolved

Ticket	Comment
CAT-105	Error when attempting to match records
CAT-104	Show a record's current affiliations
CAT-101	Cache manager naming issue on production
CAT-99	Better scrolling for partial match view
CNR-1149	After merge, wrong CalNet ID marked as active
CNR-1178	When merging two records, an error is thrown

October 12, 2016, 3:05 pm

This critical patch will fix a bug that prevented some new employees and affiliates from claiming CalNet accounts. CMR: CHG0030050.

Services Affected

Registry Provisioning
LDAP
OpenIDM

Tickets Resolved

Ticket	Comment
CNR-1176	Add empty-string check for CAMPUS_ID in the SGS CS "employee-only" detection logic
CNR-1182	Rename isNotProd config param in LdapSync to isProd and adjust the code accordingly
CNR-1183	Fix LdapSync bug where cleanUpMismatchedAssignments() is being called in prod instead of dev/qa
none	Add some hibernate session clearing calls to try and eliminate a memory leak

October 4, 2016, 6:00 am

Update to October 4 CalNet Release:

This release has progressed as planned. The legacy Sync Code has been turned off. The new LDAP schema is in place. Approximately 70,000 active accounts are being updated by the Berkeley Person Registry. We anticipate all records to be done updating within one or two days. Additional status updates will be provided as needed.

----------------

On October 4, 2016, the CalNet team will retire the legacy LDAP Sync Code and hand control of LDAP provisioning to the Berkeley Person Registry. This step modernizes campus identity data management. CMR: 4816.

Find detailed information about LDAP Schema changes at: https://calnet.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization

See additional information about impacts of the Sync Code Retirement, here: https://calnet.berkeley.edu/news/calnet-sync-code-retiring

Services Affected

LDAP Provisioning
LDAP Sync Code
Berkeley Person Registry
CalNet Deputy UAS Portal
CalNet Deputy Issue Initial Token Application

Tickets Resolved

Ticket	Comment
CAT-38	Replace registry-p1 and idm-p2 scripts with CAT buttons
CAT-62	ability for admin to allow someone to change CalNet ID
CAT-81	Improve view of list of records to be matched
CAT-82	generate an notification email when account is locked / unlocked
CAT-83	edits to account locking/unlocking email content
CAT-93	Missing link to submit all records for rematch
CM-293	switch to berkeleyEduIsMemberOf
CNR-1000	Provision affiliation roles to LDAP
CNR-1007	Provisioning to ADVCON OU
CNR-1013	Remove isLegacy / isOwned / definitiveAttributes from LdapDownstreamBuilder
CNR-1018	Provision berkeleyEduAffID (ucbaffid)
CNR-1021	Rename IdentifierType hrmsEmployeeId to hcmId to avoid future confusion
CNR-1022	Develop API for ADVCON to replace account claiming API to kerb service
CNR-1023	Make REST endpoints for reprovisioning and sorHash/sorQuery
CNR-1024	Add a PersonJob table to the registry schema and add it to the model
CNR-1025	Modify registry-provisioning-scripts to provision to PersonJob table
CNR-1039	Remove hrmsPrimaryApptRcdNo role now that we have PersonAppointment table with an isPrimary flag
CNR-1040	Primary job determination logic needs to be moved to a PostBuilder so there's one one primary job if multiple HRMS SORObjects
CNR-1043	Create endpoint for advcon to use passphrase reset
CNR-1044	Endpoint for ADVCON to set recovery Email address
CNR-1045	Endpoint for ADVCON to set passphrase
CNR-1046	Don't set berkeleyEduUnitHRDeptName because sync code has stopped setting it
CNR-1047	Change berkeleyEduEmpDeptUnitTitleCode to be single-value pointing to primary appointment
CNR-1050	Investigate which HRMS records get an AffId
CNR-1052	Implement Audit in registry-service
CNR-1053	Create an "Archived Identifier" table to store old identifiers
CNR-1056	Add new HCM identifier types to distinguish between employee-specific and affilite-specific HCM identifiers.
CNR-1057	Change prov-script affiliateId and employeeNumber logic to use new hcm IdentifierTypes
CNR-1061	Implement pagination and showing rejected records for PartialMatch service
CNR-1065	Provision HCM employee and affiliate berkeleyEduAffiliations
CNR-1066	Provision ADVCON berkeleyEduAffiliations
CNR-1070	Provision UAS Identifier from LDAP_AFFILIATESOURCE data
CNR-1071	Provision uas affiliate id as part of LDAP berkeleyEduAffID array
CNR-1072	Provision uasAffiliateId as LDAP berkeleyEduCalNetAffID
CNR-1074	changes to NameTypeEnum[] priorityList
CNR-1075	SGS registry-p1 still occasionally throwing deadlock exceptions
CNR-1078	Provision birthday info to LDAP
CNR-1080	Provision berkeleyEduCalNetIDUpdatedDate
CNR-1081	Provision berkeleyEduCalNetUIDConsolidationDate
CNR-1082	Provision berkeleyEduCalNetUIDOld
CNR-1084	prov-scripts needs refactoring for LDAPDownstream to use person objects directly instead of as JSON or a Map
CNR-1085	Provision berkeleyEduUnitHrDeptName
CNR-1086	Registry service should write, when a record is consolidated.
CNR-1090	Disable legacy SIS SOR
CNR-1092	Change legacy SIS isActive logic to always return false now
CNR-1093	Modify LdapSync logic to account for Registry being responsible for provisioning HRMS and ADVCON to LDAP now
CNR-1097	Why is ADVCON cads2986 not matching up to Expired uid 563834 in prod?
CNR-1100	Will need to create ArchiveIdentifier records for any current LDAP identifiers not matched up to a SORObject so they don't get overwritten
CNR-1103	crosswalk service occasionally throws LinkedHashMap exception
CNR-1105	ldapSyncQueue is hanging/crashing/notworking
CNR-1106	Add an "unknown affiliate id" identifier type
CNR-1108	Replace LdapPersonIdentifier json with IdentifierArchive json in PersonSorObjectsJson
CNR-1109	Create dummy web service to trick OpenIDM into resetting its sync key for testing purposes
CNR-1110	Fix deleteTrackStatus, throws an exception
CNR-1111	Write a general LDIF "diff" script to compare two LDIF files for differences
CNR-1114	Don't provision berkeleyEduBirthYear to LDAP
CNR-1115	berkeleyEduBirthDay and berkeleyEduBirthMonth should always be formatted with two digits (leading '0' if necessary)
CNR-687	Add hcmEmployee role(s)
CNR-791	Provision SORObject(SOREnum.CALNET_CREDMGMT) oldCalnetId
CNR-799	Upgrade match-service and match engine to Grails 2.5.4
CNR-988	Provision primary job title code to LDAP
CNR-989	Provision primary department to LDAP
CNR-990	Provision department code to LDAP
CNR-991	Provision employee number to LDAP
CNR-992	Provision employee type to LDAP
CNR-993	Provision person's affiliations to LDAP
CNR-994	Provision person names to LDAP
CNR-995	Provision unique identifiers for a person to LDAP
CNR-996	Provision old CalNet ID to LDAP
CNR-997	Provision ou to LDAP
CNR-999	Refactor LdapDownstreamBuilder
CNR-1116	OpenIDM on registry-d1 isn't moving people from ou=people to ou=advcon people
CNR-1122	Prevent OpenIDM from reprovisioning SPAs to LDAP
CNR-1121	Provision AFFILIATE-TYPE for HCM affiliates into LDAP berkeleyEduAffiliations
CNR-1124	Clear out all berkeleyEduAffiliationsDetailed values now
CNR-1104	Quartz job to observe CsCampusIdMismatchView and set PersonIHub.timeresendrequested and trigger to service to resend those
CNR-1059	After all new apps deployed using hcmId IdentifierType, remove deprecated hrmsEmployeeId from IdentifierTypeEnum and prov-scripts and the table

September 21, 2016

This is a release to deploy endpoints for ADVCON to use Account Manager. In addition, this release includes new features and improvements to the CalNet Admin tool and a necessary change in the CalNet Account Manager required by the CalGroups service. CMR: 4817.

Services Affected

Berkeley Person Registry Services
CalNet Admin Tool
CalNet Account Manager

Tickets Resolved

Ticket	Comment
CNR-996	Provision old CalNet ID to LDAP
CNR-1022	Develop API for ADVCON to replace account claiming API to herb service
CNR-1023	Make REST endpoints for reprovisioning and sorHash/sorQuery
CNR-1043	Create endpoint for advcon to use passphrase reset
CNR-1044	Endpoint for ADVCON to set recovery Email address
CNR-1045	Endpoint for ADVCON to set passphrase
CNR-1061	Implement pagination and showing rejected records for PartialMatch service
CAT-38	Replace registry-p1 and idm-p2 scripts with CAT buttons
CAT-81	Improve view of list of records to be matched
CAT-82	Generate an notification email when account is locked / unlocked
CAT-83	Edits to account locking/unlocking email content
CM-293	Switch to berkeleyEduIsMemberOf

September 14, 2016, 6:00 am

For this release, we will point the production CAS cluster to a new, more powerful OpenDJ LDAP cluster for back-end directory services. This change will be transparent to both CAS client applications as well as users; it is an internal change for the service with no external impact other than better performance. See CMR: 4787

Services Affected

August 18, 2016, 10:00 pm

This emergency patch is an update to CalNet import code deployed to fix changes to SOR Gateway Service. It should reduce or eliminate the frequent exceptions currently being seen when a data import job is attempted due to Spring JDBC pooling bug. Crosswalk service should not be impacted.

Registry-p1Tomcat restart required. CMR: 4752.

Note: this change during the No Fly Zone has been approved by SIS project team.

Services Affected

Berkeley Person Registry
LDAP

August 10, 2016

This release is in response to a security advisory by OpenIDM. It contains a patch to OpenIDM 3.1.0 which will be applied to registry-d1 and prevents exposure of vulnerable encryption keys. CMR: 4734

A separate release issues changes to LDAP production.

Services Affected

Registry Provisioning
LDAP
OpenIDM

Tickets Resolved

Ticket	Comment
CNR-1008	Seed displayName in LDAP to an initial value if not set
	Added csRegisteredStudent role and set -REGISTERED affiliation in LDAP

August 9, 2016

This new SOR Gateway service release will fix a bug in the the programming logic that determines employee affiliation as well as implementing newly developed logic for determining terms for registered students. It also deploys a fix for database production errors. CMR: 4729.

Services Affected

Berkeley Person Registry
LDAP

Tickets Resolved

Ticket	Comment
CNR-987	CS Employees with both an Employee AND Instructor affiliation are still getting into the partial match queue
CNR-917	Determine current or future CS terms
CNR-970	Logic for determining start of next Fall or Spring term for -REGISTERED period
CNR-982	Tweak "employee-only-without-a-CAMPUSID" logic to ignore "APPLICANT/Applied" affiliations when calculating if employee-only or not
CNR-1001	Try to find another way to get a Postgres BaseConnection object in the SGS other than by using custom SafeNativeConnectionExecutor, which may be contributing to SGS exceptions.
CNR-1003	Fix PostgreSQL SGS refreshPersonSorObjectsJson deadlock scenario
CNR-1005	"Already value for key" connection pool exceptions in SGS

August 7, 2016, 6:00 am

The campus CAS server cluster behind auth.berkeley.edu will have the OS patched, the CAS server upgraded to release 4.1.9 and an improved Spring LDAP pooling configuration. These changes are currently in place for the auth-test.berkeley.edu service. No new TLS certificate is involved and no service outage is planned. CMR 4679.

Services Affected

CAS
LDAP

Tickets Resolved

Ticket	Comment
CM-4679	CAS server upgrade and patching

August 3, 2016

This patch to the SOR Gateway Service changes the validation query on connections in the database connection pool to see if it helps get rid of prematurely closed exceptions that are causing exceptions to be thrown when re-hashing and re-querying. CMR: 4720.

Requires a registry-p1 Tomcat restart.

Services Affected

CalNet Admin Tool

August 2, 2016

All CalNet services including CAS (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), LDAP Directory (ldap.berkeley.edu) will be unavailable for a 10 to 15 min window - between 4 and 4:30 am - while new network load balancer equipment is enabled. CMR 4685.

Services Affected

CAS
LDAP
Shibboleth

August 1, 2016

This releases added account locking and unlocking features within CalNet Admin Tool for CalNet staff. It also contained minor UI edits and created access for additional roles. CMR: 4714.

Services Affected

CalNet Admin Tool
CalNet Account Manager
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CAT-71	Outgoing email on lock/unlock do not show HTML correctly
CAT-5	Ability for CalNet Staff to lock accounts
CAT-6	Ability for CalNet Staff to unlock accounts
CAT-39	Person must have "locked" flag
CAT-64	Check wording for email sent to user when account is locked
CAT-65	Check wording for email sent to department when account is locked
CAT-66	Check wording for email sent to user when account is unlocked
CAT-68	Create a role and view for Limited View group
CAT-69	Add Recovery Email Address to basic Info
CAT-70	Create role for security
CAT-73	In QA, no form on the CAT home page
CAT-74	CAT does not reflect recovery email address entered in CAM
CAT-75	Ability to update recovery email address for a user with no CalNet ID
CAT-76	Added a way to bump logging levels on server
CAT-78	Testing in QA: unclear error message when searching
CM-289	Change order of menu links
CNR-980:	Prevent locked accounts from doing Account Manager service call
CNR-947	Endpoint to lock and unlock account
CNR-980	Make creation of CredManangerSor able to take only recovery email without CalNet ID

July 19, 2016

This release deployed a change that prevents pulling Campus Solutions employee-only records into Berkeley Person Registry/CalNet unless they have a UID already set in CS. This is so we can reliably match CS employees with HCM records.

This release does require a Tomcat restart. CMR: 4682

Services Affected

SOR Gateway Service
Berkeley Person Registry
LDAP

July 9, 2016, 12:00 am

Hotfix: Use csDelegateProxyEmailAddress directly when sending out proxy delegate emails (with a fallback to calnetCredentialRecoveryEmailAddressCalculated). CMR: 4668.

Services Affected

CalNet Account Manager
Berkeley Person Registry

July 8, 2016, 4:00 pm

This patch fixes a bug in the "CalNet SOR Person" tool (used in the creation of test accounts). CMR 4666.

Services Affected

SOR Gateway Service
CalNet SOR Person Creation Tool

July 5, 2016

This patch issues a fix to the SGS nightly LdapSync process that queries for unmatched CS objects to send to the match queue.

Services Affected

Berkeley Person Registry
LDAP

July 5, 2016

This release deploys fixes for registry-provisioning and registry-service and changes the way Recovery Email Addresses are calculated.

Services Affected

Berkeley Person Registry
LDAP

Tickets Resolved

Ticket	Resolved
CNR-952	Reset "STU-" affiliations in LDAP, not just "STUDENT-", for CS people.
CNR-953	Modify registry-service PeopleToProvision to include all changed DownstreamObjects in the OpenIDM query, not just for CS people. (In support of CNR-952 fix)
CNR-957	When person has no SORObject other than LDAP, set DownstreamObject DN to whatever the existing LDAP DN is. (In support of CNR-952 fix)
CNR-966	Reject all email addresses that end in berkeley.edu for calnetCredentialRecoveryEmailAddressCalculated email type.

July 1, 2016

This release features enhancements recommended by security assessments as well as instructional additions. An additional release at 4pm includes a patch to Registry SOR Gateway Service to assign new CS employees a UID based on the UID they send us instead of fuzzy matching.

Services Affected

Berkeley Person Registry
CalNet Account Manager
LDAP

Tickets Resolved

Ticket	Resolved
CM-284	ASTP Report Action Item: return response header with name "X-Frame-Opt"
CM-286	Refactor rest client calls out of CAM and into plugin to also be used in CAT
CM-287	Added instructions online for users claiming an account but have no recovery email address
CM-288	Added "Affiliate ID" to instructions
CNR-961	Modify SGS to assign SORObject a UID if UID exists in the source key data
CNR-945	ASTP Report Action Item: increase token length to 16 characters

June 29, 2016

Deployment of new code to the CalNet Registry Stack. It also includes a minor bug fix for the registry-service as well as registry upgrades. New logic to prevent the creation a new UID for employee records from Campus Solutions. UID creation should only happen when a record comes from HCM. CMR 4641.

Services Affected

Berkeley Person Registry
- Provisioning
- SOR Gateway Service
- Match Service
LDAP

Tickets Resolved

Ticket	Comment
CNR-799	Upgrade match-service and match engine to Grails 2.5.4
CNR-886	Modify SGS and to send CS people that don't have an admit/sircompleted/student affiliation to match queue with matchOnly indicator set to true
CNR-904	The displayName parser may not be parsing lastName, firstName correctly (is this different than normal displayName format?)
CNR-912	@LogicalEqualsAndHashCode refactor for domain classes to improve provisioning performance
CNR-913	Add sysadm.PS_UC_SRVC_IND_VW1 (Service Indicators) to SGS CS query
CNR-919	Prevent circular reference loop in @DomainEqualsAndHashCode hashCode() generator
CNR-924	LDAP DownstreamObject bug when LDAP fields have JSON characters in them
CNR-930	Add a "matchOnly" indicator for match queue messages for registry-match-service
CNR-932	add a sql statement timeout in SGS to avoid deadlocks in the consumer of the SORObject JSON queue
CNR-933	Modify LdapSync to call rematch service on CS SORObjects that haven't yet matched up to a UID
CNR-934	Modify registry-match-service to remove sorObject from PartialMatch when uid assigned
CNR-935	CsPersonRoleBuilder not assigning csEmployee role to all people with active CS jobs
CNR-937	If LdapSync assigns an uid to a SORObject, remove that SORObject from PartialMatch table if it exists
CNR-939	Assign csEmployee role to anyone with a CS EMPLOYEE affiliation

June 28, 2016

This release is an enhancement to the Change CalNet ID form. It improves error handling, updates CalNet ID requirements and includes some minor text changes. It also includes improved search function and enhanced admin capability to update a user's recovery email address. CMR 4640.

Services Affected

CalNet Account Manager
CalNet Admin Tool
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CAT-4	Ability for CalNet admins and deputies to change recovery email address for user
CAT-50	Simple Search functions not working for certain attributes
CM-281	Refactor PersonUtil out of Account-Manager into registry-commons
CM-280	Format change in Change CalNet ID form
CM-279	Allow CalNet IDs not created by Acct Mgr to be changed
CM-274	Remove SIS links from Acct Mgr Admin Home page
CM-273	Reformat Change CalNet ID form
CM-272	Update CalNet ID requirement
CM-267	Need to check if an account is locked before allowing access
CM-262	When changing calnetId, and the passphrase is wrong, the shown message is not reflecting this.
CM-261	Change instruction text in Change CalNet ID form

June 23, 2016

CalNet ran a job to correct 454 student records that had been incorrectly set to expired status which was affecting email access. A check of impacted records has confirmed that the job was successful.

Services Affected

LDAP

June 22, 2016

The auth.berkeley.edu CAS cluster [1] will begin using as primary its current failover dedicated OpenDJ LDAP cluster (dir-auth.calnet.1918.berkeley.edu) [2] beginning Wednesday, June 22 at 6 am.

There is no planned outage for this migration, which will be over at 6:15 am. At that time, the current primary cluster (nds-auth.calnet.1918.berkeley.edu) will become the failover target. See CMR 4577.

The new OpenDJ cluster provides a 50% increase in vCPU capacity (6 vs. 4) and twice the JVM RAM available (14 vs. 7 GB) compared to the current OpenDJ cluster it replaces. The new nodes are running RHEL 7.2 vs. 6.7 for the OS.

[1] auth.berkeley.edu consists of cas-p2.calnet.berkeley.edu, cas-p3.calnet.berkeley.edu, and cas-p7.calnet.berkeley.edu

[2] dir-auth.calnet.1918.berkeley.edu consists of dir-p4.calnet.1918.berkeley.edu, dir-p5.calnet.1918.berkeley.edu, dir-p10.calnet.1918.berkeley.edu.

These new OpenDJ VMs are running OpenDJ 2.6.4 with 6 vCPUs and 24 GB RAM each using tuned 14 GB OpenJDK 8 JVMs on RHEL 7.2 servers.

Services Affected

CAS
LDAP
Shibboleth

Tickets Resolved

Ticket	Comment
OPS-332	Convert auth.berkeley.edu cluster to use dir-auth.calnet.1918.b.e OpenDJ cluster

June 17, 2016

Hotfix being deployed to production to fix bug causing large "cn" values, leading to problems in LDAP. No Tomcat restarts anticipated due to change happening in external provisioning scripts. See CMR 4623.

Services Affected

LDAP
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CNR-924	LDAP DownstreamObject bug when LDAP fields have JSON characters

June 14, 2016

Fixes bug in which users with numeric values for CalNet IDs encounter errors in ID creation.

Separate release enhances CalNet Account Manager to allow use by people not associated with CS. CMR: 4631.

Services Affected

CalNet Account Manager
LDAP
Berkeley Person Registry

Ticket Resolved

Ticket	Comment
CM-265	MAP@Berkeley(link sends e-mail) users with all numeric CalNet IDs can't create a CalNet ID
CNR-915	Need to always write beKerberosPrincipalString to LDAP when someone has a CREDMGMT SORObject

June 10, 2016

This release includes a bug fix to correct matches and show claim token. Feature enhancement includes showing LDAP record, search function improvements and revamped UI.

Services Affected

CalNet Admin Tool

Tickets Resolved

Ticket	Comment
CAT-58	Match fails in prouction CAT
CAT-3	Reconciliation Manager stops displaying new partial matches
CAT-8	Ability to see LDAP record
CAT-12	Make login interval longer
CAT-25	Whan app times out, require user to log in
CAT-26	Display search result in list format
CAT-31	Create another access role for view only with raw data
CAT-42	CAT master is failing Bamboo tests, preventing deployment to prod
CAT-45	Reconcile mis a button to click when matching records
CAT-47	Hide SSN in SR
CAT-48	CAT does not show tokens - this is needed for support

June 3, 2016

Update: This release is complete. Known issues with CAT search results are being investigated.

This release improves LDAP provisioning performance and CalNet Admin Tool and Account Manager, as well as fixes various bugs. Fixes include changes to permissions and processes for those using the Account Manager to change their CalNet IDs and addressing inconsistency in CalNet Admin tool searches to yield improved search results. Due to changes in this release, reprovisions will be required within the registry stack. See CMR 4613.

Services Affected

Berkeley Person Registry

Provisioning

CalNet Admin Tool
Account Manager
LDAP

Tickets Resolved

Ticket	Comment
CAT-22	Inconsistent search results
CM-255	Change email address for Change CalNet ID notices
CM-256	Allow CalNet ID change to existing name if UID owns it
CM-257	Only allow CalNet ID change with CM tool for IDs created through CM
CM-260	Update "from" email in prod.
CM-271	Delegate email changes - critical changes requested
CNR-779	registry-service endpoint to allow calnetID change
CNR-822	Add newCalnetId to change calnet id track status
CNR-824	REST endpoint to check if a calnet id was created by account-manager
CNR-826	Registry Service Endpoint URL changes for checkForExistingCalnetId now with UID
CNR-827	Endpoint for checkForExistingCalnetId must take into account uid
CNR-828	Inconsistent search result - interim solution
CNR-841	Move LDAP attr-determination scripts from OpenIDM to registry-provisioning-scripts and write JSON to DownstreamObject table
CNR-844	Add LDAP attributes to SGS LDAP querying that are used in LdapDownstreamBuilder
CNR-849	Have the SGS pull in all LDAP attributes except metadata like timestamps and modifiedBy etc
CNR-850	Modify peopleToProvision service to read from DownstreamObject table
CNR-862	Set OpenIDM to "own" CS people with CS Student affiliation
CNR-863	Endpoint to disable and enable password reset request
CNR-864	Reset passphrase should be prevented if flag is set in registry
CNR-866	A provisionUid bug somewhere in the SOR Gateway Service processing chain
CNR-867	Create a second provisionUidBuild queue for "bulk" operations like from queueChangedIdentities.sh
CNR-876	Don't write berkeleyEduOfficialEmail and mail back to LDAP
CNR-877	Improve CollectionUtil.sync performance

May 27, 2016

Emergency patch to OpenIDM in production to not write to berkeleyEduOfficialEmail and mail attributes. This will require an OpenIDM restart.

When: Approx 11:10am.

See CMR 4606.

Services Affected

LDAP Provisioning

May 25, 2016

Available for testing on auth-test: May 19, 2016

The CAS service for the auth.berkeley.edu cluster will use Spring LDAP pooling for SPA lookups. This improves the efficiency of those searches so that CAS queries to populate the SPA pick list occur more quickly.

See CMR 4591.

Services Affected

CAS
LDAP
CalGroups

Tickets Resolved

Ticket	Comment
OPS-334	Spring LDAP pooling for CAS SPA lookups

May 22, 2016

RHEL 6.x OS patching for production MIT Kerberos KDC cluster completed.

See CMR 4558.

Services Affected

Campus MIT Kerberos

Tickets Resolved

Ticket	Comment
	OS patching MIT Kerberos KDCs.

May 21, 2016

Edits made to delegate email to make claiming a delegate account more user friendly.

Services Affected

CalNet Account Manager

Tickets Resolved

Ticket	Comment
CM-271	Delegate email changes - critical changes requested

May 18, 2016

People in CS with only student affiliation and not admit or SIRCompleted affiliations are now getting "berkeleyEduAffiliations: STUDENT-TYPE-NOT REGISTERED" set in LDAP.

Services Affected

Berkeley Person Registry
LDAP Provisioning

Tickets Resolved

Ticket	Comment
CNR-862	Set OpenIDM to "own" CS people with CS Student affiliation.

May 16, 2016

The obsolete DNS CNAME records for auth2.berkeley.edu and ncas.berkeley.edu were removed from DNS today.

See CMR 4579.

Services Affected

May 13, 2016

Edited logic to deal with duplicates in Berkeley Person Registry. Implemented redirect for idc.berkeley.edu to calnetweb.berkeley.edu.

Services Affected

Berekely Person Registry
LDAP Provisioning
idc.berkeley.edu

Tickets Resolved

Ticket	Comment
CNR-848	Move CS SORObjects between dupe uids according to some logic
OPS-333	Redirect idc.berkeley.edu to calnetweb

May 10, 2016

Bug fixes and URL update for Calnet Admin Tool. Redirect for mycalnet.berkeley.edu implemented.

Services Affected

Account Manager

May 3, 2016

Data import enhancements to recognize additional role types in the Berkeley Person Registry for students in Campus Solutions and employees in HCM.

Updated LDAP provisioning logic to allow CalNet ID changes for all account types via the Account Manager. See CMR 4553.

Services Affected

Berkeley Person Registry
Account Manager
LDAP Provisioning

Tickets Resolved

Ticket	Comment
CNR-687	Add HCM roles.
CNR-790	Re-enable assigning csUndergraduate/csGraduate/csStudent roles in Registry and also add csExtension and csAdvisor roles.
CNR-794	Upgrade to Grails 2.5.4.
CNR-795	Upgrade to Grails 2.5.4.
CNR-805	Change SGS HCM query for better recognition of Peoplesoft effective dating in hrms.employee_verif_v view.
CNR-806	Change SGS HCM query for better recognition of Peoplesoft effective dating in hrms.employee_verif_v view.
CNR-807	Change SGS HCM query for better recognition of Peoplesoft effective dating in hrms.employee_di_v view. (Partially complete. Next release will have further mods).
CNR-832	Always write berkeleyEduKerberosPrincipalString and berkeleyEduCalNetIDUpdatedFlag.

May 1, 2016

As part of the SIS 5.3 Release, CalNet will be coordinating with bCourses, CalCentral and MAP@Berkeley(link sends e-mail) to update the CAS URLs their clients are using from auth2.berkeley.edu(link is external) to auth.berkeley.edu(link is external). See CMR 4547.

Services Affected

CAS MAP@Berkeley(link sends e-mail) plugin
Account Manager

April 27, 2016

Update feature in CalNet Account Manager.

Services Affected

CalNet Account Manager

Tickets Resolved

Ticket	Comment
CM-255	Change email address for Change CalNet ID notices

April 24, 2016

A CAS 4.1.7 security patch is scheduled for deployment on Sunday 4/24/16 at 6am. This version is already deployed to auth-test.b.e. There will be a 1 minute outage during the restart of all CAS nodes. See CMR 4529.

Services Affected

April 21, 2016

Minor updates CalNet Account Manager.

Services Affected

CalNet Account Manager

Tickets Resolved

Ticket	Comment
CM-249	Text Corrections
CM-250	Disallow SPA's to make any changes

April 20, 2016

New features to the CalNet Account Manager and Berkeley Person Registry allow users to change CalNet ID. Minor updates to menu and message language.

Services Affected

CalNet Account Manager
Berkeley Person Registry

Tickets Resolved

Ticket	Comment
CM-234	Ability for emps/students to change calnet ID
CM-236	Change menu item label
CM-244	Edit message for those claiming an account but who already have one
CM-246	Error message for people who can't reset password via CM
CNR-779	Registry-service endpoint to allow calnetID change

April 17, 2016 - deferred

Delayed, to be rescheduled.

CAS URL updated to auth.berkeley.edu(link is external) for Account Manager and MAP@Berkeley(link sends e-mail) delegated authentication.

Services Affected

CAS delegated authentication
CalNet Account Manager

April 11, 2016

Summary

Added new features to the CalNet Account Manager application to allow users to reset their passphrase and change their recovery email address.
Added error reporting to calnet-systems@berkeley.edu(link sends e-mail).
Added filter to disallow undergraduate admits who have not SIR'ed from creating a CalNet ID.
Revised code to allow users with CalNet ID's that are all-numeric or begins with "CADS" to be able to create a new CalNet ID.
Revised code to check the namespace before granting a CalNet ID.
Revised code to check that a delegate does not have CalNet ID before allowing them to create one.
Minor webpage and email content edits.

Services Affected

CalNet Account Manager
Berkeley Person Registry
LDAP Provisioning

Known Bugs with this Release

This issues are being addressed and will be resolved as soon as possible.

Requesting an update to an empty external email address currently isn't working.
When a requestor submits their recovery email address to reset their passphrase, CalNet Account Manager is erroneously showing the requestor's non-employee and non-student accounts, if they exist, to be reset. This functionality doesn't work and will be addressed in a later version.

Tickets Resolved

Ticket	Comment
CM-123	Ability for emps/students/delegates to reset forgotten passphrase
CM-169	Of the admitted undergrads, only those who accepted their offers can claim CalNet ID
CM-187	NPE in DelegateService.bindDelegateCommands
CM-188	If a delegate account already has a CalNet ID don't let them claim
CM-192	Change polling delegates timing
CM-197	Delegate account email "I already have a CalNet ID" doesn't work.
CM-206	Check namespace for CalNet ID availability
CM-213	Update Account Manager Main Menu
CM-214	Allow people with all numeric or cads calnet ids to create a new calnet id
CM-223	PW reset Email Invite Format changes
CM-224	Add contact info in CalNet Account Manager
CM-225	Send Error log entries to calnet-systems@berkeley.edu(link sends e-mail)
CM-227	Testing Findings Using QA Stack
CM-228	Revise Reset Passphrase form
CM-230	Testing Reset Passphrase Using Dev
CM-231	Testing Reset Passphrase Using QA
CM-232	Username and Email address are Null for slate student
CM-235	Update to account creation page
CM-236	Change menu item label
CM-237	Edit email confirmation to delegates - SIS request
CM-238	Account manager CAS configuration needs updating

April 8, 2016 - deferred

Deferred until we determine how to support LDAPS via the SLB/VIP for ldap.berkeley.edu.

Update and patch the OS and JVM for the nds-auth LDAP directory cluster nds-p4/-p5/-p10 (used by the auth.b.e CAS cluster) and perform a rolling upgrade of the OpenDJ servers to the 2.6.4 release.

Services Affected

CAS and LDAP

April 7, 2016

Registry Provisioning and OpenIDM bug fixes and preparations for new account manager functionality.

Services Affected

LDAP Provisioning

Tickets Resolved

Ticket	Comment
CNR-754	provisionUid is removing and re-adding the same identifiers every time it reprovisions
CNR-765	Create csDelegate role in Registry
CNR-766	Make it so none of the provisioning-scripts builders run if the SORObject is isDeleted=true
CNR-767	Distinguish between active (future) and inactive (ex) STUDENT-TYPE-NOT-REGISTEREDs.
CNR-768	Don't set STUDENT-TYPE-NOT REGISTERED if STUDENT-TYPE-REGISTERED is set.
CNR-770	OpenIDM throwing exceptions trying to rename namespace entries
CNR-771	OpenIDM needs to refire recon-by-id somehow after LINK and UNLINK operations
CNR-775	Probable bug where the CS IdentifierBuilder is not detecting properly when there is only one job and its active
CNR-776	isActive on HRMS identifier possibly set incorrectly.
CNR-785	Remove LDAP Student expiration dates when adding an active CS affiliation

March 29, 2016

Three releases scheduled. Upgrade to production ActiveMQ 5.13.2 on amq-p1. Bug fix for CalAccess that repaired the service that checks on FERPA requirements for a user.

Scheduled CAS upgrade in which default CAS Authorization was pushed into production at auth.berkeley.edu was disabled because of a bug in LDAP. We are investigating the issue and will update you with our plans going forward as we are able to.

Services Affected

Berkeley Person Registry
LDAP Provisioning
CalAccess
CAS

Tickets Resolved

Ticket	Comment
CNR-758	Upgrade to ActiveMQ
CA-299	FerpaService fails to authenticate

March 28, 2016

Emergency fix to remove blocker for LDAP provisioning.

Services Affected

OpenIDM
LDAP Provisioning

Ticket	Comment
CNR-770	OpenIDM throwing exceptions trying to rename namespace entries

March 20, 2016

Bug fix to handle account creation issues reported by users.

Services Affected

Berkeley Person Registry
CalNet Account Manager
LDAP Provisioning
Kerberos Provisioning

Tickets Resolved

Ticket	Comment
CM-220	Account Creation is failing
CM-218	Production Account Manager is throwing locking exceptions

March 18, 2016

Feature enhancements for the following:

ability for delegates to create their CalNet ID accounts
ability for CalNet ID account holders to change their external email addresses

Code fixes for the following:

error handling when an expired token is used to claim an account
changes to confirmation email content and format
checking that a user’s requested CalNet ID is not already in namespace

Services Affected

Berkeley Person Registry
CalNet Account Manager
LDAP Provisioning

Tickets Resolved

Ticket	Comment
CM-147	ability for emps/students/delegates to change recovery email
CM-179	Delegates can claim account directly
CM-180	When user tries to use an expired token, they see a CAS login
CM-183	edit delegate email invitation to create CalNet ID
CM-198	edit confirmation email message when a CalNet ID is activated
CM-199	format changes for confirmation message when a delegate's CalNet ID is created
CM-200	Confirmation page for undergrads is broken
CM-201	send email to existing accounts about the change request for recovery email address
CM-202	content for email to continue process for recovery email address creation
CM-207	account-manager must verify calnetId on new checkForExistingCalnetId endpoint in registry-service
CM-209	send email to new account to confirm completed recovery email address process
CM-211	New wording change for delegate invite mail
CM-217	Edit email confirmation message for delegates again!
CNR-717	Registry-service endpoint to store and verify recovery email address
CNR-723	Write CalNet ID to namespace upon creation

March 17, 2016

This was a fix for bug that was allowing new users to create CalNet IDs that had already been reserved by some other system. Usually an email alias or mail list name. 42 affected CalNet IDs were changed to resolve the conflict and new code was deployed to improve namespace updates when new CalNet IDs are created.

Services Affected

Berkeley Person Registry
CalNet Account Manager
LDAP Provisioning

Tickets Resolved

Ticket	Comment
CN-723	Write CalNet ID to namespace upon creation

March 16, 2016

Bug fix release to improve logging and to deploy updates to the account creation process to do more thorough namespace checking.

Services Affected

CalNet Account Manager
Berkeley Person Registry
LDAP Provisioning

Tickets Resolved

Ticket	Comment
CM-207	account-manager must verify calnetId on new checkForExistingCalnetId endpoint in registry-service
CNR-537	Remove the SOR Sql objects from SGS resources.groovy
CNR-682	Make CS_DELEGATE hash/query timestamp-aware
CNR-692	SisStudentIdentifierBuilder.isActive is not handling multiple terms nor disregarding past terms
CNR-709	in registry-provisioning-scripts, use parseFullName() as an additional way to try to parse out individual name components from displayName
CNR-718	Don't make "sorObject not found" a "fatal" error in NewUidService
CNR-719	Add INFO log statement when oprId, security key, or email changes for CS_DELEGATE

Quick Links

CalNet operates a complex suite of applications that support the Identity and Access Management functions of the University. Below are CalNet releases from previous calendar years. Records of releases have been maintained on this website since March 2016.

You can sign up to receive timely notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases(link is external) and click JOIN.Or, see current year CalNet Releases.

November 13, 2022, 8:00 am

November 6, 2022, 8:00 pm

October 20, 2022, 7:00 pm

October 3, 2022, 5:00 pm

September 7, 2022, 7:00 pm

August 12, 2022, 11:00 am

August 10, 2022, 7:30 pm

August 10, 2022, 7:00 pm

July 1, 2022, 3:00 pm

July 1, 2022, 12:00 pm

June 30, 2022, 9:00 am

June 7, 2022, 5:30 am

May 24, 2022, 7:00 pm

April 5, 2022, 8:00 pm

April 1, 2022, 1:00 pm

March 31, 2022, 11:45 am

March 31, 2022, 8:00 am

March 24, 2022, 10:00 am

March 22, 2022, 7:00 pm

March 22, 2022, 7:00 pm

February 17, 2022, 7:00 pm

February 17, 2022, 7:00 pm

January 30, 2022, 9:00 am

December 21, 2021, 7:00 pm

December 2, 2021, 7:00 pm

November 30, 2021, 7:00 pm

October 15, 2021, 6:00 am

October 10, 2021, 8:30 am

September 25, 2021, 6:00 am

September 1, 2021, 7:00 pm

August 8, 2021, 6:00 am

July 29, 2021, 6:45 pm

July 22, 2021, 7:00 pm

June 17, 2021, 7:30 pm

May 24, 2021, 11:05 am

May 20, 2021, 7:00 am

May 20, 2021, 5:00 am

May 19, 2021, 7:00 pm

May 5, 2021, 9:00 pm

May 2, 2021, 6:00 am

April 25, 2021, 6:30 am

April 21, 2021, 9:00 am

April 15, 2021, 7:00 pm

March 31, 2021, 7:00 pm

March 22, 2021, 7:00 pm

March 4, 2021, 6:30 pm

February 23, 2021, 6:00 am

February 11, 2021, 7:00 am

January 1, 2021, 9:00 am

December 21, 2020, 8:00 am

December 3, 2020, 6:30 pm

November 30, 2020, 7:00 pm

November 30, 2020, 6:30 pm

November 30, 2020, 6:00 pm

November 17, 2020, 8:00 pm

November 12, 2020, 10:00 pm

November 8, 2020, 9:00 am

October 29, 2020, 7:00 pm

October 29, 2020, 7:00 am

October 17, 2020, 9:00 am

September 25, 2020, 2:00 pm

September 19, 2020, 9:00 am

September 19, 2020, 7:00 am

September 10, 2020, 7:00 pm

September 9, 2020, 7:00 am

September 2, 2020, 9:00 am

September 1, 2020, 10:30 am

September 1, 2020, 7:00 am

September 1, 2020, 7:00am

July 23, 2020, 7:30 am

July 22, 2020, 8:00 pm

July 8, 2020, 7:00 am

July 4, 2020, 7:00 am

July 1, 2020, 6:30 am

May 25, 2020, 7:30 am

May 23, 2020, 8:00 am