CalNet Releases

CalNet operates a complex suite of applications that support the Identity and Access Management functions of the University.  As technology is updated throughout the CalNet portfolio, updates will appear on this page.  

If you support technology that depends on CalNet tools, this is the best place to look to understand if something in the CalNet technology stack has changed and how it could be affecting your services. You can also sign up to receive notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases and click JOIN.
 

                


Upcoming Releases


Recent Releases

May 25, 2020, 7:30 am

We have upgraded CalGroups production servers to Grouper version 2.4. CMR: CHG0033624

Services Affected

  • CalGroups 


May 23, 2020, 8:00 am

This change updates the CAS configuration to allow the release of the mail attribute for Sponsored Guests. CMR: CHG0033623

Services Affected

  • LDAP
  • CAS
  • CalNet Sponsored Guests 

May 14, 2020, 6:00pm

This release includes the following bug fix and feature enhancements, and will include a brief outage (less than 5 minutes) of BPR apps while the servers restart. CMR: CHG0033589

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool
  • CalNet Namespace
  • Berkeley Person Registry

Tickets Resolved

TicketComment
CAT-172 Add Status and Expiration Date to CAT
CNR-2011  Changes to ou and berkeleyEduExpDate calculation for some students
CNR-2013  New Changes to Account Locked Emails
CNR-2010 User with CAT Role: ROLE_IHUB_TRIGGER is not able to trigger iHub message
CNR-2012 Create new person info registry-service endpoint for Directory Update app

April 29, 2020, 9:55pm

This release will change the method of download for the InCommon Metadata. We have been doing nightly downloads of the entire list of InCommon SPs. A new method, Metadata Query service (MDQ), allows us to only download the SPs we need to access.
We will also begin the IDP cert change process. It involves adding the replacement cert to the metadata along with the original cert, allowing time for SPs to pick up the new cert, and eventually removing the original cert from the metadata. CMR: CHG0033559

Services Affected

  • Cloud based services including bConnected
  • Shibboleth

April 28, 2020, 7:16am

This release is the removal of assured replication from the CalNet LDAP replication domains.CMR: CHG0033523

Services Affected

  • LDAP

April 28, 2020, 7:16am

This release applies additional OS security settings to our systems. This change is to configure the level 1 and 2 CIS benchmark settings.CMR: CHG0033480


April 17, 2020, 2:08pm

This release updates BPR and changes the managing of expired STU-DELEGATEs. When a student affiliation is expired, the delegate's stu-delegate affiliation will also expire.
When a student has extended SIS access, the delegate's affiliation should expire when the student's extended SIS access affiliation expires. There is no grace period for STU-DELEGATE affiliations. CMR: CHG0033488

Services Affected

  • BPR

April 14, 2020, 6:44am

This release will enable hostname whitelisting to the CAS Duo integration in production. This was done for auth-test several months ago.CMR: CHG0033474
Services Affected

  • CAS

April 3, 2020, 8:55am

This release adds an additional cipher to our LDAP servers' configuration to support older hosts using openssl.CMR: CHG0033453
Services Affected

  • LDAP

March 18, 2020, 6:30pm

This release disables TLS 1.0 and 1.1 so that clients/integrations must use at least TLS 1.2.CMR: CHG0033356
Services Affected

  • BPR
  • CalNet Account Manager
  • CalNet Admin Tool
  • CalGroups
  • CAS
  • LDAP
  • Shibboleth

 March 18, 2020, 6:30pm

In this release, we will be applying a text change to the Berkeley Person Registry (BPR), specifically the CalNet Account Manager. Most public-facing BPR functions, like the CalNet Account Manager and CalNet Admin Tool, will be offline for a minute or two while the server restarts. CMR: CHG0033431

Services Affected

  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

March 16, 2020, 6:00am

This release is the removal of the expiring AddTrust root certificate is in the SSL template used for the EWH CAS load balanced VIP. CMR: CHG0033399


March 3, 2020, 9:30pm

We will be changing the source for the org tree data found in production LDAP on Wednesday 3/4 from 9:30 - 10. There is no expected downtime. CMR: CHG0033388


March 3, 2020, 9:00pm

We will change the certs for IDC servers on Wednesday 3/4 at 9 pm (30 min window). There will be no downtime, as the servers are HA. The services, SPA admin and Manage My Keys, will continue to be accessible during the change. CMR: CHG0033387


March 3, 2020, 5:30pm

This code release for Berkeley Person Registry includes Grails upgrade, modifications to logic, and bug fixes. CMR: CHG0033384

Tickets Resolved

Ticket Comment
CNR-1990 Upgrade to Grails 3.3.11
CNR-1989 Upgrade Grails Spring Security plugin to 3.3.1
CNR-441 Implement security on ucb-match and registry-match-service
CNR-1992  Modify match engine and match service configurations to use auth
CNR-1984 Restrict length of new CalNetIDs to 19 characters
CNR-1987  Change CalnetID requirements page to show max of 19 instead of 20
CNR-2003 Content change for source for i371 requests sent to iHub
CNR-1995  User is active but should not be

February 27, 2020, 8:00pm

This release is an upgrade of CAS (auth.berkeley.edu) to 5.3.15.  It includes minor bug fixes as well as CalNet specific changes to improve some error messages as well as an updated URL for forgotten passphrases. No outage is expected. CMR: CHG0033329


February 19, 2020, 8:00pm

This release changes the way that Special Purpose Accounts are provisioned. We will no longer be using OpenIDM. No downtime is expected. CMR: CHG0033331


February 18, 2020, 7:00am

At 7am on Tuesday, Feb 18, we will enforce AuthZ on CAS-enabled applications using the wildcard (*.berkeley.edu) registration. The purpose of this change is to ensure that, by default, only CalNet users with 2-step verification are permitted to authenticate. This includes all active and in-grace students, employees and affiliates, logging in as themselves or using SPAs or rSPAs. CMR: CHG0033199

See https://calnetweb.berkeley.edu/calnet-technologists/single-sign/cas/cas-... for more information.


February 13, 2020, 7:00am

This release is an update of the certs for CalGroups. There will be no downtime. CMR: CHG0033332


January 28, 2020, 7:30am

A new version of CAS (5.3.15) will be released to auth-test on January 28. The update includes:

  • Update to the forgot CalNet ID or passphrase link on the CAS screen
  • Add 2-step help link and better language to the MFA error page
  • Various minor fixes in the base CAS project

December 17, 2019, 8:00pm

This release is a certificate update for bpr.calnet.berkeley.edu. There will be a brief outage of BPR as the service restarts. CMR: CHG0033161

Services Affected

  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

December 6, 2019, 5:30pm

This release includes bug fixes and feature enhancements to Berkeley Person Registry, CalNet Admin Tool and CalNet Account Manager. CMR: CHG0033126

Services Affected

  • CalNet Account Manager
  • LDAP
  • CalNet Admin Tool
  • CalNet Namespace
  • Berkeley Person Registry

Tickets Resolved

Ticket Comment
CAT-162 UIDOld and UIDOldConsolidationDate not getting written in consolidation
CAT-169 Namespace folders do not get moved from expired records in LDAP upon consolidation
CAT-170 ConsolidationDate and CalNetUidOld do not get written
CNR-1961 Detect and delete VOID VOID records
CNR-1962 Change Locked Account Email
CNR-1969 Update passphrase requirements text
CNR-1975 problem with BUSN email getting to UCPath
CNR-1978 Multiple new SORObjects partially matching to a UID
CNR-1979 Change the Rank Order used for Names from SORs
CNR-1980 Fix hash code bug when two DDODS email addresses swap PREF_EMAIL_FLAG values.
CNR-1981 Recognize PREF_EMAIL_FLAG='N' UCPath emails.

December 4, 2019, 9:00pm

This release retires the legacy CalNet Guest application. CMR: CHG0033137

Services Affected

  • CalNet Guest application

Tickets Resolved

Ticket Comment
CG-187 Retire Legacy Guest App

November 21, 2019, 8:30am

We will be launching the process that enables the policy of requiring an employee as part of a SPA user group starting Thursday morning, Nov. 21 at 8:30 am. There is no down time. 

Services Affected

  • Special Purpose Accounts

November 21, 2019, 7:00am

We are making two changes to our LDAP access logs.

1. Add milliseconds to the timestamp format. 
2. Switch to a combined log format to simplify log parsing and reduce log size.

Services Affected

  • LDAP

November 15, 2019, 8:00am - November 22, 2019

We will decommission net-auth-p1 and calnet-p2 servers.

Both servers will be powered off and then deleted after 7 days.

Services Affected

  • Open IDM
  • SPA Admin App

November 13, 2019, 9:00pm

We need to restart openidm on idm-p1 to remove a dependence on the krbservice/net-auth. The service affected is the SPA Admin app which is available to employees only.  2 minute outage of SPA App expected. CMR: CHG0033079

Services Affected

  • Open IDM
  • SPA Admin App

November 12, 2019, 7:00am

We will update CAS registrations to specifically ensure sponsored guests cannot access services that have not directly been enabled for sponsored guests by the application owner.  In some cases it is possible for a sponsored guest who has an existing and valid SSO session to access an application that has not specifically been enabled for guest access.  This is due to an issue in CAS that affected the migration of service registrations and was fixed in the last CAS upgrade. CMR: CHG0033075

Services Affected

  • CAS

October 29, 2019, 8pm

We will upgrade CAS (auth.berkeley.edu) to 5.3.12.1 and Tomcat server to 8.5.46.  Both contain numerous bug and security fixes.  Hazelcast is bundled with CAS and will receive a version bump as well. Auth-test and auth.berkeley.edu will be upgraded as follows:

Monday, 10/7 @0800 - Implement in auth-test.berkeley.edu
Tuesday, 10/29 @2000 - Implement in auth.berkeley.edu

We encourage developers to test their applications thoroughly against https://auth-test.berkeley.edu.  A separate announcement will be sent for the production upgrade toward the end of October. CMR: CHG0032985

Services Affected

  • CAS

October 24, 2019, 9:00pm

This release is a minor change to the idc.b.e/mmk app. We are removing the user defined option for bConnected keys. Given the idc.b.e system is HA, there is no expected downtime. CHG0033031

Services Affected

  • Manage My Keys

October 22, 2019, 5:30pm

In this release, we add known bad passwords to ucb-dictionary. CMR: CHG0033024

Services Affected

  • ucb-dictionary
  • bidms-downstream
  • registry-service
  • account-manager

October 7, 2019, 8pm

This release includes configuration adjustments and cosmetic changes to CAS. It was released to auth-test.berkeley.edu on 9/30/19 to allow time for testing. There are no major changes to CAS code in this release. CMR: CHG0032969

Services Affected

  • CAS

Sept. 13, 2019, 6pm - Sept. 16, 2019, 8pm

This release includes substantial changes to the CalNet stack. The MIT Kerberos authentication servers are being retired in favor of Active Directory. Reorganization of the AD structure follows security best practices and allows CalNet to be system of record for all user objects.

In addition, this release contains feature enhancements and bug fixes for CalNet Account Manager and CalNet Admin Tool; removal of legacy HCM and SIS processes; and an upgrade to Grails 3.3.10.

There may be brief periods of instability in the CalNet suite of services over the weekend while user account reprovisioning occurs. We expect all systems to return to their normal functions by 8pm on Monday, Sept. 16.

This release also retires the CalNet Sync Tool.

CMR: CHG0032879

Services Affected

  • All CalNet and Berkeley Person Registry Applications
  • CalNetAD
  • CAS
  • CalNet Sync Tool

Tickets Resolved

Ticket

Comment

CNR-1899

Change to match rule #2

CNR-1903

Remove legacy HCM account claiming entirely from CAM (Was: Delete extra employee account claim in CAM admin view)

CNR-1909

Fix UC Path LdapSync'ing in test environment

CNR-1904

Changes to CalNet ID creation - confirmation email

CNR-1938

Create a "Super Canonical" match engine config rule type

CNR-1939

registry-sor-gateway Quartz jobs stop working after some amount of time in production

CNR-1937

There is a CAM cache bug when a user changes calnetId

CNR-1926

Make it configurable to switch between sendgrid and greenmail for registry-service quartz jobs that send out email

CNR-1936

Not able to change CalNet ID to something I already own

CNR-1924

Need a way to identify "presirs with calnetIds" using roles

CNR-1922

AD provisioning: Changes to who gets provisioned to AD

CNR-1921

AD provisioning: OU changes based on primary affiliation

CNR-1920

AD provisioning: primaryGroupID changes based on primary affiliation

CNR-1919

Create new provisioning groups in my local AD

CNR-1918

AD provisioning: Active userAccountControl for in-grace people

CNR-1914

AD provisioning: OU and primaryGroupID changes for different primary affiliations and keeping in-grace people active

CNR-1516

Modify bidms-downstream change password endpoint to recognize certain AD passphrase validation errors codes

CNR-1911

Modify BPR tools to use AD Kerberos and not krbservice

CNR-1927

Enhancement to bidms-connectors/bidms-downstream to add and remove a person from directory groups

CNR-1917

When doing password change, use an user bind rather than an administrative bind

CNR-1928

Enable sendgrid (to test mailbox) in test for reg-serv end-of-life jobs

CNR-1496

Remove sisStudentSorKeyDataExtractor from sor-key-data-service

CNR-1944

bidms-downstream memory leak

CNR-1945

bidms-connectors isn't detecting a change when userAccountControl bits should be changing so no write is performed

CNR-1947

No longer referencing SYSADM.PS_TERM_TBL in any BPR queries to SIS databases

CNR-1946

Add CWR004 Staff Intern and CWR012 Traveling Nurse to official affiliatons in BPR

CNR-1910

Remove legacy hcm from SOR Gateway Service

CNR-1891

Remove defunct legacy HCM provisioning code from registry-provisioning-scripts

CNR-1949

Upgrade BIDMS web apps to Grails 3.3.10

CNR-1951

Add Deposit Pending to Campus Solutions query

CNR-1941

Provision BPR-managed SPAs to LDAP

CNR-1950

Update content on CAM welcome page

CNR-1956

Additional audit logging for CAT split/merge/reconciliation

CNR-1957

Additional audit logging for CAT split/merge/reconciliation

CNR-1958

Additional audit logging for CAT split/merge/reconciliation

CNR-1959

CalNet ID naming requirements need to be more restrictive temporarily


September 12, 2019, 8pm

In this release, we will add new authentication profile to the shibcas plugin. This is very minor change. Service won't be affected because the servers are in an HA configuration. CMR: CHG0032909

Services Affected

  • Shibboleth

September 12, 2019, 8:15pm

This is a minor change to CalGroups, CalGroups that changes the large group limit for AD and LDAP provisioning from CalGroups. There will be a short break (15 sec) in provisioning to AD and LDAP when the provisioning service is restarted.  CMR: CHG0032908

Services Affected

  • CalGroups

August 1, 2019, 6am

This release will update CAS logging and A10 health checks. CMR: CHG0032767

Services Affected

  • CAS

July 4, 2019, 8am

This is a test of DNS failover for auth.berkeley.edu and shib.berkeley.edu starting the morning of Thursday, July 4th at 08:00 AM PT. CMR: CHG0032674

The test period is expected to last for approximately 1 hour. During this period DNS requests for auth.berkeley.edu and shib.berkeley.edu will return the addresses for our DR site. 

If you currently enforce outbound firewall rules for web traffic, you should add additional allow rules for the SDSC virtual IPs:

CAS:
Port: 443
IP: 192.107.102.203

Shib:
Port: 443
IP: 192.107.102.199

This should be transparent to your applications. If you experience any issues please contact calnet-admin@berkeley.edu with a thorough description of your problem.

Services Affected

  • CAS
  • Shibboleth

July 3, 2019, 7pm

This release will prevent Student Volunteers from creating CalNet accounts, per instruction from UC Path. There will be a brief outage when the servers are restarted. CMR: CHG0032702

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

July 2, 2019, 7am

DNS change for the Shibboleth production hostnames to allow us engage in HA with our SDSC servers. There will be an outage of Shibboleth of up to 10 minutes during this time. CMR: CHG0032671

Services Affected

  • Shibboleth

June 20, 2019, 8am

We will upgrade CAS on the test auth-test.berkeley.edu cluster to 5.3.11.  The CAS release contains bug fixes for delegated authentication.  The CalNet-specific changes include enabling authentication and ticket issuance throttling.  No downtime expected, we will fail over to SDSC and back to EWH. CMR: CHG0032637

Services Affected

  • auth-test.berkeley.edu

June 13, 2019, 9pm

In this release, we will remove the passphrase synchronization feature from auth.berkeley.edu in preparation for the migration to AD Kerberos.  This is not a user-facing function of CAS and is not to be confused with the passphrase reset features of CalNet Account Manager. CMR: CHG0032603

Services Affected

  • CAS

June 13, 2019, 7am

In this release, we will configure DNS failover for the shib-test.berkeley.edu Shibboleth cluster.  This will allow Shibboleth to fail over to San Diego in case of a major network or systems outage at EWH.  There will be an outage to shib-test as DNS records will be deleted and re-created as new record types. CMR: CHG0032614

Services Affected

  • shib-test

June 6, 2019, 7am

This release is a patch of RHEL 6.x and the JVM for the idc.berkeley.edu application cluster. CMR: CHG0032587

Services Affected

  • idc.berkeley.edu, including:
    • Legacy Guests
    • MMK

June 1, 2019, 10am

This release will enable WebAuthn/FIDO2 and Touch ID for Duo users and devices. See https://guide.duo.com/security-keys and https://guide.duo.com/touch-id for details on these new options for Duo devices. Existing Duo U2F users will be prompted to re-register their devices. CMR: CHG0032567

Services Affected

  • CalNet 2-Step

May 28, 2019, 9pm

We will modify the CAS principal lookup filter to be more exclusive by only returning berkeleyEduPerson objects.  This is necessary to address an issue discovered while validating new Sponsored Guests with a specific application. CMR: CHG0032578

Services Affected

  • CAS
  • Shibboleth

May 23, 2019, 6:30pm

This expedited change includes changes to UC Path and Sponsored Guests provisioning. CMR: CHG0032577

Services Affected

  • SOR Gateway Service
  • Registry Provisioning Scripts
  • Berkeley Person Registry

Tickets Resolved

TicketComment

CNR-1898

UCPATH_DDODS hash query 
CNR-1894 CWR020 Student Volunteer

CNR-1887 

Cirrus Guest Account provisioning populate beKPS

CNR-1876

Set LDAP ucNetId value from UCPath external identifiers

May 23, 2019, 6:30pm

This expedited change includes changes to UC Path and Sponsored Guests provisioning. CMR: CHG0032577

Services Affected

  • SOR Gateway Service
  • Registry Provisioning Scripts
  • Berkeley Person Registry

Tickets Resolved

TicketComment

CNR-1898

UCPATH_DDODS hash query 
CNR-1894 CWR020 Student Volunteer

CNR-1887 

Cirrus Guest Account provisioning populate beKPS

CNR-1876

Set LDAP ucNetId value from UCPath external identifiers

May 12, 2019, 10:00am

This release will modify the queries used for department and title code groups within CalGroups to only use UCPath data. Some users may gain or lose access to systems that use those groups. CMR: CHG0032522

Services Affected

  • Any system utilizing department / title code groups, such as:
    • LDAP
    • Active Directory
    • Google
    • CalGroups API

Tickets Resolved

Ticket Comment
CG-173 Modify Department and title code groups in CalGroups

May 10, 2019, 6:30pm

This release will upgrade all Berkeley Identity Management Suite apps to Grails 3.3.9.

It will also remove HCM as a system of record for job data and LDAP affiliations.

Employees and Affiliates that are in HCM but are not yet in UCPath may enter their grace period (https://calnetweb.berkeley.edu/calnet-me/info-new-users/grace-periods) and are likely to get an account expiration notice. Employees and Affiliates who receive an unexpected expiration notice should review their UCPath HR status with their HR support staff.

LDAP affiliations for expired HCM and UCPath Affiliates will undergo a change to ensure backwards compatibility:

  • HCM Affiliates who enter their grace period will get the FORMER-HCM-AFFILIATE  affiliation.

  • UCPath Affiliates who enter their grace period will get the FORMER-AFFILIATE  affiliation.

  • In 3-4 months, CalNet will transition to using FORMER-AFFILIATE, only.  

  • Developers will receive additional communications when this change is made, and when the FORMER-HCM-AFFILIATE will be deprecated.

All affiliate records should only ever have either a FORMER affiliation or an active AFFILIATE-TYPE- affiliation, but not both at the same time.

See UCPath Affiliation Changes for additional affiliation information.

CMR: CHG0032500

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • SOR Gateway Service
  • Match Service
  • CalNet Account Tool
  • CalNet Account Manager
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1859 Upgrade all BIDMS apps to Grails 3.3.9
CNR-1879 Create replacement roles for Manager/Supervisor in UCPath
CNR-1880 Recognize UCPath "PRF" coded names as sorPreferredName
CNR-1881 Minor changes to match engine logging output
CNR-1884 Assert FORMER-AFFILIATE for former UC Path affiliates.  Don’t assert FORMER-HCM-AFFILIATE for active UC Path affiliates.
CNR-1883 Remove legacy HCM job data
CM-445 Edit error message for CAM
CM-447 Error message for twoStepClaim
CM-448 Redirect Slate-authenticated users
CM-449 List of AFFILIATE-TYPE- values for authorization need to be updated in CAM

April 24, 2019, 9:00pm

In this release, CAS operating system patches will be applied. CMR: CHG0032465.

Services Affected

  • CAS
  • Shibboleth

April 24, 2019, 7:00pm

This release includes work on the CalNet Sponsored Guest project, and some continuing UCPath cleanup. CMR: CHG0032481

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • LDAP
  • SOR Gateway Service
  • Match Service
  • CalNet Sponsored Guests

Tickets Resolved

Ticket Comment
CNR-1860 Ensure CAM restricts users from creating CalNet IDs that start with UID
CNR-1862 Cirrus reporting http 403 error
CNR-1864 Add REST endpoints to registry-service that talk to Cirrus API to create invitations for existing UIDs
CNR-1865 Write a program that creates Cirrus invitations for existing UIDs through registry-service endpoints
CNR-1863 Convert existing guests into Cirrus guests using pre-sent Cirrus invitations
CNR-1870 Remove legacy SIS (pre-CS) from LdapSync process
CNR-1869 Remove legacy HCM sor from LdapSync process
CNR-1868 Add ucpath to LdapSync now that dev/test have prod ucpath EMPLIDs
CNR-1867 Rename ldapAffilGuestTypeSocial role to be consistent with the new string value in LDAP
CNR-1849 Add sorObjKey to registry-match-service NewSORConsumerService response log message
CNR-1874 

Claim token can be used twice

 CNR-1875 Trigger IHub button in CAT should send message to both CS and UCPath, if it isn't already

April 14, 2019, 8:00am

This is an update to the Slate theme of the Duo login page. Related to: CHG0032441.

CMR: CHG0032458

Services Affected

  • CAS
  • Shibboleth

April 9, 2019, 8:00pm

This is an update to a new version of the Duo websdk and includes changes to the CAS login view, to change how the Duo iframe is generated. Some users may now see the 2-Step page rendered as smaller-than-normal. See Known Issues for steps to fix this issue. CMR: CHG0032441

Services Affected

  • CAS
  • Shibboleth

April 1, 2019, 4:45pm

This code is an update to the logic BPR uses regarding UCPath messages; specifically, to ignore ActionReason 'VOI' jobs in I-280 and DDODS. CMR: CHG0032422

Services Affected

  • Berkeley Person Registry

April 1, 2019, 8:45am

This code fixes timeout exceptions when provisioning large quantities from Berkeley Person Registry to Active Directory. CMR: CHG0032419

Services Affected

  • Berkeley Person Registry
  • Active Directory

March 28, 2019, 3:00pm

This release fixes a bug in provisioning in which berkeleyEduExpDate got improperly reset for some legacy HCM former employees CMR: CHG0032416

Services Affected

  • LDAP
  • Berkeley Person Registry

March 27, 2019, 11:00pm

With this release, we will replace the EV TLS cert for auth.berkeley.edu.  Additional alternative names will be included to support future DNS failover. CMR: CHG0032402

Services Affected

  • CAS
  • Shibboleth

March 27, 2019, 3:10pm

This CalNet release updates logic used to populate employeeNumber attribute in LDAP as well as the way CalNet looks at POIs from UCPath. CMR: CHG0032413

Services Affected

  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1851 UCPath POIs aren't getting masterActive role if their only active affiliation is UCPath POI
CNR - 1852 Delete employeeNumber from LDAP if active UCPath POI/CWR but not an employee, even if active emp in legacy HCM

March 25, 2019, 10:40am

This deployment is for new code to handle new information from UCPath DDODS tables. This deployment required a restart on registry-p1, which led to a brief outage. This deployment is already complete. CMR: CHG0032404

Services Affected

  • Berkeley Person Registry

Tickets Resolved

Ticket Comment
CNR-1847 New info from UC Path: DML_INDICATOR='D' in DDODS tables indicates a DELETED row

March 25, 2019, 7:00am

In this release, we will configure DNS failover for the auth-test.berkeley.edu CAS cluster.  This will allow CAS to fail over to San Diego in case of a major network or systems outage at EWH.  There should be no noticeable outage, this is just a transparent DNS change from the perspective of CAS clients. CMR: CHG0032379

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

March 22, 2019, 7:00am

This change is an upgrade to CAS on the test auth-test.berkeley.edu cluster to version 5.3.9. The CAS release contains minor bug fixes. This changes also includes cosmetic updates to support CalNet Sponsored Guest accounts. The TLS certificate for auth-test will also be updated to add additional SAN records for DNS failover and to use an EV certificate to mirror production.

The service will be down for less than 5 minutes for a restart. CMR: CHG0032374

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

March 20, 2019, 6:00am

CalNet will begin UCPath Go-Live and reprovisioning activities on or after 3/20/2019.

During the go-live process, there may be restarts needed that will affect CalNet Admin Tool and CalNet Account Manager for ~5 minutes. Reprovisioning could cause delays in real time messaging and updates to LDAP, Active Directory and API Integration Hub.

LDAP attributes will be updated with UCPath data (most notably: employeeNumber, berkeleyEduAffID, berkeleyEduAffiliations, title codes). Users using these attributes should refer to https://ucpath.berkeley.edu/ucpath-cal/tech-talk or https://ucpath.berkeley.edu/faq/technical for additional information.

There is no planned outage for SSO, CAS, Shibboleth, or LDAP.

This change date is tentative, and may be delayed by 1 or more days if UCPath conversion is behind schedule. CMR: CHG0032350

Services Affected

  • LDAP - attributes only
  • CalNet Admin Tool
  • CalNet Account Manager

March 20, 2019, 12:00pm

During this change, legacy apps using Rails are no longer needed and are vulnerable will be retired. CMR: CHG0032376

Services Affected

  • Manage Your Identity Applications
  • CalNet Deputy Application
  • UAS Portal

Tickets Resolved

Ticket Comment
OPS-409           Deprecate MYI/UAS - calnet-p2/net-auth-p2

March 6, 2019, 6:00pm

This release will add notices/warnings on the directory update pages hosted on calnet-p1. These warn about the potential for public exposure of addresses and phone numbers entered via the Directory Update app when published to the Campus CalNet Directory.

A brief outage of less than 1 minute will occur when the app is restarted. CMR: CHG0032344

Services Affected

  • CalNet Directory Update Application

March 6, 2019, 6:45am

This release includes code changes in support of the UC Path implementation and server patches. There will be two short outages, about one minute each, as the server is restarted. CMR: CHG0032340

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • CalNet Account Manager
  • CalNet Admin Tool
  • Active Directory
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1667             UC Path: If personal email address becomes available via UC Path, modify sor-key-data-extractor to parse out and modify registry-provisioning-scripts to provision as personal email address
CNR-1741 UC Path: Need to understand how "UCB" POIs are identified in DDODS
CNR-1785 UC Path: Gain access to the DDODS UAT instance
CNR-1801 Modify bidms-connectors to reuse same LDAP connection within a call to persist()
CNR-1803 UC Path: Integrate with the new "delete EMPLID" queue once it becomes available (yet to happen, but code is there to support it)
CNR-1805 UC Path: Quartz job to find old emplids in i-280 sor that aren't in DDODS anymore
CNR-1806 UC Path: dev DDODS hash query throwing an string concatenation exception
CNR-1809 UC Path: DDODS query needs to handle POI-only people with no jobs
CNR-1810 UC Path: The test I-371 IHub REST endpoint is not working
CNR-1811 UC Path: POI_TYPE codes have changed in DDODSQPT
CNR-1812 UC Path: There are additional CWR codes in DDODSQPT that we weren't originally given
CNR-1813 UC Path: The "send to IHub" logic needs to become more complex to support multiple IHub endpoints for CS and UC Path
CNR-1814 UC Path: last_updates subquery is causing slowness of the per-EMPLID DDODS query
CNR-1816 UC Path: Make ucPathId a recognized account claim identifier in CAM and registry-service
CNR-1817 UC Path: Create a SQL query to compare UAT active employee list with legacy HCM active employee list
CNR-1818 UC Path: Modify reg-prov-scripts to have UCPath be prioritized over legacy HCM for payroll-related LDAP attributes
CNR-1819 UC Path: In match engine, make UCPATH_DDODS<->UCPATH_INTER_PERUPD primary key pairing a canonical match
CNR-1820 UC Path: Create a view from DDODS data that only contains I-280 data elements
CNR-1821 UC Path: Look at BOTH PPS_ID and PSFT_ID for a legacy HCM external identifier
CNR-1823 UC Path is sometimes incorrectly removing the leading zero from legacy HCM identifiers
CNR-1829 UC Path: last_updates inline view has a SQL bug in it

February 27, 2019, 9:00pm

On Wednesday evening (2/27) from 9-10 pm, we will be upgrading the ShibCAS plugin on the production Shibboleth servers. Since the servers are redundant, there will be no down time while the updates happen. This service is used by any campus member logging into an external service like bConnected. CMR: CHG0032328

Services Affected

  • Shibboleth

February 27, 2019, 7:00am

This is an update to the CAS / AD password sync filter. With the implementation of AD password sync in CAS on Sunday (CHG0032283) we are seeing a high number of errors for a specific account.  This change will alter the LDAP filter to exclude the account from the sync call. CMR: CHG0032323

Services Affected

  • CAS
  • Active Directory

February 24, 2019, 8:00am

We will upgrade CAS on the production auth.berkeley.edu cluster to 5.3.7. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-53-upgrade for more information. CMR: CHG0032283

Notable Changes Include

  • CalNet AD password synchronization
  • Improved surrogate/impersonation support for SPAs
  • Support for social guests
  • Accessibility improvements

Services Affected

  • CAS
  • Shibboleth

February 21, 2019, 6:00pm

We will reconfigure the httpd TLS settings on calnet.b.e and net-auth.b.e to follow OWASP recommendations for TLS security. A brief outage of less than 1 min will happen as the web servers are restarted. CMR: CHG0032301

Services Affected

  • Directory Update App
  • krbservice

February 17, 2019, 9:00am

In this release, we will extend the berkeleyEduPerson object class to include a new attribute named berkeleyEduUCPathID.  After conversion to UCPath, the berkeleyEduHCMID will contain the deprecated employee id.  Both berkeleyEduUCPathID and employeeNumber will contain the UC Path employee id. CMR: CHG0032274

Services Affected

  • LDAP

February 13, 2019, 7:00am

We will replace the certificate on the test/QA CAS instance (auth-test.berkeley.edu) to update the subject alternative names in preparation for DNS failover testing.  There will be a brief outage while CAS is restarted, from 7am-7:10am. CMR: CHG0032291

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

February 11, 2019, 9:00am

This release is an upgrade of the CAS test/QA service definition files to the latest format to prepare for the CAS 5.3.7 upgrade in prod later this month. 

We will also implement a new default authorization policy on CAS applications that have not registered with the CalNet team. The default authorization will enforce that any non-registered applications are restricted to student, staff, faculty and valid HCM affiliates. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-default-auth... for more information. CMR: CHG0032273

January 31, 2019, 8:00am

This release is the retirement of the nds.berkeley.edu LDAP service. CMR: CHG0032216.  All customers should use ldap.berkeley.edu as the primary LDAP service and ldap-test.berkeley.edu for test/qa purposes.

On October 31, 2018 ldap.berkeley.edu was upgraded to the latest directory server software, which is a major upgrade from nds.berkeley.edu.  With that service stable we are now retiring the legacy LDAP service.

If your service depends on LDAP, you can test the performance and functionality of the latest software using either ldap.berkeley.edu or ldap-test.berkeley.edu.  It is highly recommended that you test your applications as soon as possible and report any issues to calnet-admin@berkeley.edu.

If your application or TLS/SSL libraries do not accept the ldap.berkeley.edu certificates as trusted see this resource for developers.


January 3, 2019, 6:00pm

This is an emergency release primarily to address a regression bug affecting some accounts with conflicting affiliations. CMR: CHG0032199

Notable changes Include

  • Fix for employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time
  • Add LDAP mail attribute for social guests
  • Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.

Services Affected

  • Registry Service
  • Registry Provisioning
  • Cirrus Guest App
  • CalNet Account Manager
  • CalNet Guest Accounts

Tickets Resolved

Ticket Comment
CNR-1800
LDAP mail attribute with cirrus/social guests user email address
CNR-1804
Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.
CNR-1807
Employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time.
CNR-1808
Add additional exception handling in provisionUid and provisionUidBuilk (related to CNR-1804)