If you support technology that depends on CalNet tools, this is the best place to look to understand if something in the CalNet technology stack has changed and how it could be affecting your services. You can also sign up to receive notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases and click JOIN.
Upcoming Releases
March 23, 2023, 7 pm
This release involves patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This includes bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we will apply patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036457
Services Affected:
- CAS
- Grouper
- LDAP
- Shibboleth
Recent Releases
March 16, 2023, 7 pm
This release upgraded our SAML IdP from 4.2.1 to 4.3.0 to address minor security vulnerabilities and ensure we are on the latest version. No outage was expected. CMR: CHG0036456
Services Affected:
- Shibboleth
March 15, 2023, 7 am
This release moved the current CalNet Directory Update application to a new host to help decommission the existing host. This involved a temporary redirect of the current http://directory.berkeley.edu "Update your listing" link to the new URL. We requested that Public Affairs update that link at their leisure once we were confident the new host was working as expected with the temporary redirect. CMR: CHG0036451
Services Affected:
- CalNet Directory Update Application
March 12, 2023, 7 am
This release included changes to the underlying algorithm for storing hashed passwords for LDAP service accounts in ldap.berkeley.edu. CMR: CHG0036431
Services Affected:
- LDAP
March 2, 2023, 7 pm
This release included a configuration and restart for the new Cirrus API key. There was a brief outage associated with this release. CMR: CHG0036421
Services Affected:
- Cirrus
February 9, 2023, 1 pm
This release involved an enhancement/bug fix release for the CalNet BIDMS application suite. CMR: CHG0036376
CNR-2232: Improve the access denied error message for SPAs
CNR-2242: Fix AD error when locking expired people
CNR-2243: Remove unneeded reconciliation page cache
CNR-2250: Add clarifying log entries about AD passphrases when locking accounts
CNR-2251: Expand list of reserved CalNetIDs to align with bConnected
CNR-2252: Fix recognition of certain AD errors in setting passphrase
CNR-2253: (Test environment) Fix GreenMail plugin
CNR-2255: Fix displaying error message when invalid identifier type is selected on passphrase reset page
CNR-2256: Cirrus is requesting new credentials for their API endpoint
Services Affected:
- Special Purpose Accounts
- Active Directory (AD)
January 29, 2023, 7 am
This release performed maintenance recommended by our vendor to address some lingering error messages in our logs. The process was to reset the 'generation ID' of our replication domain to ensure any stale entries were not replicated. CMR: CHG0036342
Services Affected:
- LDAP
January 23, 2023, 5 pm
This release applied a required certificate update on the Apache ActiveMQ server used by CalGroups and the Berkeley Person Registry. CMR: CHG0036289
Services Affected:
- CalGroups
- Berkeley Person Registry
January 10, 2023, 5 pm
This release involved cadds enhancements to the BIDMS lock API that is needed for locking accounts in large batches. CMR: CHG0036286
Services Affected:
- CalNet Admin Tool (CAT)
- LDAP
- CalGroups API
November 13, 2022, 8 am
This release completed the upgrade of the EWH CalNet LDAP infrastructure to DS 7.2. This impacted LDAP services use by CAS, WiFi, and various other services across campus. No impact to applications or customers is expected. CMR: CHG0036096
Services Affected:
- LDAP
- CAS
- Wifi Services
November 6, 2022, 8 pm
This release included an upgrade of the SDSC CalNet LDAP infrastructure to DS 7.2. This impacted the dir-auth-os.calnet.berkeley.edu VIP which is used by CAS services hosted at SDSC primarily for failover. No impact to applications or customers expected. CMR: CHG0036095
Services Affected:
- LDAP
- CAS
- Berkeley Person Registry
October 20, 2022, 7 pm
This release included enhancements and bug fixes to Berkeley Person Registry and SPA provisioning. There may be a brief outage to Berkeley Person Registry and associated applications while the server restarts. CMR: CHG0036067
Services Affected:
- Berkeley Person Registry
- Special Purpose Accounts (SPAs)
- Active Directory (AD)
October 3, 2022, 5 pm
This release changed the ways that Special Purpose Accounts were provisioned to Berkeley Person Registry. No outage or impact to SPA users. Users of the CalNet Admin Tool noticed that SPAs have accurate status after this release. CMR: CHG0035986
Services Affected:
- Berkeley Person Registry
- CalNet Admin Tool
September 7, 2022, 7 pm
This release contained enhancements and bug fixes for CalNet identity management applications. CHG0035940
Services Affected:
- CalNet Account Manager
- LDAP
- Provisioning
August 12, 2022, 11:00 am
This release was a debug for the recaptcha for account claiming. CHG0035872
Services Affected:
- CalNet Account Manager
- CHG0035940
August 10, 2022, 7:30 pm
This release was a minor configuration change to the Shibboleth IDP that requires a restart of the servers. There was no outage. CHG0035859
Services Affected:
- Shibboleth
August 10, 2022, 7:00 pm
This release contained enhancements, bug fixes and dependency upgrades. Also with this release, expired Cirrus guests were moved to ou=Expired. CHG0035821
Services Affected:
- Cirrus Sponsored Guests
- CalNet Account Manager
- CalNet Admin Tool
- Berkeley Person Registry
- Account provisioning
July 1, 2022, 3:00 pm
In this release, we patched CAS from the current version (6.5.4) to the latest version (6.5.6) to address a potential security vulnerability.CMR: CHG0035722
Services Affected:
- CAS
July 1, 2022, 12:00 pm
On July 2, new department numbers will begin to flow from UCPath to Berkeley Person Registry to CalGroups and LDAP. CalGroups admins will need to make changes to their authorization / communication groups after July 2 to use the new groups. We will remove the old groups after July 15. CMR: CHG0035712
June 30, 2022, 9:00 am
We enabled the device management portal in the "new" Duo Prompt for applications using CalNet SSO. This allows users to add/remove 2-Step devices directly from the CAS/Duo prompt rather than having to use the legacy portal from https://mycalnet.berkeley.edu. The legacy portal will continue to work. This change added a menu item to the "Other Devices" option when the user is going through the 2-step process. The documentation here was updated: https://calnetweb.berkeley.edu/calnet-2-step/how-enroll-device. There was no planned outage associated with this release. CMR: CHG0035675
Services Affected:
- CalNet 2-Step Authentication
- CAS
June 7, 2022, 5:30 am
We patched CAS from the current version (6.5.2) to the latest version (6.5.4) to apply a bug-fix required to implement new functionality. There was no planned outage associated with this release. CMR: CHG0035622
Services Affected:
- CAS
May 24, 2022, 7:00 pm
We upgraded the production Shib IDP servers from 4.0.x to 4.1.x. There was no planned outage associated with this release. CMR: CHG0035500
Services Affected:
- Shibboleth
April 5, 2022, 8:00 pm
In this release, we enabled the Duo Universal Prompt which changed how Duo looks and behaves. https://calnetweb.berkeley.edu/news/new-changes-duo-browser-workflow. In addition, we upgraded CAS on the production auth.berkeley.edu cluster to 6.5. CMR: CHG0035435
Services Affected:
- CalNet 2-Step Authentication
April 1, 2022, 1:00 pm
This release was patching for our production Shib clusters and upgrading Tomcat to the latest version. All other Shib environments were patched with latest versions. CMR: CHG0035451
Services Affected:
- Shibboleth
March 31, 2022, 11:45 am
This release included patching our production CAS clusters. All other CAS environments were patched with latest versions. CMR: CHG0035449
Services Affected:
- CAS
March 31, 2022, 8:00 am
This release included patching for our backend services with the latest version of Spring, and changing the Java version our frontend is running. CMR: CHG0035448
Services Affected:
- Berkeley Person Registry
- Account Provisining
- CalNet Admin Tool
- CalNet Account Manager
March 24, 2022, 10:00 am
This emergency release fixed a bug that prevented CalNet accounts from expiring when they should. CMR: CHG0035425
Services Affected:
- Berkeley Person Registry
- LDAP
March 22, 2022, 7:00 pm
This release included additional tracking of UCPath primary jobs and a bug fix. CMR: CHG0035401
Services Affected:
- Berkeley Person Registry
- Account Claiming
March 22, 2022, 7:00 pm
In this release, we changed the firewall configuration for the CalNet LDAP cluster dedicated to authentication services. CMR: CHG0035405
Services Affected:
- LDAP
- Firewall
February 17, 2022, 7:00 pm
In this CalGroups change, we refactored 2-Step groups and also added a new feature for some admins in CalGroups to view alumni both in their groups and in their searches. 2-Step users should not notice the change. CMR: CHG0035296
Services Affected:
- CalGroups
- CalNet 2-Step
February 17, 2022, 7:00 pm
This was a major upgrade of the identity management system that does data intake, identity matching, account provisioning, web services and data writing to LDAP and Active Directory. The significant changes can be summarized as: A refactoring onto the latest Spring Boot framework (numerous code changes as a result), an upgrade to using latest dependency libraries, an upgrade to using latest Java 17 LTS, an upgrade to the Tomcat 9 application server, and moving to new, upgraded virtual machines running RedHat. There was a short planned outage associated with this release. CMR: CHG0035238
Services Affected:
- Berkeley Person Registry
- CalNet Admin Tool
- CalNet Account Manager
January 30, 2022, 9:00 am
We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. During this cycle we also upgraded our Nginx proxy servers. There was a short outage of bpr.calnet.berkeley.edu that affected CAT and CAM while that host rebooted. CMR: CHG0035220
Services Affected:
- Berkeley Person Registry
- CalNet Admin Tool
- CalNet Account Manager
- CAS
- Shibboleth
- CalGroups
- LDAP
December 21, 2021, 7:00 pm
We patched the Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. There was a short outage of bpr.calnet.berkeley.edu thereby affecting CAT and CAM while that host rebooted. CMR: CHG0035116
Services Affected:
- Berkeley Person Registry
- CAS
- Grouper
- LDAP
- Shibboleth
December 2, 2021, 7:00 pm
In this release, CalNet is updating email templates used for account locking and for Stu-Delegate account creation. CMR: CHG0035062
Services Affected:
- Berkeley Person Registry
- Account Claiming
November 30, 2021, 7:00 pm
The CalNet team is implementing an emergency change. The IP address of shib.berkeley.edu will change. CMR: CHG0035046
IMPORTANT: If you currently enforce outbound firewall rules for web traffic, you must add an additional allow rule for the new Shibboleth virtual IP:
-
Port: 443
-
IP: 169.229.54.216
Services Affected:
- SAML-based logins (bMail, ServiceNow, Adobe)
October 15, 2021, 6:00 am
We configured all Duo integrations to remove the phone callback option by default. Existing telephone users were not impacted and were required to fill out an exception by January 12, 2022. After January 12, 2022 only users with an exception / valid business case for using telephone with Duo are allowed to use the feature. There was no planned outage associated with this release. CMR: CHG0034869
Services Affected:
- CalNet 2-Step Authentication
October 10, 2021, 8:30 am
We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. There was a short planned outage for CAT/CAM within the release window. CMR: CHG0034879
Services Affected:
- Shibboleth
- LDAP
- Berkeley Person Registry
- CAS
- Grouper
- CalNet Admin Tool
- CalNet Account Manager
September 25, 2021, 6:00 am
The CalNet Postgres databases will be upgraded by the campus database team. This will result in an outage of some CalNet services of approximately 90 minutes. CalNet logins will not be impacted during this outage. CMR: CHG0034838
Services Affected:
- CalNet Account Manager (including account claiming, changing passphrase or ID and managing 2-Step)
- CalNet Admin Tool
- Berkeley Person Registry
- CalGroups
- The identifiers web service used by CalCentral and iHub
September 1, 2021, 7:00 pm
We deployed code changes for CalNet Identity Management. There was a short planned outage for a few minutes within the release window. CMR:CHG0034797
Services Affected:
- Berkeley Person Registry
- CalNet Account Manager
- CalNet Admin Tool
- Account Claiming
August 8, 2021, 6:00 am
We upgraded CAS on the production auth.berkeley.edu cluster to 6.3. This version of CAS is required to maintain support and future product enhancements and security patches. Other enhancements include: support for TLSv1.3, improved support for SAML and OIDC, support for newer Duo prompt, various upgrades to system software including Java, Tomcat, and Nginx. There was a planned outage associated with this release. CMR:CHG0034740
Services Affected:- CAS
- Shibboleth
July 29, 2021, 6:45 pm
The CalNet Admin Tool got an update allowing support staff to use the Duo Application for user verification. There was a planned outage associated with this release. CMR:CHG0034736
Services Affected:- CalNet Admin Tool
- CalNet Account Manager
- Berkeley Person Registry
July 22, 2021, 7:00 pm
We updated CAT/CAM to implement a compatibility change for CAS 6 and Slate delegated logins. There was a brief outage while the server restarted. CMR:CHG0034593
Services Affected:- Berkeley Person Registry
- CalNet Admin Tool
- CalNet Account Manager
June 17, 2021, 7:30 pm
This release included changes to identifierTypes, changes to the no recovery email address screen in CalNet Account Manager, and changes to roles in CalNet Admin Tool. There was a planned outage associated with this release. CMR: CHG0034593
Services Affected:
- CalNet Admin Tool
- CalNet Account Manager
- Berkeley Person Registry
May 24, 2021, 11:05 am
Starting at approximately 11:05 am some clients may have seen errors when trying to log into a CAS-protected application. The issue was resolved fully by 12:36 pm. The java process running the Tomcat web application server had more open file handles than allowed by the operating system. In trouble-shooting we found that the CAS process opens that script for every user log in to the service, but never closes the file handle. Over the course of approximately 30 days the number of opened files for that process grew above the hard limit set by the OS. There was an unplanned outage associated with this release which took place intermittently across the release window. CMR: CHG0034546
Services Affected:
- CAS
May 20, 2021, 7:00 am
The majority of the remaining deprecated attributes definitions (objectClasses and attributeTypes) were removed. These attributes are no longer maintained and have been marked for removal for several years. The list of attributes that were removed can be found at https://calnetweb.berkeley.edu/calnet-technologists/ldap-directory-servi.... There was no planned outage associated with this release. CMR: CHG0034495
Services Affected:
- LDAP
May 20, 2021, 5:00 am
We configured DNS failover for the ldap.berkeley.edu cluster. This allows the service to automatically fail over to San Diego in case of a major network or system outage at EWH. There was no planned outage associated with this release. CMR: CHG0034507.
Services Affected:
- LDAP
May 19, 2021, 7:00 pm
We issued a new certificate for the ldap cluster at ldap.berkeley.edu in preparation for enabling automated failover to our SDSC data center the following morning. We quiesced traffic to each node in turn to update the certificate. There was no planned outage associated with this release. CMR: CHG0034514.
Services Affected:
- LDAP
May 5, 2021, 9:00 pm
This change allows campus postdocs to have a longer grace period. There was no planned outage associated with this release. CMR: CHG0034476
Services Affected:
- Berkeley Person Registry
May 2, 2021, 6:00 am
We changed the load balancing direct routing method used by ldap.berkeley.edu to stop using ARP tables and instead use iptables. The ldap.berkeley.edu cluster configuration for direct routing was not working as intended. Some applications were experiencing loss of connectivity to ldap when we performed maintenance that should otherwise be transparent. This change was intended to correct this issue and allow us to perform maintenance without impacting customers in the future. There was a planned LDAP outage of 10 minutes within the release window. CMR: CHG0034444
Services Affected:
- LDAP
April 25, 2021, 6:30 am
We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition, we applied patches as needed from custom repositories for Zabbix and Duo. We patched to address OS bugs and vulnerabilities. There was a 5 minute outage for Manage My CalNet while that system rebooted. CMR: CHG0034443
Services Affected:
- BPR systems
- CAS
- Grouper
- LDAP
- Shibboleth
April 21, 2021, 9:00 am
We issued a new certificate for the ldap cluster at ldap.berkeley.edu in preparation for enabling automated failover to our SDSC data center. We quiesced traffic to each node in turn to update the certificate. Application owners and developers using non-system keystores should ensure they are only referencing the root and intermediate certificates, and not the leaf node. There were no planned outages associated with this release. CMR: CHG0034209
No Services Affected
April 15, 2021, 7:00 pm
We upgraded the SDSC production Shibboleth servers to the same version we are now running in EWH. We did a quick failover test to confirm them afterwards. There were no planned outages associated with this release. CMR: CHG0034424.
Services Affected:
- Shibboleth
March 31, 2021, 7:00 pm
We have upgraded the Shibboleth IDP to version 4x in order to stay current with the most recent release. There were no planned outages associated with this release. CMR: CHG0034375
Services Affected:
- Shibboleth
March 22, 2021, 7:00 pm
This CalNet release included changes to the CalNet Account Manager Forgot Passphrase tool and added additional functionality to handle Potential Hire Academic POIs from UCPath. There was a brief outage during the specified release window. CMR: CHG0034359
Services Affected:
- CalNet Account Manager
- Berkeley Person Registry
March 4, 2021, 6:30pm
CalNet restarted registry-p1 Tomcat for a DDODS database host change. There was a brief outage during the half-hour release window. CMR: CHG0034321
Services Affected:
- Berkeley Person Registry
- CalNet Account Manager
- CalNet Admin Tool
February 23, 2021, 6:00 am
We replaced the certificate on the CAS instance (auth.berkeley.edu). The new certificate has a different issuer. We deprecated the Extended Validation certificates in favor of standard InCommon SHA-2 certificates. Certain applications, such as those using Java key stores or other non-operating system certificate stores, may require providing the root certificate in addition to the intermediate certificates. Obtain certificates from a trusted source like the certificate store on your local computer or directly from the Root CA. There were no planned outages associated with this release. CMR: CHG0034268
Services Affected:
- CAS
February 11, 2021, 7:00 am
We replaced the certificate on the test CAS instance (auth-test.berkeley.edu). The new certificate has a different issuer. We deprecated the Extended Validation certificates in favor of standard InCommon SHA-2 certificates. Certain applications, such as those using Java key stores or other non-operating system certificate stores, may require providing the root certificate in addition to the intermediate certificates. Obtain certificates from a trusted source like the certificate store on your local computer or directly from the Root CA. There were no planned outages associated with this release. CMR: CHG0034267
Services Affected:
- CAS
January 1, 2021, 9:00 am
We increased LDAP replication retention from 3 days to 5 days to ensure changes made while EWH DC is unavailable are retained in the event that the outage is longer than expected. These changes were pushed to LDAP-test on December 21, 2020. There were no planned outages associated with this release. CMR: CHG0034176
Services Affected
- LDAP
December 21, 2020, 8:00 am
We removed the deprecated attribute values from CalNet LDAP directory (access to these attributes was revoked on Oct 29th). A list of those attributes can be found at https://calnetweb.berkeley.edu/calnet-technologists/ldap-directory-servi.... There were no planned outages associated with this release. CMR: CHG0034140
Services Affected
- LDAP
December 3, 2020, 6:30 pm
We changed the production DDODS connection string, no longer recognizing academic potential hire POI type, and changed how effective rows are calculated from DDODS POI table. There was a brief outage that occurred between 6:30pm - 7:00pm. CMR: CHG0034129
Services Affected
- Berkeley Person Registry
November 30, 2020, 7:00 pm
We had about 1200 old-style departmental accounts that were expired. We moved them from ou=people to ou=expired people in LDAP. We have made attempts to contact these account owners, but there may still be some users who are using these old-style accounts. If that is the case, then we can roll back the change for that particular account. There was no planned outage associated with this release. CMR: CHG0034115
Services Affected
- LDAP
November 30, 2020, 6:30 pm
We have set up new servers for the SPA Admin app. CNAME changes for the idc.berkeley.edu will point to these new servers. We added a new server name, spa.berkeley.edu, that idc.berkeley.edu will redirect to. This release included a planned outage, however the outage was momentary, and only impacted users logged in at that moment. If users were using the application at that time, they needed to refresh their browser. CMR: CHG0034119
Services Affected
- SPA Admin Application
November 30, 2020, 6:00 pm
To make it easier to determine if one has the current person when adding a member to a group in CalGroups, we added more attributes to the display value for member lookups. Previously, it was displayName. It was changed to uid - displayName - department name or "non-FSA". This release included a planned outage, however the outage was momentary, and only impacted users logged in at that moment. If they were using the application at that time, they needed to refresh their browser. For more information regarding this release, please click here. CMR: CHG0034116
Services Affected
- CalGroups
November 17, 2020, 8:00 pm
Informational Update - in this release, the Windows and bConnected teams switched the authentication page from ADFS to CAS for some campus services (eg Sharepoint). This release included a planned outage, however the outage was less than a minute and only impacted authentication attempts for applications using ADFS during that minute. CMR: CHG0034088
Services Affected
- CAS
- Sharepoint
- O365
- Azure
- ADFS
November 12, 2020, 10:00 pm
We are pointing BPR to a different back-end LDAP cluster. This required a server restart. There was a planned outage for 5 minutes during the 60 minute time frame of this release. CMR: CHG0034016
Services Affected
- CalNet Account Manager
- CalNet Admin Tool
- Berkeley Person Registry
November 8, 2020, 9:00 am
We brought two new LDAP hosts online to replace our remaining RHEL6 LDAP hosts. These hosts are dedicated to the BPR application but participate in the multi-master synchronization topology for all production LDAP servers. There was no planned outage associated with the release. CMR: CHG0034014
Services Affected
- LDAP
October 29, 2020, 7:00 pm
SPAs were showing up in departmental groups in CalGroups after the recent changes. Since these departmental groups are employee groups, we removed the SPAs from these groups. There was no planned outage associated with the release. CMR: CHG0034037
Services Affected
- SPA Admin Application
- CalGroups
October 29, 2020, 7:00 am
We removed access to the CalNet LDAP/directory deprecated attributes. Those attributes can be found at https://calnetweb.berkeley.edu/calnet-technologists/ldap-directory-servi.... There was no planned outage associated with the release. CMR: CHG0033993
Services Affected
- LDAP
October 17, 2020, 9:00 am
We made modifications to SPA group names to allow both the group and the SPA to be added to groups. Multiple application owners would like to add SPAs to their groups since the accounts show up in their account list rather than the personal account.
Services Affected
- CalGroups
- LDAP
- SPA Admin Application
- CalNet AD
September 25, 2020, 2:00 pm
We updated the language found at mycalnet.berkeley.edu. This required a restart of CalNet Account Manager, so account claiming, passphrase resets, and other CAM functions were briefly unavailable.
Services Affected
- CalNet Account Manager
September 19, 2020, 9:00 am
We made changes to property files in production Shibboleth by adding a new scripted attribute for the Library. CMR: CHG0033929
No Services Affected
September 19, 2020, 7:00 am
We reconfigured the LDAP cluster to use a different type of load balancing. This will enable us to track remote client IPs better. CMR: CHG0033928
Services Affected
- LDAP
September 10, 2020, 7:00 pm
We renewed the certificate for the ldap cluster at ldap.berkeley.edu before it expires. We quiesced traffic to each node in turn to update the certificate. Application owners and developers using non-system keystores should ensure they are only referencing the root and intermediate certificates, and not the expiring leaf node. CMR: CHG0033895
No Services Affected
September 9, 2020, 7:00 am
We reconfigured the offsite LDAP clusters used for Shibboleth/CAS DR as well as general LDAP services to use a different type of load balancing. This enables us to track remote client IPs better. CMR: CHG0033896
Services Affected
- LDAP at SDSC
September 2, 2020, 9:00 am
CalNet shutdown the CalAccess service at https:/idc.berkeley.edu/ca since the application is no longer in use. CMR: CHG0033880
No Services Affected
September 1, 2020, 10:30 am
We moved CalNet's Production Shared Services AWS account from the current AWS organization to the newer control tower-enabled central payer account organization. CMR: CHG0033881
No Services Affected
September 1, 2020, 7:00 am
CalNet will remove approximately 50 unused and deprecated attributes from the berkeleyEdu objectclass(es) and delete the attribute definitions from the schema. We will be applying this change to LDAP Test on August 11th. CMR: CHG0033825
Services Affected
- LDAP
September 1, 2020, 7:00am
CalNet is updating the passphrase complexity requirement standards. Updated password complexity requirements will only affect *newly* created accounts or passphrases changed after the implementation. CMR: CHG0033821
Services Affected
- BPR
- CalNetAD
July 23, 2020, 7:30 am
Updated the certificate for the CalNet ActiveMQ instance because it was due for renewal. CMR: CHG0033781
Services Affected
- CalNet Account Manager
- CalNet Admin Tool
July 22, 2020, 8:00 pm
Removed the "Entity not found" entries from CalGroups. Entity not found entries in CalGroups are of two types. They are from either ou=expired or ou=advcon. We will remove those from ou=expired from all groups. We cleaned-up the advcon entries from any official groups, but not app or org groups. CMR: CHG0033797
Services Affected
- CalGroups
July 8, 2020, 7:00 am
We are making updates to the LDAP schema in preparation for the new CalNet Directory Update tool. This includes modifications that should only be visible to internal CalNet processes.
CMR: CHG0033749
No Outages
July 4, 2020, 7:00 am
Additional settings to ensure a secure operating system. These settings have already been applied to the production CAS systems since April and have been in our test environment for a month. There will be a 10-minute outage of BPR while the server restarts after patching. Other services are load-balanced and no outage is expected. CMR: CHG0033719
Services Affected
- BPR / CalNet Account Manager
- Shibboleth
- CalGroups
- Manage My Keys
- LDAP
July 1, 2020, 6:30 am
The PostgreSQL instance 'calnetbprprod' was migrated to a new RHEL7 VM dba-postgres-prod-55, as the RHEL6 VMs will soon be out of support. This database supports Calnet-BPR/IDM application. CMR: CHG0033740
Services Affected
- BPR / CalNet Account Manager
- CalNet Admin Tool
May 25, 2020, 7:30 am
We have upgraded CalGroups production servers to Grouper version 2.4. CMR: CHG0033624
Services Affected
- CalGroups
May 23, 2020, 8:00 am
This change updates the CAS configuration to allow the release of the mail attribute for Sponsored Guests. CMR: CHG0033623
Services Affected
- LDAP
- CAS
- CalNet Sponsored Guests
May 14, 2020, 6:00pm
This release includes the following bug fix and feature enhancements, and will include a brief outage (less than 5 minutes) of BPR apps while the servers restart. CMR: CHG0033589
Services Affected
- CalNet Account Manager
- CalNet Admin Tool
- CalNet Namespace
- Berkeley Person Registry
Tickets Resolved
Ticket | Comment |
---|---|
CAT-172 | Add Status and Expiration Date to CAT |
CNR-2011 | Changes to ou and berkeleyEduExpDate calculation for some students |
CNR-2013 | New Changes to Account Locked Emails |
CNR-2010 | User with CAT Role: ROLE_IHUB_TRIGGER is not able to trigger iHub message |
CNR-2012 | Create new person info registry-service endpoint for Directory Update app |
April 29, 2020, 9:55pm
This release will change the method of download for the InCommon Metadata. We have been doing nightly downloads of the entire list of InCommon SPs. A new method, Metadata Query service (MDQ), allows us to only download the SPs we need to access.
We will also begin the IDP cert change process. It involves adding the replacement cert to the metadata along with the original cert, allowing time for SPs to pick up the new cert, and eventually removing the original cert from the metadata. CMR: CHG0033559
Services Affected
- Cloud based services including bConnected
- Shibboleth
April 28, 2020, 7:16am
This release is the removal of assured replication from the CalNet LDAP replication domains.CMR: CHG0033523
Services Affected
- LDAP
April 28, 2020, 7:16am
This release applies additional OS security settings to our systems. This change is to configure the level 1 and 2 CIS benchmark settings.CMR: CHG0033480
April 17, 2020, 2:08pm
This release updates BPR and changes the managing of expired STU-DELEGATEs. When a student affiliation is expired, the delegate's stu-delegate affiliation will also expire.
When a student has extended SIS access, the delegate's affiliation should expire when the student's extended SIS access affiliation expires. There is no grace period for STU-DELEGATE affiliations. CMR: CHG0033488
Services Affected
- BPR
April 14, 2020, 6:44am
This release will enable hostname whitelisting to the CAS Duo integration in production. This was done for auth-test several months ago.CMR: CHG0033474
Services Affected
- CAS
April 3, 2020, 8:55am
This release adds an additional cipher to our LDAP servers' configuration to support older hosts using openssl.CMR: CHG0033453
Services Affected
- LDAP
March 18, 2020, 6:30pm
This release disables TLS 1.0 and 1.1 so that clients/integrations must use at least TLS 1.2.CMR: CHG0033356
Services Affected
- BPR
- CalNet Account Manager
- CalNet Admin Tool
- CalGroups
- CAS
- LDAP
- Shibboleth
March 18, 2020, 6:30pm
In this release, we will be applying a text change to the Berkeley Person Registry (BPR), specifically the CalNet Account Manager. Most public-facing BPR functions, like the CalNet Account Manager and CalNet Admin Tool, will be offline for a minute or two while the server restarts. CMR: CHG0033431
Services Affected
- Berkeley Person Registry
- CalNet Admin Tool
- CalNet Account Manager
March 16, 2020, 6:00am
This release is the removal of the expiring AddTrust root certificate is in the SSL template used for the EWH CAS load balanced VIP. CMR: CHG0033399
March 3, 2020, 9:30pm
We will be changing the source for the org tree data found in production LDAP on Wednesday 3/4 from 9:30 - 10. There is no expected downtime. CMR: CHG0033388
March 3, 2020, 9:00pm
We will change the certs for IDC servers on Wednesday 3/4 at 9 pm (30 min window). There will be no downtime, as the servers are HA. The services, SPA admin and Manage My Keys, will continue to be accessible during the change. CMR: CHG0033387
March 3, 2020, 5:30pm
This code release for Berkeley Person Registry includes Grails upgrade, modifications to logic, and bug fixes. CMR: CHG0033384
Tickets Resolved
Ticket | Comment |
CNR-1990 | Upgrade to Grails 3.3.11 |
CNR-1989 | Upgrade Grails Spring Security plugin to 3.3.1 |
CNR-441 | Implement security on ucb-match and registry-match-service |
CNR-1992 | Modify match engine and match service configurations to use auth |
CNR-1984 | Restrict length of new CalNetIDs to 19 characters |
CNR-1987 | Change CalnetID requirements page to show max of 19 instead of 20 |
CNR-2003 | Content change for source for i371 requests sent to iHub |
CNR-1995 | User is active but should not be |
February 27, 2020, 8:00pm
This release is an upgrade of CAS (auth.berkeley.edu) to 5.3.15. It includes minor bug fixes as well as CalNet specific changes to improve some error messages as well as an updated URL for forgotten passphrases. No outage is expected. CMR: CHG0033329
February 19, 2020, 8:00pm
This release changes the way that Special Purpose Accounts are provisioned. We will no longer be using OpenIDM. No downtime is expected. CMR: CHG0033331
February 18, 2020, 7:00am
At 7am on Tuesday, Feb 18, we will enforce AuthZ on CAS-enabled applications using the wildcard (*.berkeley.edu) registration. The purpose of this change is to ensure that, by default, only CalNet users with 2-step verification are permitted to authenticate. This includes all active and in-grace students, employees and affiliates, logging in as themselves or using SPAs or rSPAs. CMR: CHG0033199
See https://calnetweb.berkeley.edu/calnet-technologists/single-sign/cas/cas-... for more information.
February 13, 2020, 7:00am
This release is an update of the certs for CalGroups. There will be no downtime. CMR: CHG0033332
January 28, 2020, 7:30am
A new version of CAS (5.3.15) will be released to auth-test on January 28. The update includes:
- Update to the forgot CalNet ID or passphrase link on the CAS screen
- Add 2-step help link and better language to the MFA error page
- Various minor fixes in the base CAS project
December 17, 2019, 8:00pm
This release is a certificate update for bpr.calnet.berkeley.edu. There will be a brief outage of BPR as the service restarts. CMR: CHG0033161
Services Affected
- Berkeley Person Registry
- CalNet Admin Tool
- CalNet Account Manager
December 6, 2019, 5:30pm
This release includes bug fixes and feature enhancements to Berkeley Person Registry, CalNet Admin Tool and CalNet Account Manager. CMR: CHG0033126
Services Affected
- CalNet Account Manager
- LDAP
- CalNet Admin Tool
- CalNet Namespace
- Berkeley Person Registry
Tickets Resolved
Ticket | Comment |
CAT-162 | UIDOld and UIDOldConsolidationDate not getting written in consolidation |
CAT-169 | Namespace folders do not get moved from expired records in LDAP upon consolidation |
CAT-170 | ConsolidationDate and CalNetUidOld do not get written |
CNR-1961 | Detect and delete VOID VOID records |
CNR-1962 | Change Locked Account Email |
CNR-1969 | Update passphrase requirements text |
CNR-1975 | problem with BUSN email getting to UCPath |
CNR-1978 | Multiple new SORObjects partially matching to a UID |
CNR-1979 | Change the Rank Order used for Names from SORs |
CNR-1980 | Fix hash code bug when two DDODS email addresses swap PREF_EMAIL_FLAG values. |
CNR-1981 | Recognize PREF_EMAIL_FLAG='N' UCPath emails. |
December 4, 2019, 9:00pm
This release retires the legacy CalNet Guest application. CMR: CHG0033137
Services Affected
- CalNet Guest application
Tickets Resolved
Ticket | Comment |
CG-187 | Retire Legacy Guest App |
November 21, 2019, 8:30am
We will be launching the process that enables the policy of requiring an employee as part of a SPA user group starting Thursday morning, Nov. 21 at 8:30 am. There is no down time.
Services Affected
- Special Purpose Accounts
November 21, 2019, 7:00am
We are making two changes to our LDAP access logs.
1. Add milliseconds to the timestamp format.
2. Switch to a combined log format to simplify log parsing and reduce log size.
Services Affected
- LDAP
November 15, 2019, 8:00am - November 22, 2019
We will decommission net-auth-p1 and calnet-p2 servers.
Both servers will be powered off and then deleted after 7 days.
Services Affected
- Open IDM
- SPA Admin App
November 13, 2019, 9:00pm
We need to restart openidm on idm-p1 to remove a dependence on the krbservice/net-auth. The service affected is the SPA Admin app which is available to employees only. 2 minute outage of SPA App expected. CMR: CHG0033079
Services Affected
- Open IDM
- SPA Admin App
November 12, 2019, 7:00am
We will update CAS registrations to specifically ensure sponsored guests cannot access services that have not directly been enabled for sponsored guests by the application owner. In some cases it is possible for a sponsored guest who has an existing and valid SSO session to access an application that has not specifically been enabled for guest access. This is due to an issue in CAS that affected the migration of service registrations and was fixed in the last CAS upgrade. CMR: CHG0033075
Services Affected
- CAS
October 29, 2019, 8pm
We will upgrade CAS (auth.berkeley.edu) to 5.3.12.1 and Tomcat server to 8.5.46. Both contain numerous bug and security fixes. Hazelcast is bundled with CAS and will receive a version bump as well. Auth-test and auth.berkeley.edu will be upgraded as follows:
Monday, 10/7 @0800 - Implement in auth-test.berkeley.edu
Tuesday, 10/29 @2000 - Implement in auth.berkeley.edu
We encourage developers to test their applications thoroughly against https://auth-test.berkeley.edu. A separate announcement will be sent for the production upgrade toward the end of October. CMR: CHG0032985
Services Affected
- CAS
October 24, 2019, 9:00pm
This release is a minor change to the idc.b.e/mmk app. We are removing the user defined option for bConnected keys. Given the idc.b.e system is HA, there is no expected downtime. CHG0033031
Services Affected
- Manage My Keys
October 22, 2019, 5:30pm
In this release, we add known bad passwords to ucb-dictionary. CMR: CHG0033024
Services Affected
- ucb-dictionary
- bidms-downstream
- registry-service
- account-manager
October 7, 2019, 8pm
This release includes configuration adjustments and cosmetic changes to CAS. It was released to auth-test.berkeley.edu on 9/30/19 to allow time for testing. There are no major changes to CAS code in this release. CMR: CHG0032969
Services Affected
- CAS
Sept. 13, 2019, 6pm - Sept. 16, 2019, 8pm
This release includes substantial changes to the CalNet stack. The MIT Kerberos authentication servers are being retired in favor of Active Directory. Reorganization of the AD structure follows security best practices and allows CalNet to be system of record for all user objects.
In addition, this release contains feature enhancements and bug fixes for CalNet Account Manager and CalNet Admin Tool; removal of legacy HCM and SIS processes; and an upgrade to Grails 3.3.10.
There may be brief periods of instability in the CalNet suite of services over the weekend while user account reprovisioning occurs. We expect all systems to return to their normal functions by 8pm on Monday, Sept. 16.
This release also retires the CalNet Sync Tool.
CMR: CHG0032879
Services Affected
- All CalNet and Berkeley Person Registry Applications
- CalNetAD
- CAS
- CalNet Sync Tool
Tickets Resolved
Ticket |
Comment |
CNR-1899 |
Change to match rule #2 |
CNR-1903 |
Remove legacy HCM account claiming entirely from CAM (Was: Delete extra employee account claim in CAM admin view) |
CNR-1909 |
Fix UCPath LdapSync'ing in test environment |
CNR-1904 |
Changes to CalNet ID creation - confirmation email |
CNR-1938 |
Create a "Super Canonical" match engine config rule type |
CNR-1939 |
registry-sor-gateway Quartz jobs stop working after some amount of time in production |
CNR-1937 |
There is a CAM cache bug when a user changes calnetId |
CNR-1926 |
Make it configurable to switch between sendgrid and greenmail for registry-service quartz jobs that send out email |
CNR-1936 |
Not able to change CalNet ID to something I already own |
CNR-1924 |
Need a way to identify "presirs with calnetIds" using roles |
CNR-1922 |
AD provisioning: Changes to who gets provisioned to AD |
CNR-1921 |
AD provisioning: OU changes based on primary affiliation |
CNR-1920 |
AD provisioning: primaryGroupID changes based on primary affiliation |
CNR-1919 |
Create new provisioning groups in my local AD |
CNR-1918 |
AD provisioning: Active userAccountControl for in-grace people |
CNR-1914 |
AD provisioning: OU and primaryGroupID changes for different primary affiliations and keeping in-grace people active |
CNR-1516 |
Modify bidms-downstream change password endpoint to recognize certain AD passphrase validation errors codes |
CNR-1911 |
Modify BPR tools to use AD Kerberos and not krbservice |
CNR-1927 |
Enhancement to bidms-connectors/bidms-downstream to add and remove a person from directory groups |
CNR-1917 |
When doing password change, use an user bind rather than an administrative bind |
CNR-1928 |
Enable sendgrid (to test mailbox) in test for reg-serv end-of-life jobs |
CNR-1496 |
Remove sisStudentSorKeyDataExtractor from sor-key-data-service |
CNR-1944 |
bidms-downstream memory leak |
CNR-1945 |
bidms-connectors isn't detecting a change when userAccountControl bits should be changing so no write is performed |
CNR-1947 |
No longer referencing SYSADM.PS_TERM_TBL in any BPR queries to SIS databases |
CNR-1946 |
Add CWR004 Staff Intern and CWR012 Traveling Nurse to official affiliatons in BPR |
CNR-1910 |
Remove legacy hcm from SOR Gateway Service |
CNR-1891 |
Remove defunct legacy HCM provisioning code from registry-provisioning-scripts |
CNR-1949 |
Upgrade BIDMS web apps to Grails 3.3.10 |
CNR-1951 |
Add Deposit Pending to Campus Solutions query |
CNR-1941 |
Provision BPR-managed SPAs to LDAP |
CNR-1950 |
Update content on CAM welcome page |
CNR-1956 |
Additional audit logging for CAT split/merge/reconciliation |
CNR-1957 |
Additional audit logging for CAT split/merge/reconciliation |
CNR-1958 |
Additional audit logging for CAT split/merge/reconciliation |
CNR-1959 |
CalNet ID naming requirements need to be more restrictive temporarily |
September 12, 2019, 8pm
In this release, we will add new authentication profile to the shibcas plugin. This is very minor change. Service won't be affected because the servers are in an HA configuration. CMR: CHG0032909
Services Affected
- Shibboleth
September 12, 2019, 8:15pm
This is a minor change to CalGroups, CalGroups that changes the large group limit for AD and LDAP provisioning from CalGroups. There will be a short break (15 sec) in provisioning to AD and LDAP when the provisioning service is restarted. CMR: CHG0032908
Services Affected
- CalGroups
August 1, 2019, 6am
This release will update CAS logging and A10 health checks. CMR: CHG0032767
Services Affected
- CAS
July 4, 2019, 8am
This is a test of DNS failover for auth.berkeley.edu and shib.berkeley.edu starting the morning of Thursday, July 4th at 08:00 AM PT. CMR: CHG0032674
The test period is expected to last for approximately 1 hour. During this period DNS requests for auth.berkeley.edu and shib.berkeley.edu will return the addresses for our DR site.
If you currently enforce outbound firewall rules for web traffic, you should add additional allow rules for the SDSC virtual IPs:
CAS:
Port: 443
IP: 192.107.102.203
Shib:
Port: 443
IP: 192.107.102.199
This should be transparent to your applications. If you experience any issues please contact calnet-admin@berkeley.edu with a thorough description of your problem.
Services Affected
- CAS
- Shibboleth
July 3, 2019, 7pm
This release will prevent Student Volunteers from creating CalNet accounts, per instruction from UCPath. There will be a brief outage when the servers are restarted. CMR: CHG0032702
Services Affected
- CalNet Account Manager
- CalNet Admin Tool
July 2, 2019, 7am
DNS change for the Shibboleth production hostnames to allow us engage in HA with our SDSC servers. There will be an outage of Shibboleth of up to 10 minutes during this time. CMR: CHG0032671
Services Affected
- Shibboleth
June 20, 2019, 8am
We will upgrade CAS on the test auth-test.berkeley.edu cluster to 5.3.11. The CAS release contains bug fixes for delegated authentication. The CalNet-specific changes include enabling authentication and ticket issuance throttling. No downtime expected, we will fail over to SDSC and back to EWH. CMR: CHG0032637
Services Affected
- auth-test.berkeley.edu
June 13, 2019, 9pm
In this release, we will remove the passphrase synchronization feature from auth.berkeley.edu in preparation for the migration to AD Kerberos. This is not a user-facing function of CAS and is not to be confused with the passphrase reset features of CalNet Account Manager. CMR: CHG0032603
Services Affected
- CAS
June 13, 2019, 7am
In this release, we will configure DNS failover for the shib-test.berkeley.edu Shibboleth cluster. This will allow Shibboleth to fail over to San Diego in case of a major network or systems outage at EWH. There will be an outage to shib-test as DNS records will be deleted and re-created as new record types. CMR: CHG0032614
Services Affected
- shib-test
June 6, 2019, 7am
This release is a patch of RHEL 6.x and the JVM for the idc.berkeley.edu application cluster. CMR: CHG0032587
Services Affected
- idc.berkeley.edu, including:
- Legacy Guests
- MMK
June 1, 2019, 10am
This release will enable WebAuthn/FIDO2 and Touch ID for Duo users and devices. See https://guide.duo.com/security-keys and https://guide.duo.com/touch-id for details on these new options for Duo devices. Existing Duo U2F users will be prompted to re-register their devices. CMR: CHG0032567
Services Affected
- CalNet 2-Step
May 28, 2019, 9pm
We will modify the CAS principal lookup filter to be more exclusive by only returning berkeleyEduPerson objects. This is necessary to address an issue discovered while validating new Sponsored Guests with a specific application. CMR: CHG0032578
Services Affected
- CAS
- Shibboleth
May 23, 2019, 6:30pm
This expedited change includes changes to UCPath and Sponsored Guests provisioning. CMR: CHG0032577
Services Affected
- SOR Gateway Service
- Registry Provisioning Scripts
- Berkeley Person Registry
Tickets Resolved
Ticket | Comment |
---|---|
CNR-1898 |
UCPATH_DDODS hash query |
CNR-1894 | CWR020 Student Volunteer |
CNR-1887 |
Cirrus Guest Account provisioning populate beKPS |
CNR-1876 |
Set LDAP ucNetId value from UCPath external identifiers |
May 23, 2019, 6:30pm
This expedited change includes changes to UCPath and Sponsored Guests provisioning. CMR: CHG0032577
Services Affected
- SOR Gateway Service
- Registry Provisioning Scripts
- Berkeley Person Registry
Tickets Resolved
Ticket | Comment |
---|---|
CNR-1898 |
UCPATH_DDODS hash query |
CNR-1894 | CWR020 Student Volunteer |
CNR-1887 |
Cirrus Guest Account provisioning populate beKPS |
CNR-1876 |
Set LDAP ucNetId value from UCPath external identifiers |
May 12, 2019, 10:00am
This release will modify the queries used for department and title code groups within CalGroups to only use UCPath data. Some users may gain or lose access to systems that use those groups. CMR: CHG0032522
Services Affected
- Any system utilizing department / title code groups, such as:
- LDAP
- Active Directory
- CalGroups API
Tickets Resolved
Ticket | Comment |
CG-173 | Modify Department and title code groups in CalGroups |
May 10, 2019, 6:30pm
This release will upgrade all Berkeley Identity Management Suite apps to Grails 3.3.9.
It will also remove HCM as a system of record for job data and LDAP affiliations.
Employees and Affiliates that are in HCM but are not yet in UCPath may enter their grace period (https://calnetweb.berkeley.edu/calnet-me/info-new-users/grace-periods) and are likely to get an account expiration notice. Employees and Affiliates who receive an unexpected expiration notice should review their UCPath HR status with their HR support staff.
LDAP affiliations for expired HCM and UCPath Affiliates will undergo a change to ensure backwards compatibility:
-
HCM Affiliates who enter their grace period will get the FORMER-HCM-AFFILIATE affiliation.
-
UCPath Affiliates who enter their grace period will get the FORMER-AFFILIATE affiliation.
-
In 3-4 months, CalNet will transition to using FORMER-AFFILIATE, only.
-
Developers will receive additional communications when this change is made, and when the FORMER-HCM-AFFILIATE will be deprecated.
All affiliate records should only ever have either a FORMER affiliation or an active AFFILIATE-TYPE- affiliation, but not both at the same time.
See UCPath Affiliation Changes for additional affiliation information.
CMR: CHG0032500
Services Affected
- Berkeley Person Registry
- Registry Service
- Registry Provisioning
- SOR Gateway Service
- Match Service
- CalNet Account Tool
- CalNet Account Manager
- LDAP
Tickets Resolved
Ticket | Comment |
CNR-1859 | Upgrade all BIDMS apps to Grails 3.3.9 |
CNR-1879 | Create replacement roles for Manager/Supervisor in UCPath |
CNR-1880 | Recognize UCPath "PRF" coded names as sorPreferredName |
CNR-1881 | Minor changes to match engine logging output |
CNR-1884 | Assert FORMER-AFFILIATE for former UCPath affiliates. Don’t assert FORMER-HCM-AFFILIATE for active UCPath affiliates. |
CNR-1883 | Remove legacy HCM job data |
CM-445 | Edit error message for CAM |
CM-447 | Error message for twoStepClaim |
CM-448 | Redirect Slate-authenticated users |
CM-449 | List of AFFILIATE-TYPE- values for authorization need to be updated in CAM |
April 24, 2019, 9:00pm
In this release, CAS operating system patches will be applied. CMR: CHG0032465.
Services Affected
- CAS
- Shibboleth
April 24, 2019, 7:00pm
This release includes work on the CalNet Sponsored Guest project, and some continuing UCPath cleanup. CMR: CHG0032481
Services Affected
- Berkeley Person Registry
- Registry Service
- Registry Provisioning
- LDAP
- SOR Gateway Service
- Match Service
- CalNet Sponsored Guests
Tickets Resolved
Ticket | Comment |
CNR-1860 | Ensure CAM restricts users from creating CalNet IDs that start with UID |
CNR-1862 | Cirrus reporting http 403 error |
CNR-1864 | Add REST endpoints to registry-service that talk to Cirrus API to create invitations for existing UIDs |
CNR-1865 | Write a program that creates Cirrus invitations for existing UIDs through registry-service endpoints |
CNR-1863 | Convert existing guests into Cirrus guests using pre-sent Cirrus invitations |
CNR-1870 | Remove legacy SIS (pre-CS) from LdapSync process |
CNR-1869 | Remove legacy HCM sor from LdapSync process |
CNR-1868 | Add ucpath to LdapSync now that dev/test have prod ucpath EMPLIDs |
CNR-1867 | Rename ldapAffilGuestTypeSocial role to be consistent with the new string value in LDAP |
CNR-1849 | Add sorObjKey to registry-match-service NewSORConsumerService response log message |
CNR-1874 |
Claim token can be used twice |
CNR-1875 | Trigger IHub button in CAT should send message to both CS and UCPath, if it isn't already |
April 14, 2019, 8:00am
This is an update to the Slate theme of the Duo login page. Related to: CHG0032441.
CMR: CHG0032458
Services Affected
- CAS
- Shibboleth
April 9, 2019, 8:00pm
This is an update to a new version of the Duo websdk and includes changes to the CAS login view, to change how the Duo iframe is generated. Some users may now see the 2-Step page rendered as smaller-than-normal. See Known Issues for steps to fix this issue. CMR: CHG0032441
Services Affected
- CAS
- Shibboleth
April 1, 2019, 4:45pm
This code is an update to the logic BPR uses regarding UCPath messages; specifically, to ignore ActionReason 'VOI' jobs in I-280 and DDODS. CMR: CHG0032422
Services Affected
- Berkeley Person Registry
April 1, 2019, 8:45am
This code fixes timeout exceptions when provisioning large quantities from Berkeley Person Registry to Active Directory. CMR: CHG0032419
Services Affected
- Berkeley Person Registry
- Active Directory
March 28, 2019, 3:00pm
This release fixes a bug in provisioning in which berkeleyEduExpDate got improperly reset for some legacy HCM former employees CMR: CHG0032416
Services Affected
- LDAP
- Berkeley Person Registry
March 27, 2019, 11:00pm
With this release, we will replace the EV TLS cert for auth.berkeley.edu. Additional alternative names will be included to support future DNS failover. CMR: CHG0032402
Services Affected
- CAS
- Shibboleth
March 27, 2019, 3:10pm
This CalNet release updates logic used to populate employeeNumber attribute in LDAP as well as the way CalNet looks at POIs from UCPath. CMR: CHG0032413
Services Affected
- Berkeley Person Registry
- LDAP
Tickets Resolved
Ticket | Comment |
CNR-1851 | UCPath POIs aren't getting masterActive role if their only active affiliation is UCPath POI |
CNR - 1852 | Delete employeeNumber from LDAP if active UCPath POI/CWR but not an employee, even if active emp in legacy HCM |
March 25, 2019, 10:40am
This deployment is for new code to handle new information from UCPath DDODS tables. This deployment required a restart on registry-p1, which led to a brief outage. This deployment is already complete. CMR: CHG0032404
Services Affected
- Berkeley Person Registry
Tickets Resolved
Ticket | Comment |
CNR-1847 | New info from UCPath: DML_INDICATOR='D' in DDODS tables indicates a DELETED row |
March 25, 2019, 7:00am
In this release, we will configure DNS failover for the auth-test.berkeley.edu CAS cluster. This will allow CAS to fail over to San Diego in case of a major network or systems outage at EWH. There should be no noticeable outage, this is just a transparent DNS change from the perspective of CAS clients. CMR: CHG0032379
Services Affected
- auth-test.berkeley.edu
- CAS-test
March 22, 2019, 7:00am
This change is an upgrade to CAS on the test auth-test.berkeley.edu cluster to version 5.3.9. The CAS release contains minor bug fixes. This changes also includes cosmetic updates to support CalNet Sponsored Guest accounts. The TLS certificate for auth-test will also be updated to add additional SAN records for DNS failover and to use an EV certificate to mirror production.
The service will be down for less than 5 minutes for a restart. CMR: CHG0032374
Services Affected
- auth-test.berkeley.edu
- CAS-test
March 20, 2019, 6:00am
CalNet will begin UCPath Go-Live and reprovisioning activities on or after 3/20/2019.
During the go-live process, there may be restarts needed that will affect CalNet Admin Tool and CalNet Account Manager for ~5 minutes. Reprovisioning could cause delays in real time messaging and updates to LDAP, Active Directory and API Integration Hub.
LDAP attributes will be updated with UCPath data (most notably: employeeNumber, berkeleyEduAffID, berkeleyEduAffiliations, title codes). Users using these attributes should refer to https://ucpath.berkeley.edu/ucpath-cal/tech-talk or https://ucpath.berkeley.edu/faq/technical for additional information.
There is no planned outage for SSO, CAS, Shibboleth, or LDAP.
This change date is tentative, and may be delayed by 1 or more days if UCPath conversion is behind schedule. CMR: CHG0032350
Services Affected
- LDAP - attributes only
- CalNet Admin Tool
- CalNet Account Manager
March 20, 2019, 12:00pm
During this change, legacy apps using Rails are no longer needed and are vulnerable will be retired. CMR: CHG0032376
Services Affected
- Manage Your Identity Applications
- CalNet Deputy Application
- UAS Portal
Tickets Resolved
Ticket | Comment |
OPS-409 | Deprecate MYI/UAS - calnet-p2/net-auth-p2 |
March 6, 2019, 6:00pm
This release will add notices/warnings on the directory update pages hosted on calnet-p1. These warn about the potential for public exposure of addresses and phone numbers entered via the Directory Update app when published to the Campus CalNet Directory.
A brief outage of less than 1 minute will occur when the app is restarted. CMR: CHG0032344
Services Affected
- CalNet Directory Update Application
March 6, 2019, 6:45am
This release includes code changes in support of the UCPath implementation and server patches. There will be two short outages, about one minute each, as the server is restarted. CMR: CHG0032340
Services Affected
- Berkeley Person Registry
- Registry Service
- Registry Provisioning
- CalNet Account Manager
- CalNet Admin Tool
- Active Directory
- LDAP
Tickets Resolved
Ticket | Comment |
CNR-1667 | UCPath: If personal email address becomes available via UCPath, modify sor-key-data-extractor to parse out and modify registry-provisioning-scripts to provision as personal email address |
CNR-1741 | UCPath: Need to understand how "UCB" POIs are identified in DDODS |
CNR-1785 | UCPath: Gain access to the DDODS UAT instance |
CNR-1801 | Modify bidms-connectors to reuse same LDAP connection within a call to persist() |
CNR-1803 | UCPath: Integrate with the new "delete EMPLID" queue once it becomes available (yet to happen, but code is there to support it) |
CNR-1805 | UCPath: Quartz job to find old emplids in i-280 sor that aren't in DDODS anymore |
CNR-1806 | UCPath: dev DDODS hash query throwing an string concatenation exception |
CNR-1809 | UCPath: DDODS query needs to handle POI-only people with no jobs |
CNR-1810 | UCPath: The test I-371 IHub REST endpoint is not working |
CNR-1811 | UCPath: POI_TYPE codes have changed in DDODSQPT |
CNR-1812 | UCPath: There are additional CWR codes in DDODSQPT that we weren't originally given |
CNR-1813 | UCPath: The "send to IHub" logic needs to become more complex to support multiple IHub endpoints for CS and UCPath |
CNR-1814 | UCPath: last_updates subquery is causing slowness of the per-EMPLID DDODS query |
CNR-1816 | UCPath: Make ucPathId a recognized account claim identifier in CAM and registry-service |
CNR-1817 | UCPath: Create a SQL query to compare UAT active employee list with legacy HCM active employee list |
CNR-1818 | UCPath: Modify reg-prov-scripts to have UCPath be prioritized over legacy HCM for payroll-related LDAP attributes |
CNR-1819 | UCPath: In match engine, make UCPATH_DDODS<->UCPATH_INTER_PERUPD primary key pairing a canonical match |
CNR-1820 | UCPath: Create a view from DDODS data that only contains I-280 data elements |
CNR-1821 | UCPath: Look at BOTH PPS_ID and PSFT_ID for a legacy HCM external identifier |
CNR-1823 | UCPath is sometimes incorrectly removing the leading zero from legacy HCM identifiers |
CNR-1829 | UCPath: last_updates inline view has a SQL bug in it |
February 27, 2019, 9:00pm
On Wednesday evening (2/27) from 9-10 pm, we will be upgrading the ShibCAS plugin on the production Shibboleth servers. Since the servers are redundant, there will be no down time while the updates happen. This service is used by any campus member logging into an external service like bConnected. CMR: CHG0032328
Services Affected
- Shibboleth
February 27, 2019, 7:00am
This is an update to the CAS / AD password sync filter. With the implementation of AD password sync in CAS on Sunday (CHG0032283) we are seeing a high number of errors for a specific account. This change will alter the LDAP filter to exclude the account from the sync call. CMR: CHG0032323
Services Affected
- CAS
- Active Directory
February 24, 2019, 8:00am
We will upgrade CAS on the production auth.berkeley.edu cluster to 5.3.7. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-53-upgrade for more information. CMR: CHG0032283
Notable Changes Include
- CalNet AD password synchronization
- Improved surrogate/impersonation support for SPAs
- Support for social guests
- Accessibility improvements
Services Affected
- CAS
- Shibboleth
February 21, 2019, 6:00pm
We will reconfigure the httpd TLS settings on calnet.b.e and net-auth.b.e to follow OWASP recommendations for TLS security. A brief outage of less than 1 min will happen as the web servers are restarted. CMR: CHG0032301
Services Affected
- Directory Update App
- krbservice
February 17, 2019, 9:00am
In this release, we will extend the berkeleyEduPerson object class to include a new attribute named berkeleyEduUCPathID. After conversion to UCPath, the berkeleyEduHCMID will contain the deprecated employee id. Both berkeleyEduUCPathID and employeeNumber will contain the UCPath employee id. CMR: CHG0032274
Services Affected
- LDAP
February 13, 2019, 7:00am
We will replace the certificate on the test/QA CAS instance (auth-test.berkeley.edu) to update the subject alternative names in preparation for DNS failover testing. There will be a brief outage while CAS is restarted, from 7am-7:10am. CMR: CHG0032291
Services Affected
- auth-test.berkeley.edu
- CAS-test
February 11, 2019, 9:00am
This release is an upgrade of the CAS test/QA service definition files to the latest format to prepare for the CAS 5.3.7 upgrade in prod later this month.
We will also implement a new default authorization policy on CAS applications that have not registered with the CalNet team. The default authorization will enforce that any non-registered applications are restricted to student, staff, faculty and valid HCM affiliates. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-default-auth... for more information. CMR: CHG0032273
January 31, 2019, 8:00am
This release is the retirement of the nds.berkeley.edu LDAP service. CMR: CHG0032216. All customers should use ldap.berkeley.edu as the primary LDAP service and ldap-test.berkeley.edu for test/qa purposes.
On October 31, 2018 ldap.berkeley.edu was upgraded to the latest directory server software, which is a major upgrade from nds.berkeley.edu. With that service stable we are now retiring the legacy LDAP service.
If your service depends on LDAP, you can test the performance and functionality of the latest software using either ldap.berkeley.edu or ldap-test.berkeley.edu. It is highly recommended that you test your applications as soon as possible and report any issues to calnet-admin@berkeley.edu
If your application or TLS/SSL libraries do not accept the ldap.berkeley.edu certificates as trusted see this resource for developers.
January 3, 2019, 6:00pm
This is an emergency release primarily to address a regression bug affecting some accounts with conflicting affiliations. CMR: CHG0032199
Notable changes Include
- Fix for employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time
- Add LDAP mail attribute for social guests
-
Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.
Services Affected
- Registry Service
- Registry Provisioning
- Cirrus Guest App
- CalNet Account Manager
- CalNet Guest Accounts
Tickets Resolved
Ticket | Comment |
CNR-1800
|
LDAP mail attribute with cirrus/social guests user email address
|
CNR-1804 |
Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.
|
CNR-1807 |
Employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time.
|
CNR-1808 |
Add additional exception handling in provisionUid and provisionUidBuilk (related to CNR-1804)
|