CalNet Releases

CalNet operates a complex suite of applications that support the Identity and Access Management functions of the University.  As technology is updated throughout the CalNet portfolio, updates will appear on this page.  

If you support technology that depends on CalNet tools, this is the best place to look to understand if something in the CalNet technology stack has changed and how it could be affecting your services. You can also sign up to receive notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases and click JOIN.
 

                


Upcoming Releases


March 20, 2019, 6:00am

CalNet will begin UCPath Go-Live and reprovisioning activities on or after 3/20/2019.

During the go-live process, there may be restarts needed that will affect CalNet Admin Tool and CalNet Account Manager for ~5 minutes. Reprovisioning could cause delays in real time messaging and updates to LDAP, Active Directory and API Integration Hub.

LDAP attributes will be updated with UCPath data (most notably: employeeNumber, berkeleyEduAffID, berkeleyEduAffiliations, title codes). Users using these attributes should refer to https://ucpath.berkeley.edu/ucpath-cal/tech-talk or https://ucpath.berkeley.edu/faq/technical for additional information.

There is no planned outage for SSO, CAS, Shibboleth, or LDAP.

This change date is tentative, and may be delayed by 1 or more days if UCPath conversion is behind schedule. CMR: CHG0032350

Services Affected

  • LDAP - attributes only
  • CalNet Admin Tool
  • CalNet Account Manager

March 22, 2019, 7:00am

This change is an upgrade to CAS on the test auth-test.berkeley.edu cluster to version 5.3.9. The CAS release contains minor bug fixes. This change also includes cosmetic updates to support CalNet Sponsored Guest accounts. The TLS certificate for auth-test will also be updated to add additional SAN records for DNS failover and to use an EV certificate to mirror production.

The service will be down for less than 5 minutes for a restart. CMR: CHG0032374

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

March 25, 2019, 7:00am

In this release, we will configure DNS failover for the auth-test.berkeley.edu CAS cluster. This will allow CAS to fail over to San Diego in case of a major network or systems outage at EWH. There should be no noticeable outage; this is a transparent DNS change from the perspective of CAS clients. CMR: CHG0032379

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

Recent Releases


March 20, 2019, 12:00pm

During this change, legacy apps using Rails that are no longer needed and are vulnerable will be retired. CMR: CHG0032376

Services Affected

  • Manage Your Identity Applications
  • CalNet Deputy Application
  • UAS Portal

Tickets Resolved

Ticket Comment
OPS-409 Deprecate MYI/UAS - calnet-p2/net-auth-p2

March 6, 2019, 6:00pm

This release will add notices/warnings on the directory update pages hosted on calnet-p1. These warn about the potential for public exposure of addresses and phone numbers entered via the Directory Update app when published to the Campus CalNet Directory.

A brief outage of less than 1 minute will occur when the app is restarted. CMR: CHG0032344

Services Affected

  • CalNet Directory Update Application

March 6, 2019, 6:45am

This release includes code changes in support of the UC Path implementation and server patches. There will be two short outages, about one minute each, as the server is restarted. CMR: CHG0032340

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • CalNet Account Manager
  • CalNet Admin Tool
  • Active Directory
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1667 UC Path: If personal email address becomes available via UC Path, modify sor-key-data-extractor to parse out and modify registry-provisioning-scripts to provision as personal email address
CNR-1741 UC Path: Need to understand how "UCB" POIs are identified in DDODS
CNR-1785 UC Path: Gain access to the DDODS UAT instance
CNR-1801 Modify bidms-connectors to reuse same LDAP connection within a call to persist()
CNR-1803 UC Path: Integrate with the new "delete EMPLID" queue once it becomes available (yet to happen, but code is there to support it)
CNR-1805 UC Path: Quartz job to find old emplids in i-280 sor that aren't in DDODS anymore
CNR-1806 UC Path: dev DDODS hash query throwing a string concatenation exception
CNR-1809 UC Path: DDODS query needs to handle POI-only people with no jobs
CNR-1810 UC Path: The test I-371 IHub REST endpoint is not working
CNR-1811 UC Path: POI_TYPE codes have changed in DDODSQPT
CNR-1812 UC Path: There are additional CWR codes in DDODSQPT that we weren't originally given
CNR-1813 UC Path: The "send to IHub" logic needs to become more complex to support multiple IHub endpoints for CS and UC Path
CNR-1814 UC Path: last_updates subquery is causing slowness of the per-EMPLID DDODS query
CNR-1816 UC Path: Make ucPathId a recognized account claim identifier in CAM and registry-service
CNR-1817 UC Path: Create a SQL query to compare UAT active employee list with legacy HCM active employee list
CNR-1818 UC Path: Modify reg-prov-scripts to have UCPath be prioritized over legacy HCM for payroll-related LDAP attributes
CNR-1819 UC Path: In match engine, make UCPATH_DDODS<->UCPATH_INTER_PERUPD primary key pairing a canonical match
CNR-1820 UC Path: Create a view from DDODS data that only contains I-280 data elements
CNR-1821 UC Path: Look at BOTH PPS_ID and PSFT_ID for a legacy HCM external identifier
CNR-1823 UC Path is sometimes incorrectly removing the leading zero from legacy HCM identifiers
CNR-1829 UC Path: last_updates inline view has a SQL bug in it

February 27, 2019, 9:00pm

On Wednesday evening (2/27) from 9-10 pm, we will be upgrading the ShibCAS plugin on the production Shibboleth servers. Since the servers are redundant, there will be no down time while the updates happen. This service is used by any campus member logging into an external service like bConnected. CMR: CHG0032328

Services Affected

  • Shibboleth

February 27, 2019, 7:00am

This is an update to the CAS / AD password sync filter. With the implementation of AD password sync in CAS on Sunday (CHG0032283), we are seeing a high number of errors for a specific account. This change will alter the LDAP filter to exclude the account from the sync call. CMR: CHG0032323

Services Affected

  • CAS
  • Active Directory

February 24, 2019, 8:00am

We will upgrade CAS on the production auth.berkeley.edu cluster to 5.3.7. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-53-upgrade for more information. CMR: CHG0032283

Notable Changes Include

  • CalNet AD password synchronization
  • Improved surrogate/impersonation support for SPAs
  • Support for social guests
  • Accessibility improvements

Services Affected

  • CAS
  • Shibboleth

February 21, 2019, 6:00pm

We will reconfigure the httpd TLS settings on calnet.b.e and net-auth.b.e to follow OWASP recommendations for TLS security. A brief outage of less than 1 min will happen as the web servers are restarted. CMR: CHG0032301

Services Affected

  • Directory Update App
  • krbservice

February 17, 2019, 9:00am

In this release, we will extend the berkeleyEduPerson object class to include a new attribute named berkeleyEduUCPathID.  After conversion to UCPath, the berkeleyEduHCMID will contain the deprecated employee id.  Both berkeleyEduUCPathID and employeeNumber will contain the UC Path employee id. CMR: CHG0032274

Services Affected

  • LDAP

February 13, 2019, 7:00am

We will replace the certificate on the test/QA CAS instance (auth-test.berkeley.edu) to update the subject alternative names in preparation for DNS failover testing.  There will be a brief outage while CAS is restarted, from 7am-7:10am. CMR: CHG0032291

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

February 11, 2019, 9:00am

This release is an upgrade of the CAS test/QA service definition files to the latest format to prepare for the CAS 5.3.7 upgrade in prod later this month. 

We will also implement a new default authorization policy on CAS applications that have not registered with the CalNet team. The default authorization will enforce that any non-registered applications are restricted to student, staff, faculty and valid HCM affiliates. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-default-auth... for more information. CMR: CHG0032273

January 31, 2019, 8:00am

This release is the retirement of the nds.berkeley.edu LDAP service. CMR: CHG0032216.  All customers should use ldap.berkeley.edu as the primary LDAP service and ldap-test.berkeley.edu for test/qa purposes.

On October 31, 2018 ldap.berkeley.edu was upgraded to the latest directory server software, which is a major upgrade from nds.berkeley.edu.  With that service stable we are now retiring the legacy LDAP service.

If your service depends on LDAP, you can test the performance and functionality of the latest software using either ldap.berkeley.edu or ldap-test.berkeley.edu.  It is highly recommended that you test your applications as soon as possible and report any issues to calnet-admin@berkeley.edu.

If your application or TLS/SSL libraries do not accept the ldap.berkeley.edu certificates as trusted, see this resource for developers.


January 3, 2019, 6:00pm

This is an emergency release primarily to address a regression bug affecting some accounts with conflicting affiliations. CMR: CHG0032199

Notable Changes Include

  • Fix for employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time
  • Add LDAP mail attribute for social guests
  • Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.

Services Affected

  • Registry Service
  • Registry Provisioning
  • Cirrus Guest App
  • CalNet Account Manager
  • CalNet Guest Accounts

Tickets Resolved

Ticket Comment
CNR-1800 LDAP mail attribute with cirrus/social guests user email address
CNR-1804 Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.
CNR-1807 Employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time.
CNR-1808 Add additional exception handling in provisionUid and provisionUidBuilk (related to CNR-1804)