CalNet Releases

CalNet operates a complex suite of applications that support the Identity and Access Management functions of the University.  As technology is updated throughout the CalNet portfolio, updates will appear on this page.  

If you support technology that depends on CalNet tools, this is the best place to look to understand if something in the CalNet technology stack has changed and how it could be affecting your services. You can also sign up to receive notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases and click JOIN.
 

                


Upcoming Releases


Sept. 13, 2019, 6pm - Sept. 16, 2019, 8pm

This release includes substantial changes to the CalNet stack. The MIT Kerberos authentication servers are being retired in favor of Active Directory. Reorganization of the AD structure follows security best practices and allows CalNet to be the system of record for all user objects.

In addition, this release contains feature enhancements and bug fixes for CalNet Account Manager and CalNet Admin Tool; removal of legacy HCM and SIS processes; and an upgrade to Grails 3.3.10.

There may be brief periods of instability in the CalNet suite of services over the weekend while user account reprovisioning occurs. We expect all systems to return to their normal functions by 8pm on Monday, Sept. 16.

This release also retires the CalNet Sync Tool.

CMR: CHG0032879

Services Affected

  • All CalNet and Berkeley Person Registry Applications
  • CalNetAD
  • CAS
  • CalNet Sync Tool

Tickets Resolved

Issue key Summary
CNR-1899 Change to match rule #2
CNR-1903 Remove legacy HCM account claiming entirely from CAM (Was: Delete extra employee account claim in CAM admin view)
CNR-1909 Fix UC Path LdapSync'ing in test environment
CNR-1904 Changes to CalNet ID creation - confirmation email
CNR-1938 Create a "Super Canonical" match engine config rule type
CNR-1939 registry-sor-gateway Quartz jobs stop working after some amount of time in production
CNR-1937 There is a CAM cache bug when a user changes calnetId
CNR-1926 Make it configurable to switch between sendgrid and greenmail for registry-service quartz jobs that send out email
CNR-1936 Not able to change CalNet ID to something I already own
CNR-1924 Need a way to identify "presirs with calnetIds" using roles
CNR-1922 AD provisioning: Changes to who gets provisioned to AD
CNR-1921 AD provisioning: OU changes based on primary affiliation
CNR-1920 AD provisioning: primaryGroupID changes based on primary affiliation
CNR-1919 Create new provisioning groups in my local AD
CNR-1918 AD provisioning: Active userAccountControl for in-grace people
CNR-1914 AD provisioning: OU and primaryGroupID changes for different primary affiliations and keeping in-grace people active
CNR-1516 Modify bidms-downstream change password endpoint to recognize certain AD passphrase validation error codes
CNR-1911 Modify BPR tools to use AD Kerberos and not krbservice
CNR-1927 Enhancement to bidms-connectors/bidms-downstream to add and remove a person from directory groups
CNR-1917 When doing password change, use a user bind rather than an administrative bind
CNR-1928 Enable sendgrid (to test mailbox) in test for reg-serv end-of-life jobs
CNR-1496 Remove sisStudentSorKeyDataExtractor from sor-key-data-service
CNR-1944 bidms-downstream memory leak
CNR-1945 bidms-connectors isn't detecting a change when userAccountControl bits should be changing so no write is performed
CNR-1947 No longer referencing SYSADM.PS_TERM_TBL in any BPR queries to SIS databases
CNR-1946 Add CWR004 Staff Intern and CWR012 Traveling Nurse to official affiliations in BPR
CNR-1910 Remove legacy hcm from SOR Gateway Service
CNR-1891 Remove defunct legacy HCM provisioning code from registry-provisioning-scripts
CNR-1949 Upgrade BIDMS web apps to Grails 3.3.10
CNR-1951 Add Deposit Pending to Campus Solutions query
CNR-1941 Provision BPR-managed SPAs to LDAP
CNR-1950 Update content on CAM welcome page
CNR-1956 Additional audit logging for CAT split/merge/reconciliation
CNR-1957 Additional audit logging for CAT split/merge/reconciliation
CNR-1958 Additional audit logging for CAT split/merge/reconciliation
CNR-1959 CalNet ID naming requirements need to be more restrictive temporarily


Recent Releases


August 1, 2019, 6am

This release will update CAS logging and A10 health checks. CMR: CHG0032767

Services Affected

  • CAS

July 4, 2019, 8am

This is a test of DNS failover for auth.berkeley.edu and shib.berkeley.edu starting the morning of Thursday, July 4th at 08:00 AM PT. CMR: CHG0032674

The test period is expected to last for approximately 1 hour. During this period DNS requests for auth.berkeley.edu and shib.berkeley.edu will return the addresses for our DR site. 

If you currently enforce outbound firewall rules for web traffic, you should add additional allow rules for the SDSC virtual IPs:

CAS:
Port: 443
IP: 192.107.102.203

Shib:
Port: 443
IP: 192.107.102.199

This should be transparent to your applications. If you experience any issues please contact calnet-admin@berkeley.edu with a thorough description of your problem.

Services Affected

  • CAS
  • Shibboleth

July 3, 2019, 7pm

This release will prevent Student Volunteers from creating CalNet accounts, per instruction from UC Path. There will be a brief outage when the servers are restarted. CMR: CHG0032702

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

July 2, 2019, 7am

DNS change for the Shibboleth production hostnames to allow us to engage in HA with our SDSC servers. There will be an outage of Shibboleth of up to 10 minutes during this time. CMR: CHG0032671

Services Affected

  • Shibboleth

June 20, 2019, 8am

We will upgrade CAS on the test auth-test.berkeley.edu cluster to 5.3.11. The CAS release contains bug fixes for delegated authentication. The CalNet-specific changes include enabling authentication and ticket issuance throttling. No downtime is expected; we will fail over to SDSC and back to EWH. CMR: CHG0032637

Services Affected

  • auth-test.berkeley.edu

June 13, 2019, 9pm

In this release, we will remove the passphrase synchronization feature from auth.berkeley.edu in preparation for the migration to AD Kerberos.  This is not a user-facing function of CAS and is not to be confused with the passphrase reset features of CalNet Account Manager. CMR: CHG0032603

Services Affected

  • CAS

June 13, 2019, 7am

In this release, we will configure DNS failover for the shib-test.berkeley.edu Shibboleth cluster.  This will allow Shibboleth to fail over to San Diego in case of a major network or systems outage at EWH.  There will be an outage to shib-test as DNS records will be deleted and re-created as new record types. CMR: CHG0032614

Services Affected

  • shib-test

June 6, 2019, 7am

This release is a patch of RHEL 6.x and the JVM for the idc.berkeley.edu application cluster. CMR: CHG0032587

Services Affected

  • idc.berkeley.edu, including:
    • Legacy Guests
    • MMK

June 1, 2019, 10am

This release will enable WebAuthn/FIDO2 and Touch ID for Duo users and devices. See https://guide.duo.com/security-keys and https://guide.duo.com/touch-id for details on these new options for Duo devices. Existing Duo U2F users will be prompted to re-register their devices. CMR: CHG0032567

Services Affected

  • CalNet 2-Step

May 28, 2019, 9pm

We will modify the CAS principal lookup filter to be more exclusive by only returning berkeleyEduPerson objects.  This is necessary to address an issue discovered while validating new Sponsored Guests with a specific application. CMR: CHG0032578

Services Affected

  • CAS
  • Shibboleth

May 23, 2019, 6:30pm

This expedited change includes changes to UC Path and Sponsored Guests provisioning. CMR: CHG0032577

Services Affected

  • SOR Gateway Service
  • Registry Provisioning Scripts
  • Berkeley Person Registry

Tickets Resolved

Ticket Comment
CNR-1898 UCPATH_DDODS hash query
CNR-1894 CWR020 Student Volunteer
CNR-1887 Cirrus Guest Account provisioning populate beKPS
CNR-1876 Set LDAP ucNetId value from UCPath external identifiers

May 12, 2019, 10:00am

This release will modify the queries used for department and title code groups within CalGroups to only use UCPath data. Some users may gain or lose access to systems that use those groups. CMR: CHG0032522

Services Affected

  • Any system utilizing department / title code groups, such as:
    • LDAP
    • Active Directory
    • Google
    • CalGroups API

Tickets Resolved

Ticket Comment
CG-173 Modify Department and title code groups in CalGroups

May 10, 2019, 6:30pm

This release will upgrade all Berkeley Identity Management Suite apps to Grails 3.3.9.

It will also remove HCM as a system of record for job data and LDAP affiliations.

Employees and Affiliates that are in HCM but are not yet in UCPath may enter their grace period (https://calnetweb.berkeley.edu/calnet-me/info-new-users/grace-periods) and are likely to get an account expiration notice. Employees and Affiliates who receive an unexpected expiration notice should review their UCPath HR status with their HR support staff.

LDAP affiliations for expired HCM and UCPath Affiliates will undergo a change to ensure backwards compatibility:

  • HCM Affiliates who enter their grace period will get the FORMER-HCM-AFFILIATE affiliation.

  • UCPath Affiliates who enter their grace period will get the FORMER-AFFILIATE affiliation.

  • In 3-4 months, CalNet will transition to using FORMER-AFFILIATE only.

  • Developers will receive additional communications when this change is made, and when FORMER-HCM-AFFILIATE will be deprecated.

All affiliate records should only ever have either a FORMER affiliation or an active AFFILIATE-TYPE- affiliation, but not both at the same time.

See UCPath Affiliation Changes for additional affiliation information.
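
Applications that read berkeleyEduAffiliations can check the FORMER versus active rule above before making an access decision. The following Python is an added example, not CalNet's own code; going beyond this entry, it also covers the FORMER-EMPLOYEE / EMPLOYEE-TYPE-* pair named in the January 3, 2019 release. The function names, sample records, uids and the `-EXAMPLE` suffix are constructed assumptions.

```python
# Added example: audits affiliation values for the FORMER/active conflict.
# Value names come from the release notes; everything else is constructed.

# family -> (values meaning "former", prefix of values meaning "active")
FAMILIES = {
    "affiliate": ({"FORMER-AFFILIATE", "FORMER-HCM-AFFILIATE"}, "AFFILIATE-TYPE-"),
    "employee": ({"FORMER-EMPLOYEE"}, "EMPLOYEE-TYPE-"),
}
# Transitional value the notes say will be deprecated in favour of FORMER-AFFILIATE.
TRANSITIONAL = {"FORMER-HCM-AFFILIATE"}


def normalize(affiliations):
    """Trim and upper-case values (case-insensitive matching is an assumption)."""
    return {a.strip().upper() for a in affiliations if a and a.strip()}


def classify(affiliations):
    """Return {family: 'active' | 'former' | 'conflict'} for families present.

    Only same-family conflicts are flagged; a former affiliate who is an
    active employee is assumed to be legitimate.
    """
    values = normalize(affiliations)
    result = {}
    for family, (former_values, active_prefix) in FAMILIES.items():
        has_former = bool(values & former_values)
        has_active = any(v.startswith(active_prefix) for v in values)
        if has_former and has_active:
            result[family] = "conflict"
        elif has_active:
            result[family] = "active"
        elif has_former:
            result[family] = "former"
    return result


def is_authorized_affiliate(affiliations):
    """Fail closed: only an unambiguous active affiliate passes."""
    return classify(affiliations).get("affiliate") == "active"


def audit(records):
    """Return (uid, finding) tuples for conflicts and transitional values."""
    findings = []
    for rec in records:
        affs = rec.get("berkeleyEduAffiliations", [])
        for family, state in sorted(classify(affs).items()):
            if state == "conflict":
                findings.append((rec["uid"], f"{family}: FORMER and active values together"))
        if normalize(affs) & TRANSITIONAL:
            findings.append((rec["uid"], "uses FORMER-HCM-AFFILIATE (to be deprecated)"))
    return findings


# Constructed sample records; uids and the -EXAMPLE suffix are placeholders.
SAMPLE = [
    {"uid": "1001", "berkeleyEduAffiliations": ["AFFILIATE-TYPE-EXAMPLE"]},
    {"uid": "1002", "berkeleyEduAffiliations": ["FORMER-HCM-AFFILIATE"]},
    {"uid": "1003", "berkeleyEduAffiliations": ["FORMER-AFFILIATE", "AFFILIATE-TYPE-EXAMPLE"]},
    {"uid": "1004", "berkeleyEduAffiliations": ["FORMER-EMPLOYEE", "EMPLOYEE-TYPE-EXAMPLE"]},
    {"uid": "1005", "berkeleyEduAffiliations": ["EMPLOYEE-TYPE-EXAMPLE", "FORMER-AFFILIATE"]},
]

if __name__ == "__main__":
    for uid, finding in audit(SAMPLE):
        print(uid, finding)
```

Treating both FORMER-AFFILIATE and FORMER-HCM-AFFILIATE as "former" keeps a consumer correct during the transition period, and the transitional finding lists the records that still carry the value due to be deprecated.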

CMR: CHG0032500

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • SOR Gateway Service
  • Match Service
  • CalNet Account Tool
  • CalNet Account Manager
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1859 Upgrade all BIDMS apps to Grails 3.3.9
CNR-1879 Create replacement roles for Manager/Supervisor in UCPath
CNR-1880 Recognize UCPath "PRF" coded names as sorPreferredName
CNR-1881 Minor changes to match engine logging output
CNR-1884 Assert FORMER-AFFILIATE for former UC Path affiliates.  Don’t assert FORMER-HCM-AFFILIATE for active UC Path affiliates.
CNR-1883 Remove legacy HCM job data
CM-445 Edit error message for CAM
CM-447 Error message for twoStepClaim
CM-448 Redirect Slate-authenticated users
CM-449 List of AFFILIATE-TYPE- values for authorization need to be updated in CAM

April 24, 2019, 9:00pm

In this release, CAS operating system patches will be applied. CMR: CHG0032465.

Services Affected

  • CAS
  • Shibboleth

April 24, 2019, 7:00pm

This release includes work on the CalNet Sponsored Guest project, and some continuing UCPath cleanup. CMR: CHG0032481

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • LDAP
  • SOR Gateway Service
  • Match Service
  • CalNet Sponsored Guests

Tickets Resolved

Ticket Comment
CNR-1860 Ensure CAM restricts users from creating CalNet IDs that start with UID
CNR-1862 Cirrus reporting http 403 error
CNR-1864 Add REST endpoints to registry-service that talk to Cirrus API to create invitations for existing UIDs
CNR-1865 Write a program that creates Cirrus invitations for existing UIDs through registry-service endpoints
CNR-1863 Convert existing guests into Cirrus guests using pre-sent Cirrus invitations
CNR-1870 Remove legacy SIS (pre-CS) from LdapSync process
CNR-1869 Remove legacy HCM sor from LdapSync process
CNR-1868 Add ucpath to LdapSync now that dev/test have prod ucpath EMPLIDs
CNR-1867 Rename ldapAffilGuestTypeSocial role to be consistent with the new string value in LDAP
CNR-1849 Add sorObjKey to registry-match-service NewSORConsumerService response log message
CNR-1874 Claim token can be used twice
CNR-1875 Trigger IHub button in CAT should send message to both CS and UCPath, if it isn't already

April 14, 2019, 8:00am

This is an update to the Slate theme of the Duo login page. Related to: CHG0032441.

CMR: CHG0032458

Services Affected

  • CAS
  • Shibboleth

April 9, 2019, 8:00pm

This is an update to a new version of the Duo websdk and includes changes to the CAS login view, to change how the Duo iframe is generated. Some users may now see the 2-Step page rendered as smaller-than-normal. See Known Issues for steps to fix this issue. CMR: CHG0032441

Services Affected

  • CAS
  • Shibboleth

April 1, 2019, 4:45pm

This code is an update to the logic BPR uses regarding UCPath messages; specifically, to ignore ActionReason 'VOI' jobs in I-280 and DDODS. CMR: CHG0032422

Services Affected

  • Berkeley Person Registry

April 1, 2019, 8:45am

This code fixes timeout exceptions when provisioning large quantities from Berkeley Person Registry to Active Directory. CMR: CHG0032419

Services Affected

  • Berkeley Person Registry
  • Active Directory

March 28, 2019, 3:00pm

This release fixes a bug in provisioning in which berkeleyEduExpDate got improperly reset for some legacy HCM former employees. CMR: CHG0032416

Services Affected

  • LDAP
  • Berkeley Person Registry

March 27, 2019, 11:00pm

With this release, we will replace the EV TLS cert for auth.berkeley.edu.  Additional alternative names will be included to support future DNS failover. CMR: CHG0032402

Services Affected

  • CAS
  • Shibboleth

March 27, 2019, 3:10pm

This CalNet release updates logic used to populate employeeNumber attribute in LDAP as well as the way CalNet looks at POIs from UCPath. CMR: CHG0032413

Services Affected

  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1851 UCPath POIs aren't getting masterActive role if their only active affiliation is UCPath POI
CNR-1852 Delete employeeNumber from LDAP if active UCPath POI/CWR but not an employee, even if active emp in legacy HCM

March 25, 2019, 10:40am

This deployment is for new code to handle new information from UCPath DDODS tables. This deployment required a restart on registry-p1, which led to a brief outage. This deployment is already complete. CMR: CHG0032404

Services Affected

  • Berkeley Person Registry

Tickets Resolved

Ticket Comment
CNR-1847 New info from UC Path: DML_INDICATOR='D' in DDODS tables indicates a DELETED row

March 25, 2019, 7:00am

In this release, we will configure DNS failover for the auth-test.berkeley.edu CAS cluster. This will allow CAS to fail over to San Diego in case of a major network or systems outage at EWH. There should be no noticeable outage; this is a transparent DNS change from the perspective of CAS clients. CMR: CHG0032379

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

March 22, 2019, 7:00am

This change is an upgrade to CAS on the test auth-test.berkeley.edu cluster to version 5.3.9. The CAS release contains minor bug fixes. This change also includes cosmetic updates to support CalNet Sponsored Guest accounts. The TLS certificate for auth-test will also be updated to add additional SAN records for DNS failover and to use an EV certificate to mirror production.

The service will be down for less than 5 minutes for a restart. CMR: CHG0032374

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

March 20, 2019, 6:00am

CalNet will begin UCPath Go-Live and reprovisioning activities on or after 3/20/2019.

During the go-live process, there may be restarts needed that will affect CalNet Admin Tool and CalNet Account Manager for ~5 minutes. Reprovisioning could cause delays in real time messaging and updates to LDAP, Active Directory and API Integration Hub.

LDAP attributes will be updated with UCPath data (most notably: employeeNumber, berkeleyEduAffID, berkeleyEduAffiliations, title codes). Users using these attributes should refer to https://ucpath.berkeley.edu/ucpath-cal/tech-talk or https://ucpath.berkeley.edu/faq/technical for additional information.

There is no planned outage for SSO, CAS, Shibboleth, or LDAP.

This change date is tentative, and may be delayed by 1 or more days if UCPath conversion is behind schedule. CMR: CHG0032350

Services Affected

  • LDAP - attributes only
  • CalNet Admin Tool
  • CalNet Account Manager

March 20, 2019, 12:00pm

During this change, legacy apps using Rails that are no longer needed and are vulnerable will be retired. CMR: CHG0032376

Services Affected

  • Manage Your Identity Applications
  • CalNet Deputy Application
  • UAS Portal

Tickets Resolved

Ticket Comment
OPS-409 Deprecate MYI/UAS - calnet-p2/net-auth-p2

March 6, 2019, 6:00pm

This release will add notices/warnings on the directory update pages hosted on calnet-p1. These warn about the potential for public exposure of addresses and phone numbers entered via the Directory Update app when published to the Campus CalNet Directory.

A brief outage of less than 1 minute will occur when the app is restarted. CMR: CHG0032344

Services Affected

  • CalNet Directory Update Application

March 6, 2019, 6:45am

This release includes code changes in support of the UC Path implementation and server patches. There will be two short outages, about one minute each, as the server is restarted. CMR: CHG0032340

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • CalNet Account Manager
  • CalNet Admin Tool
  • Active Directory
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1667 UC Path: If personal email address becomes available via UC Path, modify sor-key-data-extractor to parse out and modify registry-provisioning-scripts to provision as personal email address
CNR-1741 UC Path: Need to understand how "UCB" POIs are identified in DDODS
CNR-1785 UC Path: Gain access to the DDODS UAT instance
CNR-1801 Modify bidms-connectors to reuse same LDAP connection within a call to persist()
CNR-1803 UC Path: Integrate with the new "delete EMPLID" queue once it becomes available (yet to happen, but code is there to support it)
CNR-1805 UC Path: Quartz job to find old emplids in i-280 sor that aren't in DDODS anymore
CNR-1806 UC Path: dev DDODS hash query throwing an string concatenation exception
CNR-1809 UC Path: DDODS query needs to handle POI-only people with no jobs
CNR-1810 UC Path: The test I-371 IHub REST endpoint is not working
CNR-1811 UC Path: POI_TYPE codes have changed in DDODSQPT
CNR-1812 UC Path: There are additional CWR codes in DDODSQPT that we weren't originally given
CNR-1813 UC Path: The "send to IHub" logic needs to become more complex to support multiple IHub endpoints for CS and UC Path
CNR-1814 UC Path: last_updates subquery is causing slowness of the per-EMPLID DDODS query
CNR-1816 UC Path: Make ucPathId a recognized account claim identifier in CAM and registry-service
CNR-1817 UC Path: Create a SQL query to compare UAT active employee list with legacy HCM active employee list
CNR-1818 UC Path: Modify reg-prov-scripts to have UCPath be prioritized over legacy HCM for payroll-related LDAP attributes
CNR-1819 UC Path: In match engine, make UCPATH_DDODS<->UCPATH_INTER_PERUPD primary key pairing a canonical match
CNR-1820 UC Path: Create a view from DDODS data that only contains I-280 data elements
CNR-1821 UC Path: Look at BOTH PPS_ID and PSFT_ID for a legacy HCM external identifier
CNR-1823 UC Path is sometimes incorrectly removing the leading zero from legacy HCM identifiers
CNR-1829 UC Path: last_updates inline view has a SQL bug in it

February 27, 2019, 9:00pm

On Wednesday evening (2/27) from 9-10 pm, we will be upgrading the ShibCAS plugin on the production Shibboleth servers. Since the servers are redundant, there will be no down time while the updates happen. This service is used by any campus member logging into an external service like bConnected. CMR: CHG0032328

Services Affected

  • Shibboleth

February 27, 2019, 7:00am

This is an update to the CAS / AD password sync filter. With the implementation of AD password sync in CAS on Sunday (CHG0032283) we are seeing a high number of errors for a specific account.  This change will alter the LDAP filter to exclude the account from the sync call. CMR: CHG0032323

Services Affected

  • CAS
  • Active Directory

February 24, 2019, 8:00am

We will upgrade CAS on the production auth.berkeley.edu cluster to 5.3.7. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-53-upgrade for more information. CMR: CHG0032283

Notable Changes Include

  • CalNet AD password synchronization
  • Improved surrogate/impersonation support for SPAs
  • Support for social guests
  • Accessibility improvements

Services Affected

  • CAS
  • Shibboleth

February 21, 2019, 6:00pm

We will reconfigure the httpd TLS settings on calnet.b.e and net-auth.b.e to follow OWASP recommendations for TLS security. A brief outage of less than 1 min will happen as the web servers are restarted. CMR: CHG0032301

Services Affected

  • Directory Update App
  • krbservice

February 17, 2019, 9:00am

In this release, we will extend the berkeleyEduPerson object class to include a new attribute named berkeleyEduUCPathID.  After conversion to UCPath, the berkeleyEduHCMID will contain the deprecated employee id.  Both berkeleyEduUCPathID and employeeNumber will contain the UC Path employee id. CMR: CHG0032274

Services Affected

  • LDAP

February 13, 2019, 7:00am

We will replace the certificate on the test/QA CAS instance (auth-test.berkeley.edu) to update the subject alternative names in preparation for DNS failover testing.  There will be a brief outage while CAS is restarted, from 7am-7:10am. CMR: CHG0032291

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

February 11, 2019, 9:00am

This release is an upgrade of the CAS test/QA service definition files to the latest format to prepare for the CAS 5.3.7 upgrade in prod later this month. 

We will also implement a new default authorization policy on CAS applications that have not registered with the CalNet team. The default authorization will enforce that any non-registered applications are restricted to student, staff, faculty and valid HCM affiliates. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-default-auth... for more information. CMR: CHG0032273

January 31, 2019, 8:00am

This release is the retirement of the nds.berkeley.edu LDAP service. CMR: CHG0032216.  All customers should use ldap.berkeley.edu as the primary LDAP service and ldap-test.berkeley.edu for test/qa purposes.

On October 31, 2018 ldap.berkeley.edu was upgraded to the latest directory server software, which is a major upgrade from nds.berkeley.edu.  With that service stable we are now retiring the legacy LDAP service.

If your service depends on LDAP, you can test the performance and functionality of the latest software using either ldap.berkeley.edu or ldap-test.berkeley.edu.  It is highly recommended that you test your applications as soon as possible and report any issues to calnet-admin@berkeley.edu.

If your application or TLS/SSL libraries do not accept the ldap.berkeley.edu certificates as trusted see this resource for developers.


January 3, 2019, 6:00pm

This is an emergency release primarily to address a regression bug affecting some accounts with conflicting affiliations. CMR: CHG0032199

Notable Changes Include

  • Fix for employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time
  • Add LDAP mail attribute for social guests
  • Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.

Services Affected

  • Registry Service
  • Registry Provisioning
  • Cirrus Guest App
  • CalNet Account Manager
  • CalNet Guest Accounts

Tickets Resolved

Ticket Comment
CNR-1800 LDAP mail attribute with cirrus/social guests user email address
CNR-1804 Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.
CNR-1807 Employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time.
CNR-1808 Add additional exception handling in provisionUid and provisionUidBuilk (related to CNR-1804)