CalNet Releases

CalNet operates a complex suite of applications that support the Identity and Access Management functions of the University.  As technology is updated throughout the CalNet portfolio, updates will appear on this page.  

If you support technology that depends on CalNet tools, this is the best place to look to understand if something in the CalNet technology stack has changed and how it could be affecting your services. You can also sign up to receive notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases and click JOIN.

Upcoming Releases

March 23, 2023, 7 pm

This release involves patching of Red Hat Enterprise Linux servers to address errata published by Red Hat.  This includes bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we will apply patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036457

Services Affected:

  • CAS
  • Grouper
  • LDAP
  • Shibboleth

Recent Releases

March 16, 2023, 7 pm

This release upgraded our SAML IdP from 4.2.1 to 4.3.0 to address minor security vulnerabilities and ensure we are on the latest version. No outage was expected. CMR: CHG0036456

Services Affected:

  • Shibboleth

March 15, 2023, 7 am

This release moved the current CalNet Directory Update application to a new host to help decommission the existing host. This involved a temporary redirect of the current http://directory.berkeley.edu "Update your listing" link to the new URL. We requested that Public Affairs update that link at their leisure once we were confident the new host was working as expected with the temporary redirect. CMR: CHG0036451

Services Affected:

  • CalNet Directory Update Application

March 12, 2023, 7 am

This release included changes to the underlying algorithm for storing hashed passwords for LDAP service accounts in ldap.berkeley.edu. CMR: CHG0036431

Services Affected:

  • LDAP 

March 2, 2023, 7 pm 

This release included a configuration and restart for the new Cirrus API key. There was a brief outage associated with this release. CMR: CHG0036421

Services Affected:

  • Cirrus

February 9, 2023, 1 pm

This release involved an enhancement/bug fix release for the CalNet BIDMS application suite. CMR: CHG0036376

CNR-2232: Improve the access denied error message for SPAs
CNR-2242: Fix AD error when locking expired people
CNR-2243: Remove unneeded reconciliation page cache
CNR-2250: Add clarifying log entries about AD passphrases when locking accounts
CNR-2251: Expand list of reserved CalNetIDs to align with bConnected
CNR-2252: Fix recognition of certain AD errors in setting passphrase
CNR-2253: (Test environment) Fix GreenMail plugin
CNR-2255: Fix displaying error message when invalid identifier type is selected on passphrase reset page
CNR-2256: Cirrus is requesting new credentials for their API endpoint

Services Affected:

  • Special Purpose Accounts
  • Active Directory (AD)

January 29, 2023, 7 am

This release performed maintenance recommended by our vendor to address some lingering error messages in our logs.  The process was to reset the 'generation ID' of our replication domain to ensure any stale entries were not replicated. CMR: CHG0036342

Services Affected:

  • LDAP

January 23, 2023, 5 pm

This release applied a required certificate update on the Apache ActiveMQ server used by CalGroups and the Berkeley Person Registry. CMR: CHG0036289

Services Affected:

  • CalGroups
  • Berkeley Person Registry

January 10, 2023, 5 pm

This release involved cadds enhancements to the BIDMS lock API that is needed for locking accounts in large batches. CMR: CHG0036286

Services Affected:

  • CalNet Admin Tool (CAT)
  • LDAP
  • CalGroups API

November 13, 2022, 8 am

This release completed the upgrade of the EWH CalNet LDAP infrastructure to DS 7.2. This impacted LDAP services use by CAS, WiFi, and various other services across campus.  No impact to applications or customers is expected.  CMR: CHG0036096

Services Affected:

  • LDAP
  • CAS
  • Wifi Services

November 6, 2022, 8 pm

This release included an upgrade of the SDSC CalNet LDAP infrastructure to DS 7.2. This impacted the dir-auth-os.calnet.berkeley.edu VIP which is used by CAS services hosted at SDSC primarily for failover.  No impact to applications or customers expected.  CMR: CHG0036095

Services Affected:

  • LDAP
  • CAS
  • Berkeley Person Registry

October 20, 2022, 7 pm

This release included enhancements and bug fixes to Berkeley Person Registry and SPA provisioning. There may be a brief outage to Berkeley Person Registry and associated applications while the server restarts.  CMR: CHG0036067

Services Affected:

  • Berkeley Person Registry
  • Special Purpose Accounts (SPAs)
  • Active Directory (AD)

October 3, 2022, 5 pm

This release changed the ways that Special Purpose Accounts were provisioned to Berkeley Person Registry. No outage or impact to SPA users. Users of the CalNet Admin Tool noticed that SPAs have accurate status after this release. CMR: CHG0035986

Services Affected:

  • Berkeley Person Registry
  • CalNet Admin Tool

September 7, 2022, 7 pm

This release contained enhancements and bug fixes for CalNet identity management applications. CHG0035940

Services Affected:

  • CalNet Account Manager
  • LDAP
  • Provisioning

August 12, 2022, 11:00 am

This release was a debug for the recaptcha for account claiming. CHG0035872

Services Affected:

  • CalNet Account Manager
  • CHG0035940

August 10, 2022, 7:30 pm

This release was a minor configuration change to the Shibboleth IDP that requires a restart of the servers. There was no outage. CHG0035859

Services Affected:

  • Shibboleth

August 10, 2022, 7:00 pm

This release contained enhancements, bug fixes and dependency upgrades. Also with this release, expired Cirrus guests were moved to ou=Expired. CHG0035821

Services Affected:

  • Cirrus Sponsored Guests
  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry
  • Account provisioning

July 1, 2022, 3:00 pm

In this release, we patched CAS from the current version (6.5.4) to the latest version (6.5.6) to address a potential security vulnerability.CMR: CHG0035722

Services Affected:

  • CAS

July 1, 2022, 12:00 pm

On July 2, new department numbers will begin to flow from UCPath to Berkeley Person Registry to CalGroups and LDAP. CalGroups admins will need to make changes to their authorization / communication groups after July 2 to use the new groups. We will remove the old groups after July 15. CMR: CHG0035712


June 30, 2022, 9:00 am

We enabled the device management portal in the "new" Duo Prompt for applications using CalNet SSO. This allows users to add/remove 2-Step devices directly from the CAS/Duo prompt rather than having to use the legacy portal from https://mycalnet.berkeley.edu. The legacy portal will continue to work. This change added a menu item to the "Other Devices" option when the user is going through the 2-step process. The documentation here was updated: https://calnetweb.berkeley.edu/calnet-2-step/how-enroll-device. There was no planned outage associated with this release. CMR: CHG0035675

Services Affected:

  • CalNet 2-Step Authentication
  • CAS

June 7, 2022, 5:30 am

We patched CAS from the current version (6.5.2) to the latest version (6.5.4) to apply a bug-fix required to implement new functionality.  There was no planned outage associated with this release. CMR: CHG0035622

Services Affected:

  • CAS

May 24, 2022, 7:00 pm

We upgraded the production Shib IDP servers from 4.0.x to 4.1.x.  There was no planned outage associated with this release. CMR: CHG0035500

Services Affected:

  • Shibboleth

April 5, 2022, 8:00 pm

In this release, we enabled the Duo Universal Prompt which changed how Duo looks and behaves. https://calnetweb.berkeley.edu/news/new-changes-duo-browser-workflow. In addition, we upgraded CAS on the production auth.berkeley.edu cluster to 6.5. CMR: CHG0035435

Services Affected:

  • CalNet 2-Step Authentication

April 1, 2022, 1:00 pm

This release was patching for our production Shib clusters and upgrading Tomcat to the latest version. All other Shib environments were patched with latest versions. CMR: CHG0035451

Services Affected:

  • Shibboleth

March 31, 2022, 11:45 am

This release included patching our production CAS clusters.  All other CAS environments were patched with latest versions. CMR: CHG0035449

Services Affected:

  • CAS

March 31, 2022, 8:00 am

This release included patching for our backend services with the latest version of Spring, and changing the Java version our frontend is running. CMR: CHG0035448

Services Affected:

  • Berkeley Person Registry
  • Account Provisining
  • CalNet Admin Tool
  • CalNet Account Manager

March 24, 2022, 10:00 am

This emergency release fixed a bug that prevented CalNet accounts from expiring when they should. CMR: CHG0035425

Services Affected:

  • Berkeley Person Registry
  • LDAP

March 22, 2022, 7:00 pm

This release included additional tracking of UCPath primary jobs and a bug fix. CMR: CHG0035401

Services Affected:

  • Berkeley Person Registry
  • Account Claiming

March 22, 2022, 7:00 pm

In this release, we changed the firewall configuration for the CalNet LDAP cluster dedicated to authentication services.  CMR: CHG0035405

Services Affected:

  • LDAP
  • Firewall

February 17, 2022, 7:00 pm

In this CalGroups change, we refactored 2-Step groups and also added a new feature for some admins in CalGroups to view alumni both in their groups and in their searches. 2-Step users should not notice the change. CMR: CHG0035296

Services Affected:

  • CalGroups
  • CalNet 2-Step

February 17, 2022, 7:00 pm

This was a major upgrade of the identity management system that does data intake, identity matching, account provisioning, web services and data writing to LDAP and Active Directory. The significant changes can be summarized as: A refactoring onto the latest Spring Boot framework (numerous code changes as a result), an upgrade to using latest dependency libraries, an upgrade to using latest Java 17 LTS, an upgrade to the Tomcat 9 application server, and moving to new, upgraded virtual machines running RedHat. There was a short planned outage associated with this release. CMR: CHG0035238

Services Affected:

  • Berkeley Person Registry
  • CalNet Admin Tool 
  • CalNet Account Manager

January 30, 2022, 9:00 am

We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. During this cycle we also upgraded our Nginx proxy servers. There was a short outage of bpr.calnet.berkeley.edu that affected CAT and CAM while that host rebooted. CMR: CHG0035220

Services Affected:

  • Berkeley Person Registry
  • CalNet Admin Tool 
  • CalNet Account Manager
  • CAS
  • Shibboleth
  • CalGroups
  • LDAP

December 21, 2021, 7:00 pm

We patched the Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. There was a short outage of bpr.calnet.berkeley.edu thereby affecting CAT and CAM while that host rebooted. CMR: CHG0035116

Services Affected:

  • Berkeley Person Registry
  • CAS
  • Grouper
  • LDAP
  • Shibboleth

December 2, 2021, 7:00 pm

In this release, CalNet is updating email templates used for account locking and for Stu-Delegate account creation. CMR: CHG0035062

Services Affected:

  • Berkeley Person Registry
  • Account Claiming

November 30, 2021, 7:00 pm

The CalNet team is implementing an emergency change. The IP address of shib.berkeley.edu will change. CMR: CHG0035046

IMPORTANT: If you currently enforce outbound firewall rules for web traffic, you must add an additional allow rule for the new Shibboleth virtual IP:

  • Port: 443

  • IP: 169.229.54.216

Services Affected:

  • SAML-based logins (bMail, ServiceNow, Adobe)

October 15, 2021, 6:00 am

We configured all Duo integrations to remove the phone callback option by default.  Existing telephone users were not impacted and were required to fill out an exception by January 12, 2022.  After January 12, 2022 only users with an exception / valid business case for using telephone with Duo are allowed to use the feature. There was no planned outage associated with this release. CMR: CHG0034869

Services Affected:

  • CalNet 2-Step Authentication

October 10, 2021, 8:30 am

We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. There was a short planned outage for CAT/CAM within the release window. CMR: CHG0034879

Services Affected:

  • Shibboleth
  • LDAP
  • Berkeley Person Registry
  • CAS
  • Grouper
  • CalNet Admin Tool 
  • CalNet Account Manager

September 25, 2021, 6:00 am

The CalNet Postgres databases will be upgraded by the campus database team. This will result in an outage of some CalNet services of approximately 90 minutes. CalNet logins will not be impacted during this outage. CMR: CHG0034838

Services Affected:

  • CalNet Account Manager (including account claiming, changing passphrase or ID and managing 2-Step)
  • CalNet Admin Tool
  • Berkeley Person Registry
  • CalGroups
  • The identifiers web service used by CalCentral and iHub

September 1, 2021, 7:00 pm

We deployed code changes for CalNet Identity Management. There was a short planned outage for a few minutes within the release window. CMR:CHG0034797

Services Affected:

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool
  • Account Claiming

August 8, 2021, 6:00 am

We upgraded CAS on the production auth.berkeley.edu cluster to 6.3. This version of CAS is required to maintain support and future product enhancements and security patches. Other enhancements include: support for TLSv1.3, improved support for SAML and OIDC, support for newer Duo prompt, various upgrades to system software including Java, Tomcat, and Nginx. There was a planned outage associated with this release. CMR:CHG0034740

Services Affected:
  • CAS
  • Shibboleth

July 29, 2021, 6:45 pm

The CalNet Admin Tool got an update allowing support staff to use the Duo Application for user verification. There was a planned outage associated with this release. CMR:CHG0034736

Services Affected:
  • CalNet Admin Tool
  • CalNet Account Manager
  • Berkeley Person Registry

July 22, 2021, 7:00 pm

We updated CAT/CAM to implement a compatibility change for CAS 6 and Slate delegated logins. There was a brief outage while the server restarted. CMR:CHG0034593

Services Affected:
  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

June 17, 2021, 7:30 pm

This release included changes to identifierTypes, changes to the no recovery email address screen in CalNet Account Manager, and changes to roles in CalNet Admin Tool. There was a planned outage associated with this release. CMR: CHG0034593

Services Affected:

  • CalNet Admin Tool
  • CalNet Account Manager
  • Berkeley Person Registry

May 24, 2021, 11:05 am

Starting at approximately 11:05 am some clients may have seen errors when trying to log into a CAS-protected application. The issue was resolved fully by 12:36 pm. The java process running the Tomcat web application server had more open file handles than allowed by the operating system. In trouble-shooting we found that the CAS process opens that script for every user log in to the service, but never closes the file handle. Over the course of approximately 30 days the number of opened files for that process grew above the hard limit set by the OS. There was an unplanned outage associated with this release which took place intermittently across the release window. CMR: CHG0034546

Services Affected:

  • CAS

May 20, 2021, 7:00 am

The majority of the remaining deprecated attributes definitions (objectClasses and attributeTypes) were removed. These attributes are no longer maintained and have been marked for removal for several years. The list of attributes that were removed can be found at https://calnetweb.berkeley.edu/calnet-technologists/ldap-directory-servi.... There was no planned outage associated with this release. CMR: CHG0034495

Services Affected:

  • LDAP

May 20, 2021, 5:00 am

We configured DNS failover for the ldap.berkeley.edu cluster.  This allows the service to automatically fail over to San Diego in case of a major network or system outage at EWH. There was no planned outage associated with this release. CMR: CHG0034507. 

Services Affected:

  • LDAP

May 19, 2021, 7:00 pm

We issued a new certificate for the ldap cluster at ldap.berkeley.edu in preparation for enabling automated failover to our SDSC data center the following morning. We quiesced traffic to each node in turn to update the certificate. There was no planned outage associated with this release. CMR: CHG0034514. 

Services Affected:

  • LDAP

May 5, 2021, 9:00 pm

This change allows campus postdocs to have a longer grace period. There was no planned outage associated with this release. CMR: CHG0034476

Services Affected:

  • Berkeley Person Registry

May 2, 2021, 6:00 am

We changed the load balancing direct routing method used by ldap.berkeley.edu to stop using ARP tables and instead use iptables. The ldap.berkeley.edu cluster configuration for direct routing was not working as intended. Some applications were experiencing loss of connectivity to ldap when we performed maintenance that should otherwise be transparent. This change was intended to correct this issue and allow us to perform maintenance without impacting customers in the future. There was a planned LDAP outage of 10 minutes within the release window. CMR: CHG0034444

Services Affected:

  • LDAP

April 25, 2021, 6:30 am

We patched Red Hat Enterprise Linux servers to address errata published by Red Hat.  This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition, we applied patches as needed from custom repositories for Zabbix and Duo. We patched to address OS bugs and vulnerabilities.  There was a 5 minute outage for Manage My CalNet while that system rebooted. CMR: CHG0034443

Services Affected:

  • BPR systems
  • CAS
  • Grouper
  • LDAP
  • Shibboleth

April 21, 2021, 9:00 am

We issued a new certificate for the ldap cluster at ldap.berkeley.edu in preparation for enabling automated failover to our SDSC data center. We quiesced traffic to each node in turn to update the certificate.  Application owners and developers using non-system keystores should ensure they are only referencing the root and intermediate certificates, and not the leaf node. There were no planned outages associated with this release.  CMR: CHG0034209

No Services Affected


April 15, 2021, 7:00 pm

We upgraded the SDSC production Shibboleth servers to the same version we are now running in EWH. We did a quick failover test to confirm them afterwards. There were no planned outages associated with this release.  CMR: CHG0034424. 

Services Affected:

  • Shibboleth

March 31, 2021, 7:00 pm

We have upgraded the Shibboleth IDP to version 4x in order to stay current with the most recent release. There were no planned outages associated with this release.  CMR: CHG0034375

Services Affected: 

  • Shibboleth

March 22, 2021, 7:00 pm

This CalNet release included changes to the CalNet Account Manager Forgot Passphrase tool and added additional functionality to handle Potential Hire Academic POIs from UCPath. There was a brief outage during the specified release window. CMR: CHG0034359

Services Affected:

  • CalNet Account Manager
  • Berkeley Person Registry 

March 4, 2021, 6:30pm

CalNet restarted registry-p1 Tomcat for a DDODS database host change. There was a brief outage during the half-hour release window.  CMR: CHG0034321

Services Affected:

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

February 23, 2021, 6:00 am

We replaced the certificate on the CAS instance (auth.berkeley.edu). The new certificate has a different issuer. We deprecated the Extended Validation certificates in favor of standard InCommon SHA-2 certificates. Certain applications, such as those using Java key stores or other non-operating system certificate stores, may require providing the root certificate in addition to the intermediate certificates. Obtain certificates from a trusted source like the certificate store on your local computer or directly from the Root CA. There were no planned outages associated with this release.  CMR: CHG0034268

Services Affected: 

  • CAS

February 11, 2021, 7:00 am

We replaced the certificate on the test CAS instance (auth-test.berkeley.edu). The new certificate has a different issuer. We deprecated the Extended Validation certificates in favor of standard InCommon SHA-2 certificates. Certain applications, such as those using Java key stores or other non-operating system certificate stores, may require providing the root certificate in addition to the intermediate certificates. Obtain certificates from a trusted source like the certificate store on your local computer or directly from the Root CA. There were no planned outages associated with this release.  CMR: CHG0034267

Services Affected: 

  • CAS

January 1, 2021, 9:00 am

We increased LDAP replication retention from 3 days to 5 days to ensure changes made while EWH DC is unavailable are retained in the event that the outage is longer than expected. These changes were pushed to LDAP-test on December 21, 2020. There were no planned outages associated with this release.  CMR: CHG0034176

Services Affected

  • LDAP

December 21, 2020, 8:00 am

We removed the deprecated attribute values from CalNet LDAP directory (access to these attributes was revoked on Oct 29th). A list of those attributes can be found at https://calnetweb.berkeley.edu/calnet-technologists/ldap-directory-servi.... There were no planned outages associated with this release. CMR: CHG0034140

Services Affected

  • LDAP

December 3, 2020, 6:30 pm

We changed the production DDODS connection string, no longer recognizing academic potential hire POI type, and changed how effective rows are calculated from DDODS POI table. There was a brief outage that occurred between 6:30pm - 7:00pm. CMR: CHG0034129

Services Affected

  • Berkeley Person Registry

November 30, 2020, 7:00 pm

We had about 1200 old-style departmental accounts that were expired. We moved them from ou=people to ou=expired people in LDAP. We have made attempts to contact these account owners, but there may still be some users who are using these old-style accounts. If that is the case, then we can roll back the change for that particular account. There was no planned outage associated with this release. CMR: CHG0034115

Services Affected

  • LDAP

November 30, 2020, 6:30 pm

We have set up new servers for the SPA Admin app. CNAME changes for the idc.berkeley.edu will point to these new servers. We added a new server name, spa.berkeley.edu, that idc.berkeley.edu will redirect to. This release included a planned outage, however the outage was momentary, and only impacted users logged in at that moment. If users were using the application at that time, they needed to refresh their browser. CMR: CHG0034119

Services Affected

  • SPA Admin Application

November 30, 2020, 6:00 pm

To make it easier to determine if one has the current person when adding a member to a group in CalGroups, we added more attributes to the display value for member lookups. Previously, it was displayName. It was changed to uid - displayName - department name or "non-FSA". This release included a planned outage, however the outage was momentary, and only impacted users logged in at that moment. If they were using the application at that time, they needed to refresh their browser. For more information regarding this release, please click here. CMR: CHG0034116

Services Affected

  • CalGroups

November 17, 2020, 8:00 pm

Informational Update - in this release, the Windows and bConnected teams switched the authentication page from ADFS to CAS for some campus services (eg Sharepoint). This release included a planned outage, however the outage was less than a minute and only impacted authentication attempts for applications using ADFS during that minute. CMR: CHG0034088

Services Affected

  • CAS
  • Sharepoint
  • O365
  • Azure
  • ADFS

November 12, 2020, 10:00 pm

We are pointing BPR to a different back-end LDAP cluster. This required a server restart. There was a planned outage for 5 minutes during the 60 minute time frame of this release. CMR: CHG0034016

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry 

November 8, 2020, 9:00 am

We brought two new LDAP hosts online to replace our remaining RHEL6 LDAP hosts.  These hosts are dedicated to the BPR application but participate in the multi-master synchronization topology for all production LDAP servers. There was no planned outage associated with the release. CMR: CHG0034014

Services Affected

  • LDAP

October 29, 2020, 7:00 pm

SPAs were showing up in departmental groups in CalGroups after the recent changes. Since these departmental groups are employee groups, we removed the SPAs from these groups. There was no planned outage associated with the release. CMR: CHG0034037

Services Affected

  • SPA Admin Application
  • CalGroups

October 29, 2020, 7:00 am

We removed access to the CalNet LDAP/directory deprecated attributes. Those attributes can be found at https://calnetweb.berkeley.edu/calnet-technologists/ldap-directory-servi...There was no planned outage associated with the release. CMR: CHG0033993

Services Affected

  • LDAP

October 17, 2020, 9:00 am

We made modifications to SPA group names to allow both the group and the SPA to be added to groups. Multiple application owners would like to add SPAs to their groups since the accounts show up in their account list rather than the personal account.

Services Affected

  • CalGroups
  • LDAP
  • SPA Admin Application
  • CalNet AD

September 25, 2020, 2:00 pm

We updated the language found at mycalnet.berkeley.edu. This required a restart of CalNet Account Manager, so account claiming, passphrase resets, and other CAM functions were briefly unavailable. 

Services Affected

  • CalNet Account Manager

September 19, 2020, 9:00 am

We made changes to property files in production Shibboleth by adding a new scripted attribute for the Library. CMR: CHG0033929

No Services Affected


September 19, 2020, 7:00 am

We reconfigured the LDAP cluster to use a different type of load balancing. This will enable us to track remote client IPs better. CMR: CHG0033928

Services Affected

  • LDAP

September 10, 2020, 7:00 pm

We renewed the certificate for the ldap cluster at ldap.berkeley.edu before it expires. We quiesced traffic to each node in turn to update the certificate.  Application owners and developers using non-system keystores should ensure they are only referencing the root and intermediate certificates, and not the expiring leaf node.  CMR: CHG0033895

No Services Affected


September 9, 2020, 7:00 am

We reconfigured the offsite LDAP clusters used for Shibboleth/CAS DR as well as general LDAP services to use a different type of load balancing. This enables us to track remote client IPs better.  CMR: CHG0033896

Services Affected

  • LDAP at SDSC

September 2, 2020, 9:00 am

CalNet shutdown the CalAccess service at https:/idc.berkeley.edu/ca since the application is no longer in use.  CMR: CHG0033880

No Services Affected


September 1, 2020, 10:30 am

We moved CalNet's Production Shared Services AWS account from the current AWS organization to the newer control tower-enabled central payer account organization.   CMR: CHG0033881

No Services Affected


September 1, 2020, 7:00 am

CalNet will remove approximately 50 unused and deprecated attributes from the berkeleyEdu objectclass(es) and delete the attribute definitions from the schema. We will be applying this change to LDAP Test on August 11th. CMR: CHG0033825

Services Affected

  • LDAP

September 1, 2020, 7:00am

The passphrase complexity changes scheduled for August 17 have been rescheduled to September 1, 7am. 

CalNet is updating the passphrase complexity requirement standards. Updated password complexity requirements will only affect *newly* created accounts or passphrases changed after the implementation. CMR: CHG0033821

Services Affected

  • BPR
  • CalNetAD

July 23, 2020, 7:30 am

Updated the certificate for the CalNet ActiveMQ instance because it was due for renewal. CMR: CHG0033781

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

July 22, 2020, 8:00 pm

Removed the "Entity not found" entries from CalGroups. Entity not found entries in CalGroups are of two types. They are from either ou=expired or ou=advcon. We will remove those from ou=expired from all groups. We cleaned-up the advcon entries from any official groups, but not app or org groups. CMR: CHG0033797

Services Affected

  • CalGroups

July 8, 2020, 7:00 am

We are making updates to the LDAP schema in preparation for the new CalNet Directory Update tool.  This includes modifications that should only be visible to internal CalNet processes. 

CMR: CHG0033749

No Outages 


July 4, 2020, 7:00 am

Additional settings to ensure a secure operating system.  These settings have already been applied to the production CAS systems since April and have been in our test environment for a month.  There will be a 10-minute outage of BPR while the server restarts after patching.  Other services are load-balanced and no outage is expected. CMR: CHG0033719

Services Affected

  • BPR / CalNet Account Manager
  • Shibboleth
  • CalGroups
  • Manage My Keys
  • LDAP 

July 1, 2020, 6:30 am

The PostgreSQL instance 'calnetbprprod' was migrated to a new RHEL7 VM dba-postgres-prod-55, as the RHEL6 VMs will soon be out of support. This database supports Calnet-BPR/IDM application.  CMR: CHG0033740

Services Affected

  • BPR / CalNet Account Manager
  • CalNet Admin Tool 

May 25, 2020, 7:30 am

We have upgraded CalGroups production servers to Grouper version 2.4. CMR: CHG0033624

Services Affected

  • CalGroups 

May 23, 2020, 8:00 am

This change updates the CAS configuration to allow the release of the mail attribute for Sponsored Guests. CMR: CHG0033623

Services Affected

  • LDAP
  • CAS
  • CalNet Sponsored Guests 

May 14, 2020, 6:00pm

This release includes the following bug fix and feature enhancements, and will include a brief outage (less than 5 minutes) of BPR apps while the servers restart. CMR: CHG0033589

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool
  • CalNet Namespace
  • Berkeley Person Registry

Tickets Resolved

TicketComment
CAT-172 Add Status and Expiration Date to CAT
CNR-2011  Changes to ou and berkeleyEduExpDate calculation for some students
CNR-2013  New Changes to Account Locked Emails
CNR-2010 User with CAT Role: ROLE_IHUB_TRIGGER is not able to trigger iHub message
CNR-2012 Create new person info registry-service endpoint for Directory Update app

April 29, 2020, 9:55pm

This release will change the method of download for the InCommon Metadata. We have been doing nightly downloads of the entire list of InCommon SPs. A new method, Metadata Query service (MDQ), allows us to only download the SPs we need to access.
We will also begin the IDP cert change process. It involves adding the replacement cert to the metadata along with the original cert, allowing time for SPs to pick up the new cert, and eventually removing the original cert from the metadata. CMR: CHG0033559

Services Affected

  • Cloud based services including bConnected
  • Shibboleth

April 28, 2020, 7:16am

This release is the removal of assured replication from the CalNet LDAP replication domains.CMR: CHG0033523

Services Affected

  • LDAP

April 28, 2020, 7:16am

This release applies additional OS security settings to our systems. This change is to configure the level 1 and 2 CIS benchmark settings.CMR: CHG0033480


April 17, 2020, 2:08pm

This release updates BPR and changes the managing of expired STU-DELEGATEs. When a student affiliation is expired, the delegate's stu-delegate affiliation will also expire.
When a student has extended SIS access, the delegate's affiliation should expire when the student's extended SIS access affiliation expires. There is no grace period for STU-DELEGATE affiliations. CMR: CHG0033488

Services Affected

  • BPR

April 14, 2020, 6:44am

This release will enable hostname whitelisting to the CAS Duo integration in production. This was done for auth-test several months ago.CMR: CHG0033474
Services Affected

  • CAS

April 3, 2020, 8:55am

This release adds an additional cipher to our LDAP servers' configuration to support older hosts using openssl.CMR: CHG0033453
Services Affected

  • LDAP

March 18, 2020, 6:30pm

This release disables TLS 1.0 and 1.1 so that clients/integrations must use at least TLS 1.2.CMR: CHG0033356
Services Affected

  • BPR
  • CalNet Account Manager
  • CalNet Admin Tool
  • CalGroups
  • CAS
  • LDAP
  • Shibboleth

 March 18, 2020, 6:30pm

In this release, we will be applying a text change to the Berkeley Person Registry (BPR), specifically the CalNet Account Manager. Most public-facing BPR functions, like the CalNet Account Manager and CalNet Admin Tool, will be offline for a minute or two while the server restarts. CMR: CHG0033431

Services Affected

  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

March 16, 2020, 6:00am

This release is the removal of the expiring AddTrust root certificate is in the SSL template used for the EWH CAS load balanced VIP. CMR: CHG0033399


March 3, 2020, 9:30pm

We will be changing the source for the org tree data found in production LDAP on Wednesday 3/4 from 9:30 - 10. There is no expected downtime. CMR: CHG0033388


March 3, 2020, 9:00pm

We will change the certs for IDC servers on Wednesday 3/4 at 9 pm (30 min window). There will be no downtime, as the servers are HA. The services, SPA admin and Manage My Keys, will continue to be accessible during the change. CMR: CHG0033387


March 3, 2020, 5:30pm

This code release for Berkeley Person Registry includes Grails upgrade, modifications to logic, and bug fixes. CMR: CHG0033384

Tickets Resolved

Ticket Comment
CNR-1990 Upgrade to Grails 3.3.11
CNR-1989 Upgrade Grails Spring Security plugin to 3.3.1
CNR-441 Implement security on ucb-match and registry-match-service
CNR-1992  Modify match engine and match service configurations to use auth
CNR-1984 Restrict length of new CalNetIDs to 19 characters
CNR-1987  Change CalnetID requirements page to show max of 19 instead of 20
CNR-2003 Content change for source for i371 requests sent to iHub
CNR-1995  User is active but should not be

February 27, 2020, 8:00pm

This release is an upgrade of CAS (auth.berkeley.edu) to 5.3.15.  It includes minor bug fixes as well as CalNet specific changes to improve some error messages as well as an updated URL for forgotten passphrases. No outage is expected. CMR: CHG0033329


February 19, 2020, 8:00pm

This release changes the way that Special Purpose Accounts are provisioned. We will no longer be using OpenIDM. No downtime is expected. CMR: CHG0033331


February 18, 2020, 7:00am

At 7am on Tuesday, Feb 18, we will enforce AuthZ on CAS-enabled applications using the wildcard (*.berkeley.edu) registration. The purpose of this change is to ensure that, by default, only CalNet users with 2-step verification are permitted to authenticate. This includes all active and in-grace students, employees and affiliates, logging in as themselves or using SPAs or rSPAs. CMR: CHG0033199

See https://calnetweb.berkeley.edu/calnet-technologists/single-sign/cas/cas-... for more information.


February 13, 2020, 7:00am

This release is an update of the certs for CalGroups. There will be no downtime. CMR: CHG0033332


January 28, 2020, 7:30am

A new version of CAS (5.3.15) will be released to auth-test on January 28. The update includes:

  • Update to the forgot CalNet ID or passphrase link on the CAS screen
  • Add 2-step help link and better language to the MFA error page
  • Various minor fixes in the base CAS project

December 17, 2019, 8:00pm

This release is a certificate update for bpr.calnet.berkeley.edu. There will be a brief outage of BPR as the service restarts. CMR: CHG0033161

Services Affected

  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

December 6, 2019, 5:30pm

This release includes bug fixes and feature enhancements to Berkeley Person Registry, CalNet Admin Tool and CalNet Account Manager. CMR: CHG0033126

Services Affected

  • CalNet Account Manager
  • LDAP
  • CalNet Admin Tool
  • CalNet Namespace
  • Berkeley Person Registry

Tickets Resolved

Ticket Comment
CAT-162 UIDOld and UIDOldConsolidationDate not getting written in consolidation
CAT-169 Namespace folders do not get moved from expired records in LDAP upon consolidation
CAT-170 ConsolidationDate and CalNetUidOld do not get written
CNR-1961 Detect and delete VOID VOID records
CNR-1962 Change Locked Account Email
CNR-1969 Update passphrase requirements text
CNR-1975 problem with BUSN email getting to UCPath
CNR-1978 Multiple new SORObjects partially matching to a UID
CNR-1979 Change the Rank Order used for Names from SORs
CNR-1980 Fix hash code bug when two DDODS email addresses swap PREF_EMAIL_FLAG values.
CNR-1981 Recognize PREF_EMAIL_FLAG='N' UCPath emails.

December 4, 2019, 9:00pm

This release retires the legacy CalNet Guest application. CMR: CHG0033137

Services Affected

  • CalNet Guest application

Tickets Resolved

Ticket Comment
CG-187 Retire Legacy Guest App

November 21, 2019, 8:30am

We will be launching the process that enables the policy of requiring an employee as part of a SPA user group starting Thursday morning, Nov. 21 at 8:30 am. There is no down time. 

Services Affected

  • Special Purpose Accounts

November 21, 2019, 7:00am

We are making two changes to our LDAP access logs.

1. Add milliseconds to the timestamp format. 
2. Switch to a combined log format to simplify log parsing and reduce log size.

Services Affected

  • LDAP

November 15, 2019, 8:00am - November 22, 2019

We will decommission net-auth-p1 and calnet-p2 servers.

Both servers will be powered off and then deleted after 7 days.

Services Affected

  • Open IDM
  • SPA Admin App

November 13, 2019, 9:00pm

We need to restart openidm on idm-p1 to remove a dependence on the krbservice/net-auth. The service affected is the SPA Admin app which is available to employees only.  2 minute outage of SPA App expected. CMR: CHG0033079

Services Affected

  • Open IDM
  • SPA Admin App

November 12, 2019, 7:00am

We will update CAS registrations to specifically ensure sponsored guests cannot access services that have not directly been enabled for sponsored guests by the application owner.  In some cases it is possible for a sponsored guest who has an existing and valid SSO session to access an application that has not specifically been enabled for guest access.  This is due to an issue in CAS that affected the migration of service registrations and was fixed in the last CAS upgrade. CMR: CHG0033075

Services Affected

  • CAS

October 29, 2019, 8pm

We will upgrade CAS (auth.berkeley.edu) to 5.3.12.1 and Tomcat server to 8.5.46.  Both contain numerous bug and security fixes.  Hazelcast is bundled with CAS and will receive a version bump as well. Auth-test and auth.berkeley.edu will be upgraded as follows:

Monday, 10/7 @0800 - Implement in auth-test.berkeley.edu
Tuesday, 10/29 @2000 - Implement in auth.berkeley.edu

We encourage developers to test their applications thoroughly against https://auth-test.berkeley.edu.  A separate announcement will be sent for the production upgrade toward the end of October. CMR: CHG0032985

Services Affected

  • CAS

October 24, 2019, 9:00pm

This release is a minor change to the idc.b.e/mmk app. We are removing the user defined option for bConnected keys. Given the idc.b.e system is HA, there is no expected downtime. CHG0033031

Services Affected

  • Manage My Keys

October 22, 2019, 5:30pm

In this release, we add known bad passwords to ucb-dictionary. CMR: CHG0033024

Services Affected

  • ucb-dictionary
  • bidms-downstream
  • registry-service
  • account-manager

October 7, 2019, 8pm

This release includes configuration adjustments and cosmetic changes to CAS. It was released to auth-test.berkeley.edu on 9/30/19 to allow time for testing. There are no major changes to CAS code in this release. CMR: CHG0032969

Services Affected

  • CAS

Sept. 13, 2019, 6pm - Sept. 16, 2019, 8pm

This release includes substantial changes to the CalNet stack. The MIT Kerberos authentication servers are being retired in favor of Active Directory. Reorganization of the AD structure follows security best practices and allows CalNet to be system of record for all user objects.

In addition, this release contains feature enhancements and bug fixes for CalNet Account Manager and CalNet Admin Tool; removal of legacy HCM and SIS processes; and an upgrade to Grails 3.3.10.

There may be brief periods of instability in the CalNet suite of services over the weekend while user account reprovisioning occurs. We expect all systems to return to their normal functions by 8pm on Monday, Sept. 16.

This release also retires the CalNet Sync Tool.

CMR: CHG0032879

Services Affected

  • All CalNet and Berkeley Person Registry Applications
  • CalNetAD
  • CAS
  • CalNet Sync Tool

Tickets Resolved

Ticket

Comment

CNR-1899

Change to match rule #2

CNR-1903

Remove legacy HCM account claiming entirely from CAM (Was: Delete extra employee account claim in CAM admin view)

CNR-1909

Fix UCPath LdapSync'ing in test environment

CNR-1904

Changes to CalNet ID creation - confirmation email

CNR-1938

Create a "Super Canonical" match engine config rule type

CNR-1939

registry-sor-gateway Quartz jobs stop working after some amount of time in production

CNR-1937

There is a CAM cache bug when a user changes calnetId

CNR-1926

Make it configurable to switch between sendgrid and greenmail for registry-service quartz jobs that send out email

CNR-1936

Not able to change CalNet ID to something I already own

CNR-1924

Need a way to identify "presirs with calnetIds" using roles

CNR-1922

AD provisioning: Changes to who gets provisioned to AD

CNR-1921

AD provisioning: OU changes based on primary affiliation

CNR-1920

AD provisioning: primaryGroupID changes based on primary affiliation

CNR-1919

Create new provisioning groups in my local AD

CNR-1918

AD provisioning: Active userAccountControl for in-grace people

CNR-1914

AD provisioning: OU and primaryGroupID changes for different primary affiliations and keeping in-grace people active

CNR-1516

Modify bidms-downstream change password endpoint to recognize certain AD passphrase validation errors codes

CNR-1911

Modify BPR tools to use AD Kerberos and not krbservice

CNR-1927

Enhancement to bidms-connectors/bidms-downstream to add and remove a person from directory groups

CNR-1917

When doing password change, use an user bind rather than an administrative bind

CNR-1928

Enable sendgrid (to test mailbox) in test for reg-serv end-of-life jobs

CNR-1496

Remove sisStudentSorKeyDataExtractor from sor-key-data-service

CNR-1944

bidms-downstream memory leak

CNR-1945

bidms-connectors isn't detecting a change when userAccountControl bits should be changing so no write is performed

CNR-1947

No longer referencing SYSADM.PS_TERM_TBL in any BPR queries to SIS databases

CNR-1946

Add CWR004 Staff Intern and CWR012 Traveling Nurse to official affiliatons in BPR

CNR-1910

Remove legacy hcm from SOR Gateway Service

CNR-1891

Remove defunct legacy HCM provisioning code from registry-provisioning-scripts

CNR-1949

Upgrade BIDMS web apps to Grails 3.3.10

CNR-1951

Add Deposit Pending to Campus Solutions query

CNR-1941

Provision BPR-managed SPAs to LDAP

CNR-1950

Update content on CAM welcome page

CNR-1956

Additional audit logging for CAT split/merge/reconciliation

CNR-1957

Additional audit logging for CAT split/merge/reconciliation

CNR-1958

Additional audit logging for CAT split/merge/reconciliation

CNR-1959

CalNet ID naming requirements need to be more restrictive temporarily


September 12, 2019, 8pm

In this release, we will add new authentication profile to the shibcas plugin. This is very minor change. Service won't be affected because the servers are in an HA configuration. CMR: CHG0032909

Services Affected

  • Shibboleth

September 12, 2019, 8:15pm

This is a minor change to CalGroups, CalGroups that changes the large group limit for AD and LDAP provisioning from CalGroups. There will be a short break (15 sec) in provisioning to AD and LDAP when the provisioning service is restarted.  CMR: CHG0032908

Services Affected

  • CalGroups

August 1, 2019, 6am

This release will update CAS logging and A10 health checks. CMR: CHG0032767

Services Affected

  • CAS

July 4, 2019, 8am

This is a test of DNS failover for auth.berkeley.edu and shib.berkeley.edu starting the morning of Thursday, July 4th at 08:00 AM PT. CMR: CHG0032674

The test period is expected to last for approximately 1 hour. During this period DNS requests for auth.berkeley.edu and shib.berkeley.edu will return the addresses for our DR site. 

If you currently enforce outbound firewall rules for web traffic, you should add additional allow rules for the SDSC virtual IPs:

CAS:
Port: 443
IP: 192.107.102.203

Shib:
Port: 443
IP: 192.107.102.199

This should be transparent to your applications. If you experience any issues please contact calnet-admin@berkeley.edu with a thorough description of your problem.

Services Affected

  • CAS
  • Shibboleth

July 3, 2019, 7pm

This release will prevent Student Volunteers from creating CalNet accounts, per instruction from UCPath. There will be a brief outage when the servers are restarted. CMR: CHG0032702

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

July 2, 2019, 7am

DNS change for the Shibboleth production hostnames to allow us engage in HA with our SDSC servers. There will be an outage of Shibboleth of up to 10 minutes during this time. CMR: CHG0032671

Services Affected

  • Shibboleth

June 20, 2019, 8am

We will upgrade CAS on the test auth-test.berkeley.edu cluster to 5.3.11.  The CAS release contains bug fixes for delegated authentication.  The CalNet-specific changes include enabling authentication and ticket issuance throttling.  No downtime expected, we will fail over to SDSC and back to EWH. CMR: CHG0032637

Services Affected

  • auth-test.berkeley.edu

June 13, 2019, 9pm

In this release, we will remove the passphrase synchronization feature from auth.berkeley.edu in preparation for the migration to AD Kerberos.  This is not a user-facing function of CAS and is not to be confused with the passphrase reset features of CalNet Account Manager. CMR: CHG0032603

Services Affected

  • CAS

June 13, 2019, 7am

In this release, we will configure DNS failover for the shib-test.berkeley.edu Shibboleth cluster.  This will allow Shibboleth to fail over to San Diego in case of a major network or systems outage at EWH.  There will be an outage to shib-test as DNS records will be deleted and re-created as new record types. CMR: CHG0032614

Services Affected

  • shib-test

June 6, 2019, 7am

This release is a patch of RHEL 6.x and the JVM for the idc.berkeley.edu application cluster. CMR: CHG0032587

Services Affected

  • idc.berkeley.edu, including:
    • Legacy Guests
    • MMK

June 1, 2019, 10am

This release will enable WebAuthn/FIDO2 and Touch ID for Duo users and devices. See https://guide.duo.com/security-keys and https://guide.duo.com/touch-id for details on these new options for Duo devices. Existing Duo U2F users will be prompted to re-register their devices. CMR: CHG0032567

Services Affected

  • CalNet 2-Step

May 28, 2019, 9pm

We will modify the CAS principal lookup filter to be more exclusive by only returning berkeleyEduPerson objects.  This is necessary to address an issue discovered while validating new Sponsored Guests with a specific application. CMR: CHG0032578

Services Affected

  • CAS
  • Shibboleth

May 23, 2019, 6:30pm

This expedited change includes changes to UCPath and Sponsored Guests provisioning. CMR: CHG0032577

Services Affected

  • SOR Gateway Service
  • Registry Provisioning Scripts
  • Berkeley Person Registry

Tickets Resolved

TicketComment

CNR-1898

UCPATH_DDODS hash query 
CNR-1894 CWR020 Student Volunteer

CNR-1887 

Cirrus Guest Account provisioning populate beKPS

CNR-1876

Set LDAP ucNetId value from UCPath external identifiers

May 23, 2019, 6:30pm

This expedited change includes changes to UCPath and Sponsored Guests provisioning. CMR: CHG0032577

Services Affected

  • SOR Gateway Service
  • Registry Provisioning Scripts
  • Berkeley Person Registry

Tickets Resolved

TicketComment

CNR-1898

UCPATH_DDODS hash query 
CNR-1894 CWR020 Student Volunteer

CNR-1887 

Cirrus Guest Account provisioning populate beKPS

CNR-1876

Set LDAP ucNetId value from UCPath external identifiers

May 12, 2019, 10:00am

This release will modify the queries used for department and title code groups within CalGroups to only use UCPath data. Some users may gain or lose access to systems that use those groups. CMR: CHG0032522

Services Affected

  • Any system utilizing department / title code groups, such as:
    • LDAP
    • Active Directory
    • Google
    • CalGroups API

Tickets Resolved

Ticket Comment
CG-173 Modify Department and title code groups in CalGroups

May 10, 2019, 6:30pm

This release will upgrade all Berkeley Identity Management Suite apps to Grails 3.3.9.

It will also remove HCM as a system of record for job data and LDAP affiliations.

Employees and Affiliates that are in HCM but are not yet in UCPath may enter their grace period (https://calnetweb.berkeley.edu/calnet-me/info-new-users/grace-periods) and are likely to get an account expiration notice. Employees and Affiliates who receive an unexpected expiration notice should review their UCPath HR status with their HR support staff.

LDAP affiliations for expired HCM and UCPath Affiliates will undergo a change to ensure backwards compatibility:

  • HCM Affiliates who enter their grace period will get the FORMER-HCM-AFFILIATE  affiliation.

  • UCPath Affiliates who enter their grace period will get the FORMER-AFFILIATE  affiliation.

  • In 3-4 months, CalNet will transition to using FORMER-AFFILIATE, only.  

  • Developers will receive additional communications when this change is made, and when the FORMER-HCM-AFFILIATE will be deprecated.

All affiliate records should only ever have either a FORMER affiliation or an active AFFILIATE-TYPE- affiliation, but not both at the same time.

See UCPath Affiliation Changes for additional affiliation information.

CMR: CHG0032500

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • SOR Gateway Service
  • Match Service
  • CalNet Account Tool
  • CalNet Account Manager
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1859 Upgrade all BIDMS apps to Grails 3.3.9
CNR-1879 Create replacement roles for Manager/Supervisor in UCPath
CNR-1880 Recognize UCPath "PRF" coded names as sorPreferredName
CNR-1881 Minor changes to match engine logging output
CNR-1884 Assert FORMER-AFFILIATE for former UCPath affiliates.  Don’t assert FORMER-HCM-AFFILIATE for active UCPath affiliates.
CNR-1883 Remove legacy HCM job data
CM-445 Edit error message for CAM
CM-447 Error message for twoStepClaim
CM-448 Redirect Slate-authenticated users
CM-449 List of AFFILIATE-TYPE- values for authorization need to be updated in CAM

April 24, 2019, 9:00pm

In this release, CAS operating system patches will be applied. CMR: CHG0032465.

Services Affected

  • CAS
  • Shibboleth

April 24, 2019, 7:00pm

This release includes work on the CalNet Sponsored Guest project, and some continuing UCPath cleanup. CMR: CHG0032481

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • LDAP
  • SOR Gateway Service
  • Match Service
  • CalNet Sponsored Guests

Tickets Resolved

Ticket Comment
CNR-1860 Ensure CAM restricts users from creating CalNet IDs that start with UID
CNR-1862 Cirrus reporting http 403 error
CNR-1864 Add REST endpoints to registry-service that talk to Cirrus API to create invitations for existing UIDs
CNR-1865 Write a program that creates Cirrus invitations for existing UIDs through registry-service endpoints
CNR-1863 Convert existing guests into Cirrus guests using pre-sent Cirrus invitations
CNR-1870 Remove legacy SIS (pre-CS) from LdapSync process
CNR-1869 Remove legacy HCM sor from LdapSync process
CNR-1868 Add ucpath to LdapSync now that dev/test have prod ucpath EMPLIDs
CNR-1867 Rename ldapAffilGuestTypeSocial role to be consistent with the new string value in LDAP
CNR-1849 Add sorObjKey to registry-match-service NewSORConsumerService response log message
CNR-1874 

Claim token can be used twice

 CNR-1875 Trigger IHub button in CAT should send message to both CS and UCPath, if it isn't already

April 14, 2019, 8:00am

This is an update to the Slate theme of the Duo login page. Related to: CHG0032441.

CMR: CHG0032458

Services Affected

  • CAS
  • Shibboleth

April 9, 2019, 8:00pm

This is an update to a new version of the Duo websdk and includes changes to the CAS login view, to change how the Duo iframe is generated. Some users may now see the 2-Step page rendered as smaller-than-normal. See Known Issues for steps to fix this issue. CMR: CHG0032441

Services Affected

  • CAS
  • Shibboleth

April 1, 2019, 4:45pm

This code is an update to the logic BPR uses regarding UCPath messages; specifically, to ignore ActionReason 'VOI' jobs in I-280 and DDODS. CMR: CHG0032422

Services Affected

  • Berkeley Person Registry

April 1, 2019, 8:45am

This code fixes timeout exceptions when provisioning large quantities from Berkeley Person Registry to Active Directory. CMR: CHG0032419

Services Affected

  • Berkeley Person Registry
  • Active Directory

March 28, 2019, 3:00pm

This release fixes a bug in provisioning in which berkeleyEduExpDate got improperly reset for some legacy HCM former employees CMR: CHG0032416

Services Affected

  • LDAP
  • Berkeley Person Registry

March 27, 2019, 11:00pm

With this release, we will replace the EV TLS cert for auth.berkeley.edu.  Additional alternative names will be included to support future DNS failover. CMR: CHG0032402

Services Affected

  • CAS
  • Shibboleth

March 27, 2019, 3:10pm

This CalNet release updates logic used to populate employeeNumber attribute in LDAP as well as the way CalNet looks at POIs from UCPath. CMR: CHG0032413

Services Affected

  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1851 UCPath POIs aren't getting masterActive role if their only active affiliation is UCPath POI
CNR - 1852 Delete employeeNumber from LDAP if active UCPath POI/CWR but not an employee, even if active emp in legacy HCM

March 25, 2019, 10:40am

This deployment is for new code to handle new information from UCPath DDODS tables. This deployment required a restart on registry-p1, which led to a brief outage. This deployment is already complete. CMR: CHG0032404

Services Affected

  • Berkeley Person Registry

Tickets Resolved

Ticket Comment
CNR-1847 New info from UCPath: DML_INDICATOR='D' in DDODS tables indicates a DELETED row

March 25, 2019, 7:00am

In this release, we will configure DNS failover for the auth-test.berkeley.edu CAS cluster.  This will allow CAS to fail over to San Diego in case of a major network or systems outage at EWH.  There should be no noticeable outage, this is just a transparent DNS change from the perspective of CAS clients. CMR: CHG0032379

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

March 22, 2019, 7:00am

This change is an upgrade to CAS on the test auth-test.berkeley.edu cluster to version 5.3.9. The CAS release contains minor bug fixes. This changes also includes cosmetic updates to support CalNet Sponsored Guest accounts. The TLS certificate for auth-test will also be updated to add additional SAN records for DNS failover and to use an EV certificate to mirror production.

The service will be down for less than 5 minutes for a restart. CMR: CHG0032374

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

March 20, 2019, 6:00am

CalNet will begin UCPath Go-Live and reprovisioning activities on or after 3/20/2019.

During the go-live process, there may be restarts needed that will affect CalNet Admin Tool and CalNet Account Manager for ~5 minutes. Reprovisioning could cause delays in real time messaging and updates to LDAP, Active Directory and API Integration Hub.

LDAP attributes will be updated with UCPath data (most notably: employeeNumber, berkeleyEduAffID, berkeleyEduAffiliations, title codes). Users using these attributes should refer to https://ucpath.berkeley.edu/ucpath-cal/tech-talk or https://ucpath.berkeley.edu/faq/technical for additional information.

There is no planned outage for SSO, CAS, Shibboleth, or LDAP.

This change date is tentative, and may be delayed by 1 or more days if UCPath conversion is behind schedule. CMR: CHG0032350

Services Affected

  • LDAP - attributes only
  • CalNet Admin Tool
  • CalNet Account Manager

March 20, 2019, 12:00pm

During this change, legacy apps using Rails are no longer needed and are vulnerable will be retired. CMR: CHG0032376

Services Affected

  • Manage Your Identity Applications
  • CalNet Deputy Application
  • UAS Portal

Tickets Resolved

Ticket Comment
OPS-409           Deprecate MYI/UAS - calnet-p2/net-auth-p2

March 6, 2019, 6:00pm

This release will add notices/warnings on the directory update pages hosted on calnet-p1. These warn about the potential for public exposure of addresses and phone numbers entered via the Directory Update app when published to the Campus CalNet Directory.

A brief outage of less than 1 minute will occur when the app is restarted. CMR: CHG0032344

Services Affected

  • CalNet Directory Update Application

March 6, 2019, 6:45am

This release includes code changes in support of the UCPath implementation and server patches. There will be two short outages, about one minute each, as the server is restarted. CMR: CHG0032340

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • CalNet Account Manager
  • CalNet Admin Tool
  • Active Directory
  • LDAP

Tickets Resolved

Ticket Comment
CNR-1667             UCPath: If personal email address becomes available via UCPath, modify sor-key-data-extractor to parse out and modify registry-provisioning-scripts to provision as personal email address
CNR-1741 UCPath: Need to understand how "UCB" POIs are identified in DDODS
CNR-1785 UCPath: Gain access to the DDODS UAT instance
CNR-1801 Modify bidms-connectors to reuse same LDAP connection within a call to persist()
CNR-1803 UCPath: Integrate with the new "delete EMPLID" queue once it becomes available (yet to happen, but code is there to support it)
CNR-1805 UCPath: Quartz job to find old emplids in i-280 sor that aren't in DDODS anymore
CNR-1806 UCPath: dev DDODS hash query throwing an string concatenation exception
CNR-1809 UCPath: DDODS query needs to handle POI-only people with no jobs
CNR-1810 UCPath: The test I-371 IHub REST endpoint is not working
CNR-1811 UCPath: POI_TYPE codes have changed in DDODSQPT
CNR-1812 UCPath: There are additional CWR codes in DDODSQPT that we weren't originally given
CNR-1813 UCPath: The "send to IHub" logic needs to become more complex to support multiple IHub endpoints for CS and UCPath
CNR-1814 UCPath: last_updates subquery is causing slowness of the per-EMPLID DDODS query
CNR-1816 UCPath: Make ucPathId a recognized account claim identifier in CAM and registry-service
CNR-1817 UCPath: Create a SQL query to compare UAT active employee list with legacy HCM active employee list
CNR-1818 UCPath: Modify reg-prov-scripts to have UCPath be prioritized over legacy HCM for payroll-related LDAP attributes
CNR-1819 UCPath: In match engine, make UCPATH_DDODS<->UCPATH_INTER_PERUPD primary key pairing a canonical match
CNR-1820 UCPath: Create a view from DDODS data that only contains I-280 data elements
CNR-1821 UCPath: Look at BOTH PPS_ID and PSFT_ID for a legacy HCM external identifier
CNR-1823 UCPath is sometimes incorrectly removing the leading zero from legacy HCM identifiers
CNR-1829 UCPath: last_updates inline view has a SQL bug in it

February 27, 2019, 9:00pm

On Wednesday evening (2/27) from 9-10 pm, we will be upgrading the ShibCAS plugin on the production Shibboleth servers. Since the servers are redundant, there will be no down time while the updates happen. This service is used by any campus member logging into an external service like bConnected. CMR: CHG0032328

Services Affected

  • Shibboleth

February 27, 2019, 7:00am

This is an update to the CAS / AD password sync filter. With the implementation of AD password sync in CAS on Sunday (CHG0032283) we are seeing a high number of errors for a specific account.  This change will alter the LDAP filter to exclude the account from the sync call. CMR: CHG0032323

Services Affected

  • CAS
  • Active Directory

February 24, 2019, 8:00am

We will upgrade CAS on the production auth.berkeley.edu cluster to 5.3.7. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-53-upgrade for more information. CMR: CHG0032283

Notable Changes Include

  • CalNet AD password synchronization
  • Improved surrogate/impersonation support for SPAs
  • Support for social guests
  • Accessibility improvements

Services Affected

  • CAS
  • Shibboleth

February 21, 2019, 6:00pm

We will reconfigure the httpd TLS settings on calnet.b.e and net-auth.b.e to follow OWASP recommendations for TLS security. A brief outage of less than 1 min will happen as the web servers are restarted. CMR: CHG0032301

Services Affected

  • Directory Update App
  • krbservice

February 17, 2019, 9:00am

In this release, we will extend the berkeleyEduPerson object class to include a new attribute named berkeleyEduUCPathID.  After conversion to UCPath, the berkeleyEduHCMID will contain the deprecated employee id.  Both berkeleyEduUCPathID and employeeNumber will contain the UCPath employee id. CMR: CHG0032274

Services Affected

  • LDAP

February 13, 2019, 7:00am

We will replace the certificate on the test/QA CAS instance (auth-test.berkeley.edu) to update the subject alternative names in preparation for DNS failover testing.  There will be a brief outage while CAS is restarted, from 7am-7:10am. CMR: CHG0032291

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

February 11, 2019, 9:00am

This release is an upgrade of the CAS test/QA service definition files to the latest format to prepare for the CAS 5.3.7 upgrade in prod later this month. 

We will also implement a new default authorization policy on CAS applications that have not registered with the CalNet team. The default authorization will enforce that any non-registered applications are restricted to student, staff, faculty and valid HCM affiliates. See https://calnetweb.berkeley.edu/calnet-technologists/cas/cas-default-auth... for more information. CMR: CHG0032273

January 31, 2019, 8:00am

This release is the retirement of the nds.berkeley.edu LDAP service. CMR: CHG0032216.  All customers should use ldap.berkeley.edu as the primary LDAP service and ldap-test.berkeley.edu for test/qa purposes.

On October 31, 2018 ldap.berkeley.edu was upgraded to the latest directory server software, which is a major upgrade from nds.berkeley.edu.  With that service stable we are now retiring the legacy LDAP service.

If your service depends on LDAP, you can test the performance and functionality of the latest software using either ldap.berkeley.edu or ldap-test.berkeley.edu.  It is highly recommended that you test your applications as soon as possible and report any issues to calnet-admin@berkeley.edu

If your application or TLS/SSL libraries do not accept the ldap.berkeley.edu certificates as trusted see this resource for developers.


January 3, 2019, 6:00pm

This is an emergency release primarily to address a regression bug affecting some accounts with conflicting affiliations. CMR: CHG0032199

Notable changes Include

  • Fix for employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time
  • Add LDAP mail attribute for social guests
  • Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.

Services Affected

  • Registry Service
  • Registry Provisioning
  • Cirrus Guest App
  • CalNet Account Manager
  • CalNet Guest Accounts

Tickets Resolved

Ticket Comment
CNR-1800
LDAP mail attribute with cirrus/social guests user email address
CNR-1804
Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.
CNR-1807
Employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time.
CNR-1808
Add additional exception handling in provisionUid and provisionUidBuilk (related to CNR-1804)