Axiad Conductor for Airgap Release Notes
- Updated on 08 Jun 2026
June 5th 2026
Conductor HI
Components included in this version
UCMS 4.32.1
UP 2.27.1
Database Schema
4.32.1 - Requires update; please refer to the upgrade paths to identify which updates are required based on your version.
Upgrading to UCMS 4.32.1 / UP 2.27.1
Check out the upgrade considerations for this new version here
Synchronous user status, multi-identity, and credential lifecycle
PM-17245 – Automated Credential Enforcement on User Status
Conductor now automatically suspends or revokes all credentials and associated devices when a user is disabled or deleted in the authoritative identity source. Administrators can configure per-status and per-credential-type actions (suspend, revoke, no action), set retry behavior for transient failures, and optionally notify the affected user. All enforcement events — including the previous and new state, triggering source, and any failures or retries — are written to the audit log. Enforcement is applied within minutes of the upstream status change, replacing the manual processes previously required to keep credential state aligned with identity source state.
PM-18622 – Expired Credential Status and Per-Slot Revoke Options
Credentials and devices now reflect an "Expired" status that is evaluated dynamically based on their certificate expiration dates, providing a more accurate view of credential validity in the Unified Portal and in revoke decision logic. Credential workflows also expose two new per-PKI-slot configuration options — Revoke when expired and Revoke on update — that let administrators tailor revocation behavior for each slot. Default values preserve existing behavior for legacy workflows while applying the safer, more explicit defaults to newly created workflows.
Role management
PM-16894 – Dynamic Role Management with Fine-Grained Access Control
The Axiad Conductor Role Management framework now supports fine-grained access control with dynamic, rule-based role assignment and context-aware scoping using attribute-driven logic. Administrators can define Role Mapping Rules (which users receive a given role, based on SCIM attributes, directory attributes, or group membership), Scope Rules (which users an operator role grants access to manage), and Priority values that control evaluation order when multiple rules apply. Key capabilities include logical AND/OR operators for complex rule criteria, automatic rule evaluation at login for real-time role and scope assignment, manual assignments that override rule-based assignments, and an updated permission model that prevents self-privileged actions.
FIPS 140-3 Level 3 HSM support
PM-18624 – FIPS 140-3 Level 3 HSM Support for Thales IDPrime MD 830/MD831 and Virtual Smart Card Operations
Axiad Conductor now supports FIPS 140-3 Level 3 Hardware Security Modules for Thales IDPrime MD 830/MD831 and Virtual Smart Card credential flows. Legacy 3DES/TDES cryptographic operations have been eliminated and replaced with AES-based key derivation, bringing these card types into compliance with current FIPS standards. Existing Thales IDPrime MD 830/MD831 and Virtual Smart Card devices remain fully operational through a backward-compatible fallback mechanism. New Virtual Smart Cards use AES-based key derivation and are fully FIPS 140-3 compliant. Thales IDPrime MD 830/MD831 hardware does not support AES, so issuance of new cards of this type will no longer be supported after the migration is complete.
Device identification and PIN
PM-18314 – Globally Unique Card Identification (CUUID) for IDEMIA OCSv8
IDEMIA OCSv8 cards can now be identified using CUUID (a globally unique identifier per physical card) instead of the legacy CUID derived from CPLC. Because CUID is not guaranteed to be unique across cards, customers issuing IDEMIA OCSv8 at scale could occasionally encounter collisions during enrollment; CUUID eliminates this class of issue. A new Legacy Unique Identifier (CUID) checkbox has been added to the OCSv8 Credential Profile configuration: existing Credential Profiles have it checked by default (legacy CUID behavior preserved); new OCSv8 Credential Profiles have it unchecked by default (new enrollments use CUUID). The toggle is one-way — once a Credential Profile is saved in CUUID mode it cannot be reverted to legacy CUID mode. When CUUID mode is enabled, card-present interactions perform CUUID-first resolution with CUID fallback to preserve compatibility with existing inventory.
PM-16556 – Virtual Smart Card 6-Character Minimum PIN
The Virtual Smart Card (VSC) Credential Profile now supports a minimum PIN length of 6 characters (previously restricted to 8), aligning VSC PIN policy with other device types and supporting Windows compatibility scenarios.
Prerequisites: Conductor OS Bridge v1.9.0 or later and Conductor Browser Extension v1.9.0 or later. Both components must be upgraded for 6-digit PIN issuance to work end-to-end. Existing Credential Profiles configured with PIN length 8 or above are unaffected.
Identity verification, account recovery, and Axiad Confirm
PM-16451 – Secure, Privacy-Preserving Self-Service Account Recovery
A public, unauthenticated recovery entry point allows users to securely initiate account recovery without revealing whether an account exists. Users submit a configured identifier and, if valid, receive an email that triggers a standard Axiad Confirm identity verification flow. The experience is intentionally privacy-preserving: the same response is shown regardless of identifier validity, preventing account enumeration. Upon successful verification, users can recover access through administrator-defined mechanisms (such as temporary access credentials or password resets), with all expiration, retry limits, and verification rules enforced by existing Confirm configurations.
PM-16470 – Active Directory Parity for Axiad Confirm
Axiad Confirm now supports Active Directory as a first-class identity source, achieving functional parity with Entra ID where technically feasible. Administrators can configure AD as a direct datasource integration, map attributes, and use AD-sourced users across Confirm onboarding, verification, and recovery workflows. Where permitted, workflows can generate Temporary Access Passes for Entra-synced users and reset Active Directory passwords, including enforcing password policy and "change at next logon" behavior.
PM-16463 – Help Desk Visibility and Control Over Identity Verification State
Help Desk operators now have actionable visibility into a user's identity verification (IDV) status directly from the Unified Portal's User Details page. Operators can view current IDV state, initiation and completion timestamps, and — based on permissions — take controlled actions such as initiating verification, reconfirming identity, or deleting confirmation data. All actions are fully audited.
PM-16459 – Workflow-Driven Identity Verification Outcomes in Conductor
Conductor workflows can now natively incorporate Axiad Confirm with configurable post-verification outcomes, turning identity verification into an enforceable, reusable workflow primitive rather than a one-off step. Administrators can enable Confirm per workflow, define success/failure messaging, and configure post-verification actions such as generating Temporary Access Credentials or issuing initial Active Directory passwords. These actions can be combined and tailored per workflow type, allowing identity verification to directly drive secure onboarding, recovery, and access enablement.
Enhancements
PM-18626 – Safe Expiration Defaults Enforced During Database Upgrade
The UCMS database upgrade now systematically aligns all existing credential workflows to safe expiration defaults — CARD_VALID_MONTHS is set to NULL and SKIP_EXPIRED_CARD_REVOCATION is set to Y — to prevent unintended device expirations or revocations following an upgrade. The previous and new values are written to a per-workflow audit record so administrators can review and, if needed, adjust the configuration after the upgrade. This change does not require any manual action.
PM-17945 – Always Redirect to IdP on Expired SSO Session
When a user's SSO session expires inside the Unified Portal, UP now consistently redirects them to the configured Identity Provider for re-authentication and returns them to the screen they were on. This applies to GET, POST, PATCH, and GraphQL calls (including credential search), removing prior cases where an expired session surfaced as an error or stale state instead of a clean re-auth.
PM-19136 – Configurable Master Key for Virtual Smart Card Offline PUK Generation
The Virtual Smart Card (VSC) Credential Profile now exposes a new Offline unlock key option that controls which master customer-admin key is used to generate the PUK for the offline unlock challenge/response flow. The option is only presented and applied when both a TDES master customer-admin key and an AES master customer-admin key are configured on the Credential Profile, and accepts two values: AES (default, preserves existing behavior) and TDES (uses the TDES-derived customer-admin key to generate the PUK). Credential Profiles configured with only one master key are unaffected, and existing Credential Profiles continue to behave as before until the new option is set.
PM-17425 – Default Country Fallback for Identity Verification
A new Default Country field has been added to the Verification Server configuration (Configuration > Verification Server). Administrators can define an organization-wide fallback country using a 3-letter ISO 3166-1 alpha-3 country code (e.g., USA, GBR, DEU), eliminating identity verification failures for users who are missing a country attribute in their profile.
PM-17220 – Branding-Based Table Column Visibility
The Unified Portal now supports configuring default table column visibility through branding.json. Administrators can define which columns are shown or hidden by default for each table across the portal, enabling a tailored interface experience aligned with organizational preferences.
PM-16181 – Selective SID/Custom SID per Certificate Type
It is now possible to configure, for each certificate type, whether to include the SID X.509 extension, which directory/SCIM attribute to use for its value, and whether that attribute is mandatory or optional.
Bug Fixes
Identity and access management
PM-18304 – LDAP Synchronization Failure Due to Duplicate User Identifier.
Resolved an issue where LDAP synchronization could fail with a unique-constraint violation on the user identifier column. Duplicate-identifier scenarios are now handled gracefully and synchronization completes as expected.
PM-19113 – Batch LDAP Membership Query Failure on Microsoft SQL Server.
Resolved an issue where the batch LDAP membership query could fail on Microsoft SQL Server because of incorrect recursive-query syntax. The query has been adjusted to use SQL Server–compatible recursive CTE syntax.
PM-19112 – SAML Redirect Loop for a Non-Existent User.
Resolved an issue where a SAML authentication request for a user that did not exist in Conductor could trigger a continuous redirect loop, eventually producing a "Bad Request — Header Too Long" error. Unknown users are now handled cleanly without an authentication loop.
Credential issuance and workflows
PM-19080 – Credential Issuance Failed with an Internal Error.
Resolved an issue where credential issuance could fail with an internal null-pointer error under specific workflow configurations.
PM-16832 – Intermittent Null-Pointer Error During Certificate Issuance.
Resolved an intermittent problem which previously led to null-pointer errors during certificate issuance.
PM-19145 – Device Lifecycle Setting Ignored for Key-Management Certificates When User is Disabled.
Resolved an issue where the Skip Device Life Cycle configuration was not honored for Key Management certificates when the associated user was disabled. The setting is now respected for all certificate types.
PM-19146 – Device and Certificate States Not Updated When the CA Was Unreachable.
Resolved an issue where device and certificate states were not refreshed when the certificate authority was temporarily unreachable. State is now reconciled once connectivity is restored.
PM-19114 – Credential Workflow Page Stuck Loading After an Authorization Error.
Resolved an issue where the Credential Workflow page could remain in a perpetual loading state when the underlying request returned an authorization error. The page now surfaces the error and recovers cleanly.
PM-19382 – Workflow Cloning Failed With an Authorization Error.
Resolved an issue where cloning a credential workflow could leave the page in a loading state because of an authorization error. Workflow cloning now completes successfully.
PM-19172 – Credential Profile Creation Page Failed to Load.
Resolved an issue where the Credential Profile creation page could fail to load with a view-expired error after a period of inactivity.
PM-19109 – EJBCA Credential Server Authority ID Not Preserved.
Resolved an issue where the Authority ID value was not preserved when editing an EJBCA Credential Server configuration, and could appear pre-populated when creating a new EJBCA Credential Server. The Authority ID now persists exactly as entered and is empty by default for new configurations.
PM-16667 – PIN Length Exceeded Policy Maximum.
Resolved an issue where users could enter PINs exceeding the maximum length defined in the PIN Policy, causing verification failures.
PM-18041 – Axiad ID iOS Credential Profile Save Error.
Resolved an issue where the Axiad ID iOS Credential Profile could not be saved because a permission validation failure and a duplicate name conflict occurred simultaneously.
FIDO2 / Passkey
PM-17674 – FIDO2 Credential Issuance Reported a Spurious Error.
Resolved an issue where FIDO2 credential issuance failed with the error "The Identity Provider was unable to process the request," preventing the credential from appearing under the user's identities even when the underlying registration in Entra ID had completed.
PM-17596 – FIDO2 / Passkey Registration Reported a Spurious Error.
Resolved an issue where FIDO2 / Passkey registration failed with the error "The Identity Provider was unable to process the request," even when the passkey was successfully registered in Entra ID. The credential was not being reflected in the My Identities view.
Cards
PM-15972 – IDEMIA Legible ID Mismatch on Enrollment.
Resolved an IDEMIA Legible ID mismatch that caused enrollment failures.
Notifications
PM-19119 – Enforcement Notification Email Not Sent for LDAP-Disabled Users.
Resolved an issue where the enforcement notification email was not delivered for users disabled in LDAP. Notifications are now sent consistently for all configured user status changes.
PM-19163 – Enforcement Notification Email Used the Wrong User-Name Placeholder.
Resolved an issue where the enforcement notification email greeting included the literal placeholder %username% instead of resolving the recipient's first name.
PM-19164 – Enforcement Notification Email Sent for Deleted Users.
Resolved an issue where the enforcement notification email was sent to users whose accounts had been deleted. Notifications are now suppressed for deleted users.
Portal and Help Desk
PM-17150 – Refreshing the Unified Portal Returned a Forbidden Error.
Resolved an issue where refreshing the Help Desk page incorrectly showed a "Forbidden" error. The page now reloads smoothly and works as expected.
PM-17153 – Help Desk Portal Missing or Unexpected UI Elements.
Resolved an issue in the Help Desk Portal where some expected UI elements were missing and others appeared unexpectedly. The page now displays clearly and works as intended.
Operational
PM-17995 – Excessive Temporary Database Storage Consumption During Cleanup.
Resolved an issue where an internal cleanup query could consume excessive temporary database storage on Microsoft SQL Server, occasionally degrading performance under sustained load. The query has been rewritten to bound its working set.
PM-17866 – Internal Logging Component Upgrade.
Upgraded the internal logging component to a newer, more secure version. This update strengthens overall system security and helps protect customers.
Security Fixes
Platform Security Improvements. As part of this release, Axiad has addressed several security vulnerabilities across the Axiad Conductor platform identified through routine third-party dependency scanning.
PM-19063 – Addressed vulnerabilities: CVE-2026-42587, CVE-2026-42579, CVE-2026-42583.
PM-19158 / PM-19159 – Addressed vulnerability: CVE-2026-41284.
PM-19323 – Addressed vulnerability: CVE-2026-44503.
PM-18471 / PM-18450 – Addressed vulnerabilities: CVE-2026-29145, CVE-2026-34500, CVE-2026-29129, CVE-2026-24880.
PM-18084 / PM-18085 – Addressed vulnerability: CVE-2026-22733.
PM-18825 – Addressed vulnerabilities: CVE-2026-34478, CVE-2026-40973, CVE-2026-34480.
PM-18478 – Addressed vulnerabilities: CVE-2026-40477, CVE-2026-2332.
PM-18269 – Addressed vulnerability: CVE-2026-4800.
PM-18206 – Addressed vulnerability: CVE-2025-8671.
PM-18145 – Addressed vulnerability: CVE-2026-22732.
PM-18826 – Addressed vulnerability: CVE-2026-34477.
PM-18083 – Addressed vulnerability: CVE-2026-22737.
PM-18128 – Addressed vulnerability: CVE-2026-33871.
PM-16661 – Addressed vulnerability: CVE-2025-12383.
PM-18951, PM-18205, PM-18268 – Upgraded additional dependencies to address issues identified through routine security scanning for which CVE identifiers had not yet been assigned at the time of release.
Known Limitations
PM-18472 – Credential issuance using YubiKey 4 with IdenTrust CA fails during the certificate import phase. The CSR is generated and submitted successfully, but the process fails with an error indicating the CSR/PKCS#10 is invalid and the certificate cannot be imported. YubiKey 5 and YubiKey 5.7.1 devices are not affected.
Installer - This version is not packaged with the installer; use a previous version of the installer to deploy the product.
Conductor Browser Extension 1.9.1
Prerequisites
Axiad Conductor UCMS 4.31 or later (for Virtual Smart Card minimum PIN length below 8 characters)
Axiad Conductor OS Bridge 1.9.0 or later (for Virtual Smart Card minimum PIN length below 8 characters)
Enhancements
PM-16556 / PM-16557 – Support for Virtual Smart Card minimum PIN lengths of 6 or 7 characters. Aligned with the Windows OS Bridge, the macOS OS Bridge now supports Virtual Smart Card profiles configured for PINs as short as 6 characters in Conductor (UCMS 4.31 or later).
October 31, 2025
Conductor HI
Components included in this version
UCMS 4.25.1
UP 2.20.1
Database Schema
4.25.1 - Requires update; please refer to the upgrade paths to identify which updates are required based on your version.
Upgrading to UCMS 4.25.1 / UP 2.20.1
Check out the upgrade considerations for this new version here
New Features
Axiad Confirm is now supported in Axiad Conductor for Airgap.
Enhancements
Enhanced Compatibility – Issuance of Thales eToken Fusion PIV with SafeNet Authentication Client
Axiad Conductor now supports issuing Thales eToken Fusion PIV devices while the SafeNet Authentication Client (SAC) is running.
Previous versions encountered conflicts during issuance; this enhancement ensures seamless operation and improved compatibility in managed workstation environments.
PM-14762 – Issuance Failure for Thales eToken Fusion PIV Devices with Key Escrow Enabled
Resolved an issue where Thales eToken Fusion PIV device issuance failed when the Key Management certificate was configured with key escrow, a feature not supported in the previous release. The issuance process now completes successfully when key escrow is enabled.
PM-14763 – Challenge/Response Option Displayed After Device Suspension
Fixed an issue where the Challenge/Response (C/R) option remained visible in the User Portal after suspending a Thales eToken Fusion PIV device. The option is now correctly hidden for suspended devices, preventing invalid operations and error messages.
PM-14776 – Prevent Unintended Revocation During Group Transition for Thales eToken Fusion PIV Devices
Resolved an issue where an error occurring during the group transition process could result in the unintended revocation of Thales eToken Fusion PIV devices. The process now correctly preserves device status when transitions fail or are interrupted.
PM-14777 – Configurable Parameters for Flexible Legible ID Retrieval
New configuration parameters — ATR, tag, offset, length, and character set (charset) — allow administrators to define how Legible IDs are retrieved for different device types.
This enhancement provides greater flexibility to support multiple Thales device models and ensures accurate mapping between the printed serial number and the system-stored identifier. Online documentation is being updated to include configuration guidance for this new functionality.
PM-14920 - Display Physical Serial Number for Thales eToken Fusion NFC PIV Devices
Previously, the User Portal (UP) did not display the serial number physically printed on the eToken Fusion NFC PIV devices.
This enhancement ensures that the printed serial number is now correctly retrieved and displayed within the User Portal, aligning on-screen data with the device’s physical identifier for improved accuracy and traceability.
PM-15120 - Axiad RPM Files include Digital Signatures
All RPM files provided by Axiad as part of the product release now include a digital signature, enhancing package integrity and authenticity verification.
Refer to this guide to learn how to import the RPM public GPG keys.
PM-15229 – Improved Device Identification for Thales eToken Fusion PIV
The Unified Portal now displays enrolled Thales SafeNet eToken Fusion PIV devices with the correct Thales security key icon, ensuring consistent and accurate representation across the user interface.
PM-15552 - Improved Device Identification for SafeNet IDPrime 930/931 smart cards
The device legible ID is now displayed throughout all lifecycle operations for the SafeNet IDPrime 930/931 smart cards, improving traceability and consistency between reported and printed device identifiers.
PM-16181 – Selective SID/Custom SID per Certificate Type
It is now possible to configure, for each certificate type, whether to include the SID X.509 extension, which directory/SCIM attribute to use for its value, and whether that attribute is mandatory or optional.
Online documentation is being updated to include configuration guidance for this new functionality.
Security Fixes
As part of this release, Axiad has addressed several security vulnerabilities across the Axiad Conductor platform.
PM-14716 - Enhanced Transport Key Encryption Algorithm - The algorithm used to encrypt OTP seeds has been updated from RSA/ECB/PKCS1Padding to RSA/NONE/OAEPWithSHA256AndMGF1Padding, providing improved cryptographic security.
PM-14593 - Missing Security Header - Implemented HTTP Strict Transport Security (HSTS) to enforce secure connections.
PM-15198 - Uncontrolled Recursion - Addressed a vulnerability that could lead to application instability when processing certain inputs. (CVE-2025-48924)
PM-15309 Addresses high-severity vulnerabilities in Apache Tomcat (integer overflow, resource exhaustion) and Apache Commons Lang (uncontrolled recursion) by upgrading dependencies to secure versions. (CVE-2024-34750, CVE-2024-37383, CVE-2024-47554)
PM-15742 - Addressed Relative Path Traversal Vulnerability - Resolved a high-severity vulnerability that, under specific deployment configurations, could allow unauthorized access to files outside the intended web directory. The issue was mitigated by updating internal components responsible for resource handling and path validation. (CVE-2025-24913)
PM-15658 - Resource Exhaustion – Mitigated a vulnerability that could lead to excessive resource consumption and service disruption. (CVE-2025-55163)
PM-15659 - Resource Handling Risk – Fixed an issue that could allow denial-of-service attacks under specific conditions. (CVE-2025-48989)
PM-15737 - Path Traversal – Resolved a flaw that could allow unauthorized access to files outside the intended directory. (CVE-2025-41242)
PM-15861 - HTTP Request Smuggling – Corrected a vulnerability that could enable attackers to bypass request validation and inject malicious requests. (CVE-2025-58056)
PM-16080 - Authorization Bypass – Fixed an issue where improper validation could allow unauthorized access to sensitive operations. (CVE-2025-41249)
Known Limitations
PM-16274 – Legible ID Not Displayed for Newly Inserted Devices on Scanner Page
When a new (unissued) SafeNet eToken Fusion device is inserted on the Scanner page, the Legible ID field is not displayed.
The device appears with a valid serial number and status “Available,” but the Legible ID column remains blank until the device has been issued.
PM-14818 - The PUK unblock screen does not appear at the Windows Credential Provider for Thales eToken Fusion PIV devices
September 18, 2025
Conductor HI
Components included in this version
UCMS 4.20.5
UP 2.15.4
Database Schema
4.20.5 - No update required
Enhancements
PM-15120 – Digital Signatures Added to Axiad RPM Files
All RPM files provided by Axiad as part of the product release now include a digital signature, enhancing package integrity and authenticity verification.
Refer to this guide to learn how to import the RPM public GPG keys.
Support for EJBCA 9.x
This version of Axiad Conductor has been validated with EJBCA 9.1.1 Community Edition. We expect compatibility with Keyfactor EJBCA 9.x as well, based on the shared core codebase.
Note
Keyfactor EJBCA (Enterprise Edition) and EJBCA Community Edition share the same core functionality; however, enterprise builds include additional features and commercial modules not available in the community version. Organizations using Keyfactor EJBCA should validate any enterprise-specific features or workflows separately.
Security Fixes
PM-15787 – Security Vulnerability Fixes Implemented
Addressed multiple security vulnerabilities as part of this release, including:
CVE-2025-41242, CVE-2025-49146, CVE-2025-48988, CVE-2025-52520, CVE-2025-53506, CVE-2025-48989, CVE-2025-31650, CVE-2025-48924, CVE-2025-55163, CVE-2025-48976, and CVE-2025-48734.
PM-15861 — Security Fix: CVE-2025-58056
Resolved the vulnerability identified as CVE-2025-58056 to enhance system security and compliance.
PM-14716 — Enhanced Transport Key Encryption Algorithm
The algorithm used to encrypt OTP seeds has been updated from RSA/ECB/PKCS1Padding to RSA/NONE/OAEPWithSHA256AndMGF1Padding, providing improved cryptographic security.
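The PM-14716 transport-key change (listed here and in the October 31, 2025 notes) as an added Java example that is not Axiad's code: the OAEP parameters equivalent to the new transformation, beside the retired PKCS#1 v1.5 path, applied to a constructed OTP seed under an assumed 2048-bit transport key. The SunJCE transformation name plus an explicit OAEPParameterSpec is the assumed way to get SHA-256 inside MGF1 with the stock provider, which is what the Bouncy Castle-style name on the page denotes.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

/**
 * Added example, not Axiad code: the two RSA paddings named in PM-14716,
 * applied to a constructed OTP seed. Class/method names and the 2048-bit
 * transport key are assumptions for illustration.
 */
public class OtpSeedTransportExample {

    // Equivalent of "RSA/NONE/OAEPWithSHA256AndMGF1Padding" (Bouncy Castle naming):
    // SHA-256 as the OAEP hash AND inside MGF1. With the stock SunJCE provider the
    // transformation name alone still uses SHA-1 inside MGF1, so the parameters are
    // passed explicitly to pin both digests and keep blobs interoperable.
    private static final OAEPParameterSpec OAEP_SHA256_MGF1_SHA256 =
            new OAEPParameterSpec("SHA-256", "MGF1",
                    MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    /** Current scheme: RSA-OAEP, randomised and chosen-ciphertext secure. */
    static byte[] wrapSeedOaep(byte[] seed, PublicKey transportKey) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, transportKey, OAEP_SHA256_MGF1_SHA256);
        return c.doFinal(seed);
    }

    static byte[] unwrapSeedOaep(byte[] wrapped, PrivateKey transportKey) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, transportKey, OAEP_SHA256_MGF1_SHA256);
        return c.doFinal(wrapped);
    }

    /**
     * Legacy scheme the release replaced: PKCS#1 v1.5. Keep it only for decrypting
     * seeds wrapped by older versions; its malleable padding is what makes
     * padding-oracle (Bleichenbacher-class) attacks possible, hence the move to OAEP.
     */
    static byte[] unwrapSeedLegacyPkcs1(byte[] wrapped, PrivateKey transportKey) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(Cipher.DECRYPT_MODE, transportKey);
        return c.doFinal(wrapped);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);                       // assumed transport key size
        KeyPair transport = kpg.generateKeyPair();

        byte[] seed = new byte[20];                 // constructed 160-bit HOTP/TOTP seed
        new SecureRandom().nextBytes(seed);

        byte[] wrapped = wrapSeedOaep(seed, transport.getPublic());
        byte[] recovered = unwrapSeedOaep(wrapped, transport.getPrivate());
        System.out.println("OAEP round trip ok: " + Arrays.equals(seed, recovered));

        // OAEP is randomised: wrapping the same seed twice yields different blobs.
        byte[] wrappedAgain = wrapSeedOaep(seed, transport.getPublic());
        System.out.println("OAEP ciphertexts differ: " + !Arrays.equals(wrapped, wrappedAgain));

        // The two schemes are not interchangeable: a migration must record which
        // scheme wrapped each stored seed rather than guess at decrypt time.
        try {
            unwrapSeedLegacyPkcs1(wrapped, transport.getPrivate());
            System.out.println("unexpected: PKCS#1 v1.5 accepted an OAEP blob");
        } catch (BadPaddingException e) {
            System.out.println("PKCS#1 v1.5 rejects an OAEP blob, as expected");
        }
    }
}
```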
Upgrade Considerations
Tomcat HSTS Security Requirement
For Linux deployments with external Tomcat, you must enable HSTS globally at the Tomcat level by configuring the HttpHeaderSecurityFilter in Tomcat’s web.xml. Windows deployments (embedded Tomcat in Spring Boot) do not require this update.
Read the instructions here
September 8, 2025
OS Bridge 1.8.1.1 (Mac)
Enhancements
Added support for provisioning FIDO2 security keys (passkeys) for Microsoft Entra ID in conjunction with Axiad Conductor platform and Axiad Conductor Browser Extension
Conductor OS Bridge for Mac is now signed with a publicly-trusted code signing certificate
June 27, 2025
Conductor Human Identities (HI)
Components included in this version
UCMS 4.22.1
UP 2.17.0
Database Schema
4.22.1 - Requires update
Enhancements
Support for Thales SafeNet eToken Fusion NFC PIV Device
Axiad Conductor now supports the Thales SafeNet eToken Fusion NFC (PIV), expanding the range of strong authenticators available to customers. This addition gives organizations more flexibility when selecting phishing-resistant authentication methods that align with their security and deployment needs.
Read about how to configure a Credential Profile for this device
Support for EJBCA 9.x
This version of Axiad Conductor has been validated with EJBCA 9.1.1 Community Edition. We expect compatibility with Keyfactor EJBCA 9.x as well, based on the shared core codebase.
Note
Keyfactor EJBCA (Enterprise Edition) and EJBCA Community Edition share the same core functionality; however, enterprise builds include additional features and commercial modules not available in the community version. Organizations using Keyfactor EJBCA should validate any enterprise-specific features or workflows separately.
Known Limitations
PM-14818: The PUK unblock screen does not appear at the Windows Credential Provider for IDPrime PIV v4 devices
PM-14776: An error during the group transition process can lead to unintended revocation of the IDPrime PIV v4 device
PM-14767: The maximum PIN and PUK retry values are hardcoded for IDPrime PIV v4 devices, and cannot be customized in the Credential Profile
PM-14763: Following suspension, the Challenge/Response option remains visible for IDPrime PIV v4 devices and entering a challenge value results in an error
PM-14762: Issuance fails for IDPrime PIV v4 devices when the Key Management certificate is configured with key escrow, as key escrow is not supported in this release. If key escrow is disabled, issuance completes successfully and the resulting key can be used for macOS logon.
To avoid conflicts during issuance, the Thales SAC client must be closed when issuing the SafeNet eToken Fusion with Axiad Conductor. Having the SAC client running during issuance may interfere with device initialization and certificate operations and return a 6999 error
SHA256 Hashes
SHA256 hashes can be found on the Axiad Version Support guide
June 17, 2025
Unsupported Conductor for Airgap Version
Currently, FIDO2 passkey support is not available for Axiad Conductor for Airgap. This will come in a future release. The updated components listed below are required to issue and manage FIDO2 passkeys, but you will not be able to do this until your version of Conductor HI is updated.
Browser Extension 1.8.0
Availability
Axiad Conductor Browser Extension 1.8.0 has been published to both the Google Chrome and Microsoft Edge Add-ons Web Stores and will update automatically or can be updated manually, depending on your browser settings.
Enhancements
Added support for provisioning FIDO2 security keys (passkeys) for Microsoft Entra ID in conjunction with Axiad Conductor platform and Axiad Conductor OS Bridge.
OS Bridge 1.8.0
Prerequisites
Install the latest version of the Microsoft Visual C++ Redistributable.
Enhancements
Added support for provisioning FIDO2 security keys (passkeys) for Microsoft Entra ID in conjunction with Axiad Conductor platform and Axiad Conductor Browser Extension
Official support of Windows 11
Bug Fixes
PM-12998 NPE on GlobalPlatformCard.loadGlobalPlatformKeySet
April 29, 2025
Conductor Human Identities (HI)
Components included in this version
UCMS 4.20.4.1
Database Schema
4.20.4.1 - Requires update
Enhancements
PM-13596 Axiad Conductor now supports YubiKey 5 Series devices with firmware versions up to 5.7.4
April 11, 2025
Conductor Human Identities (HI)
Components included in this version
UCMS 4.20.3
UP 2.15.3
Database Schema
4.20.3 - Requires update
Enhancements
PM-13546 / TUTI-12954 When fetching users, SCIM APIs can now optionally return membership information, i.e., which SCIM group(s) the user belongs to. See the updated configuration steps in Create a SCIM User Source.
PM-13636 Following the deprecation of the /saml/sso login endpoint, there are now two options to log into the Unified Portal: / or /user
Bug Fixes
PM-13537 Users can now successfully log into the Axiad Unified Portal when federated with Microsoft Entra ID
March 27, 2025
Conductor Human Identities (HI)
Components included in this version
UP 2.15.2
Enhancements
PM-10065 Upgrade to Java 17 and Spring Boot 3. See the note above about the Java upgrade.
PM-2788 When an Operator attempts to revoke a user’s device or credential, they are prompted to confirm the action before it is revoked
New UI: (screenshot not reproduced)
PM-9360 Expanded and clarified the language presented to users when creating a PIN
Before / After: screenshots of the PIN-creation wording (not reproduced)
PM-10171 Operators can include custom links in end-of-lifecycle operation messages. Learn how to add links to messages here.
Known Limitations
PM-13076 Revoke confirmation message (PM-2788) does not display for imported service type credentials. Axiad plans to resolve this in a future release.
PM-13368 Logging into UP does not work with /saml/sso as Axiad has deprecated this endpoint as of UCMS 4.20 / UP 2.15. As of UCMS 4.20.3 / UP 2.15.3, you can use / or /user to log into the portal.
March 21, 2025
Conductor Human Identities (HI)
Components included in this version
UCMS 4.20.2
UP 2.15.1
IMPORTANT
In this Axiad Conductor release, and moving forward, Java 17 is required, and Java 11 is no longer supported. Prior to upgrading Axiad, please ensure that you’re using Java 17 and JAVA_HOME is set to reflect the new version.
Database Schema
4.20.2 - Requires update
Features
PM-1380 Axiad Operators can configure an HTML template to use for all outgoing email notifications. See the updated settings here.
PM-10467 Added support for SafeNet eToken Fusion 5300
PM-10193 Added support for Gemalto IDPrime MD 930 cards with custom manufacturer key
Enhancements
PM-10065 Upgrade to Java 17 and Spring Boot 3. See the note above about the Java upgrade.
PM-9178 Added a SHA-256 digest to the header of all RPMs
PM-10337 Update logging to show ERROR message instead of WARN when the connection to the HSM Client becomes stale
PM-7653 New option allows a user to replace a device without reissuing certificates that are both escrowed and still valid
PM-11431 Each user project now has a Group attribute included when querying users through the SCIM endpoint
Security Fixes
PM-11246 Addressed vulnerabilities: CVE-2024-38819, CVE-2024-38820 (Spring Framework)
PM-9936 Addressed vulnerabilities: CVE-2024-38809, CVE-2024-38808 (Spring Framework)
PM-9347 Addressed vulnerabilities: CVE-2024-38816 (Spring Framework)
PM-13182 Addressed vulnerabilities: CVE-2024-38828 (Spring Framework)
PM-10194 Addressed vulnerabilities: CVE-2024-38821 (Spring Security)
PM-13236 / PM-13246 Addressed vulnerabilities: CVE-2025-24813 (Apache Tomcat; requires the default servlet to allow writes, readonly=false, which is not Tomcat's default)
Known Limitations
In workflow transitions, UCMS pulls the existing encryption certificate even if it is about to expire, so users are forced to come back and update their device again despite having recently updated it. As a workaround, the user must update the device again. Axiad plans to resolve this in a future release.
Upgrading to UCMS 4.20 / UP 2.15
Check out the upgrade considerations for this new version here
February 7, 2025
Conductor Human Identities (HI)
Components included in this version
UCMS 4.17.6
UP 2.12.3
Database Schema
4.17.6 - Requires update
Security Fixes
PM-11175 Addressed the following Apache Tomcat security issues: CVE-2024-50379 / CWE-367 (time-of-check/time-of-use), CVE-2024-56337 / CWE-367 (incomplete fix for CVE-2024-50379), CVE-2024-52316 / CWE-248 (uncaught exception). The first two are exploitable only when the default servlet allows writes (readonly=false, not Tomcat's default) on a case-insensitive filesystem.
January 8, 2025
Conductor Human Identities (HI)
Components included in this version
UCMS 4.19.6
UP 2.14.2
Database Schema
4.19.6 - No DB changes
Security Fixes
PM-11175 Addressed the following Apache Tomcat security issues: CVE-2024-50379 / CWE-367 (time-of-check/time-of-use), CVE-2024-56337 / CWE-367 (incomplete fix for CVE-2024-50379), CVE-2024-52316 / CWE-248 (uncaught exception). The first two are exploitable only when the default servlet allows writes (readonly=false, not Tomcat's default) on a case-insensitive filesystem.
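The Tomcat fixes listed in this entry (and in the February 7, 2025 and March 21, 2025 entries) share one precondition that a practitioner can check locally: CVE-2024-50379, CVE-2024-56337 and CVE-2025-24813 all require the DefaultServlet to have been switched to readonly=false. The check below is an added example, not Axiad code; it parses a constructed conf/web.xml excerpt (the location of the web.xml used by your UCMS/UP Tomcat instance is an assumption) and reports whether the write-enabled configuration is present, so you can confirm the fixed build is not also carrying the risky setting.

```python
import xml.etree.ElementTree as ET

# Constructed conf/web.xml excerpt (not from any Axiad deployment) in which an
# administrator has enabled writes on Tomcat's DefaultServlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    # Strip the XML namespace so the check works for any web-app schema version.
    return tag.split("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return {param-name: param-value} for every DefaultServlet declaration."""
    root = ET.fromstring(web_xml_text)
    params = {}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), None)
        if (cls or "").strip() != DEFAULT_SERVLET_CLASS:
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = None
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
    return params


def default_servlet_writable(web_xml_text):
    """True when readonly is explicitly 'false'. Tomcat's default is true,
    so an absent init-param means the servlet is read-only."""
    value = default_servlet_params(web_xml_text).get("readonly") or "true"
    return value.lower() == "false"


def findings(web_xml_text):
    """Human-readable findings; empty list means the precondition is absent."""
    out = []
    if default_servlet_writable(web_xml_text):
        out.append(
            "DefaultServlet readonly=false: HTTP PUT/DELETE enabled. This is the "
            "precondition for CVE-2024-50379 / CVE-2024-56337 (on case-insensitive "
            "filesystems) and for CVE-2025-24813; set readonly=true unless WebDAV-style "
            "writes are genuinely required."
        )
    return out


if __name__ == "__main__":
    # Point this at the real file, e.g. open("/path/to/tomcat/conf/web.xml").read()
    for line in findings(SAMPLE_WEB_XML) or ["OK: DefaultServlet is read-only"]:
        print(line)
```

Run it against both conf/web.xml and any application-level WEB-INF/web.xml, since a servlet-level declaration can override the global one.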
Bug Fixes
PM-11424 LDAPS now works with UCMS in FIPS mode
December 2, 2024
AirLock 2.4.0
Features
PM-8591 Operators can now define which authentication methods can bypass AirLock. By default, AirLock lets users in if they authenticated using Axiad ID (Push/OTP), a certificate, Windows Hello for Business, or the Microsoft Authenticator.
Enhancements
PM-8592 Users are automatically redirected to AirLock if any of the certificates on any of their authentication devices are within the renewal period and must be updated. Devices that contain multiple certificates can now be recognized and prompted for update via AirLock.
This applies to ANY inserted device, even if the user is not employing it for authentication. If the certificate is within the renewal window or expired, then the user will be redirected to AirLock to update it.
PM-8940 Operators can now allow specific users (in addition to groups) to bypass AirLock enforcement
PM-9942 All deployed executables are digitally signed
Bug Fixes
PM-7300 The correct AirLock version displays in Windows Program list
PM-6779 AirLock checks the Windows edition to ensure that it has the required features to work and will cancel installation if unsupported to avoid user errors after a failed installation
AirLock requires the Enterprise edition, and Axiad supports all versions of Windows currently supported by Microsoft
PM-4090 An empty "Immune Security IDs" list is allowed and will enforce AirLock for all users, as expected
PM-7949 AirLock successfully detects smartcard login over RDP
Known Limitations
PM-10109 Windows Hello for Business (WHFB) login may fail if an empty virtual smart card (VSC) is present on the system. Remove the empty VSC as a workaround.
November 22, 2024
Conductor Human Identities (HI)
Components included in this version
UP 2.14.1
Security Fixes
PM-10375 Addressed vulnerabilities: CVE-2023-44487, CWE-79, CVE-2024-4067, CVE-2024-52316
Bug Fixes
PM-10346 Local logout setting respected when portal.timeout.idle is hit
PM-10154 User is able to reauthenticate with UP after session times out
PM-9858 Users are no longer presented with a spinning wheel when accessing UP without using the login URL first
PM-8081 "Unassign" option appears only once for imported devices
September 17, 2024
Conductor Human Identities (HI)
Components included in this version
UCMS 4.19.0
UP 2.14.0
Database Schema
4.19.0 - Requires update
Features
Support for YubiKey Firmware 5.7.1
The YubiKey firmware version 5.7.1 brings a number of significant changes and improvements that are now supported by the personalization process that Axiad Conductor / UCMS uses to enable secure lifecycle management of the devices. Axiad continues to support older YubiKey versions alongside the newer versions and this does not bring any breaking changes to your YubiKey experience.
Configuration Change
To support the new YubiKey version alongside the older versions, you must change the YK Version parameter to 5.7.1. View more information about this parameter here.
Local Logout from Unified Portal
Operators can choose whether users log out from only the Axiad Unified Portal or out of their entire IdP (SAML) session. View the setting and additional information here.
Enhancements
PM-7033 Add session identifier in logger extension for easier log traceability. To enable this, you must update the Log4j2.xml configuration file.
PM-8768 Support for Luna HSM 10.5.0+
Backward Compatibility
UCMS 4.19 is NOT backwards compatible with older Luna HSM client versions. It requires a minimum client version of 10.5.0-470 for the Commercial version and 7.13.2 for the Government version.
View installation changes here
PM-8538 New API endpoints added
Prerequisite for 4.19+
For versions 4.19+, you must add privileges for the following APIs to the Role for which the bearer token (used by UP) was generated:
GET /api/v2/devices/start/<process>/<key>
POST /api/v2/devices/next
PM-6737 UCMS will now enforce that the Certificate Server Name is unique in each configuration. When upgrading UCMS, any duplicate names are automatically updated with a counter following the name, e.g. ServerName, ServerName1, ServerName2, etc.
PM-6754 Removed the private key alias and private key password fields from IdenTrust Credential Server configuration as they are not used by this connector.
PM-6755 Removed the signer certificate alias, signer certificate password, and wrapping certificate alias fields from IDnomic ID-PKI Credential Server configuration as they are not used by this connector.
PM-8314 New Authority ID field added to the PrimeKey EJBCA Credential Server configuration to capture the necessary value. When upgrading UCMS, the field will automatically populate with the CA name. New configurations will require setting this value before saving the configuration.
PM-7697 On the Helpdesk > Users page, when opening the user Details, the field Username (UPN) is changed to Username
PM-8115 Detailed login and logout events added to the audit log
Bug Fixes
PM-6613 User search in Operator Portal now works properly when searching for users previously imported through the migration tool
PM-7567 CA connects successfully when configured with FIPS LunaHSM with updated Java version. See specific requirements for the fips.mode parameter here
PM-8125 Error message updated when issuance fails due to unsupported device or invalid PIN to be more helpful
PM-7813 Updated notification verbiage if one of the credentials on an enrolled device has expired:
Previous message: "Your device has expired, please renew now."
New message: "One of the credentials mapped to device is expired, please renew now."
PM-8544 Enrolling a virtual smart card when there are no existing devices enrolled no longer leads to a loading loop
August 30, 2024
Axiad ID Mobile Application 2.1.2
Enhancements
Android Library Updates for Google Play API
Axiad completed various backend library updates to meet the necessary target API level requirements. This ensures the security and efficiency of the app usage.
No User Impact
This change is fully transparent to the user experience and does not include any functional changes in the mobile application.
Security and Performance Updates
This version includes maintenance updates to continually improve the security and performance of the Android and iOS Axiad ID mobile application.
Browser Extension 1.5.5
Enhancements
Support for Manifest v3.0
To support Google's deprecation of browser extensions using the Manifest v2.0 format, we've updated the Axiad Portal Extension to support this new Manifest v3.0 format.
WebPCSC Backward Compatibility
This version of the browser extension does not require a new version of Axiad WebPCSC. You can use this extension version with any version of the WebPCSC component, including the latest 1.5.5 version.
August 18, 2024
OS Bridge 1.5.5
Release Prerequisites
Install the latest Microsoft Visual C++ Redistributable.
Enhancements
Support for Manifest v3.0
To support Google's deprecation of browser extensions using the Manifest v2.0 format, we've updated WebPCSC to support the Axiad Portal Extension in this new Manifest v3.0 format. This will be the baseline version for all Windows and macOS endpoints going forward.
June 10, 2024
Conductor Human Identities (HI)
Components included in this version
UCMS 4.17.4
UP 2.12.2
Bug Fixes
PM-7617 / PM-7321 / PM-7513 Update PIN settings to meet MD930 requirements
PM-7672 UCMS Operator email address can now include “-” and “_” following “@”
PM-7898 Reset PIN supported for Gemalto cards
PM-6594 SMTP support enhancements
PM-7335 / PM-7787 / PM-7788 Axiad displays a meaningful error message if backend services are unreachable
PM-7905 When configuration leads to a mismatch, Axiad fails the issuance and displays necessary information for the user
PM-7380 Operator can choose how to use the Device Expiration feature, if at all
May 10, 2024
Conductor Human Identities (HI)
Components included in this version
UCMS 4.17.3
Bug Fixes
PM-7704 The UPN can now be included as a SAN extension in encryption certificates issued by MSCA
May 2, 2024
Conductor Human Identities (HI)
Components included in this version
UCMS 4.17.2
Bug Fixes
PM-7334 Errors returned by an IdenTrust CA during issuance or revocation will now produce a more explicit message
PM-7495 You can now edit a workflow even if no active credential profile is associated with it
PM-7497 / PM-7582 Migrating a user and renewing one of their devices will no longer result in duplicated device records
PM-7586 After upgrading from UCMS 4.13 to 4.17, searching for a user in the helpdesk or scanner will no longer result in UCMS.devices.internalError error
March 28, 2024
Conductor Human Identities (HI)
Components included in this version
UCMS 4.17.1
UP 2.12.1
Bug Fixes
PM-6857 NULL pointer exception no longer displays during PIN reset and card details retrieval
PM-6803 User can successfully update existing Windows Hello for Business certificates via Axiad
PM-6801 User can revoke Windows Hello for Business credential from Unified Portal
PM-7152 Username data consistently updated in Axiad via SCIM
PM-5643 User stays on logout page or is redirected to configured logout page when they click “logout” from the UP
January 25, 2024
Conductor Human Identities (HI)
Components included in this version
UCMS 4.17.0
UP 2.12.0
Features
FIPS-Compliant Cryptography
As part of our dedication to ensuring our solution meets FedRAMP authorization requirements, we've upgraded all of our cryptography libraries with their FIPS-compliant versions. You can now configure UCMS to rely exclusively on FIPS compliant cryptography.
Microsoft Environments
There are known issues when FIPS mode is enabled that can make UCMS unable to connect to Active Directory or a Microsoft Certification Authority. We are currently investigating how to best address those. For now, we advise you not to use this mode in a Microsoft environment, until further notice.
Support for Multiple AD Identities Mapped to a Single Authenticator
Axiad now supports users with multiple AD identities that are mapped via user SIDs to a single authenticator, in support of the recently-introduced Microsoft KB5014754 certificate-based authentication changes to Windows domain controllers.
SIDs Configured via a SCIM or AD User Source: When the SID is configured in your SCIM or AD data source, it will be automatically included in all certificate requests for card slots that are configured in a workflow.
Alternatively, you can opt to use a custom attribute to insert a custom value via a new Custom SID column on the Certificate Workflow’s Configure Workflow Steps > Certificates page (screenshot not reproduced).
In this field, you can:
leave the field blank: UCMS will automatically retrieve the SID and insert it into the PIV Authentication slot, as described above.
enter a custom attribute that is defined in your user source.
UCMS reads a custom attribute for the current user (such as {user_custom1}) to retrieve a custom SID.
This custom attribute can come from either an Active Directory or a SCIM user source.
If the custom attribute is empty, or set with an incorrect value (for example, an invalid format), the device issuance fails.
You can configure as many custom SIDs as there are certificate slots available, and the device is issued with each authentication certificate carrying the expected SID. This process works with all Axiad-supported PKI providers.
Note
The certificate template used by your PKI will ultimately decide whether the value is included as an extension in the certificate.
Read more about this feature’s experience here.
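Two points in the section above are worth checking with real bytes: the issuance-time rejection of an empty or malformed custom SID, and the Note that the PKI template ultimately decides whether the SID lands in the certificate. The following is an added example, not Axiad's code. It encodes and decodes the KB5014754 SID extension (szOID_NTDS_CA_SECURITY_EXT, OID 1.3.6.1.4.1.311.25.2) in DER without third-party libraries, using the layout as I read it from Microsoft's description: an outer SEQUENCE holding a [0]-tagged OtherName whose type-id is 1.3.6.1.4.1.311.25.2.1 and whose [0] EXPLICIT value is an OCTET STRING containing the textual SID. The domain-SID regular expression is my own acceptance rule, not Axiad's; the sample SID is constructed.

```python
import re

# OIDs from Microsoft KB5014754: the certificate extension (szOID_NTDS_CA_SECURITY_EXT)
# and the OtherName type-id carried inside it.
NTDS_CA_SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"
NTDS_OBJECTSID_OID = "1.3.6.1.4.1.311.25.2.1"

# Assumed acceptance rule (not Axiad's): a domain user/computer SID,
# S-1-5-21-<three domain sub-authorities>-<RID>, each component a 32-bit value.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-\d{1,10}$")


def validate_sid(value):
    """Raise ValueError for an empty or malformed SID, mirroring the
    'device issuance fails' outcome described for the Custom SID attribute."""
    if value is None or not value.strip():
        raise ValueError("SID attribute is empty")
    if not _DOMAIN_SID_RE.match(value):
        raise ValueError("SID has invalid format: %r" % (value,))
    return value


def sid_is_valid(value):
    """Boolean form of validate_sid for callers that do not want exceptions."""
    try:
        validate_sid(value)
        return True
    except ValueError:
        return False


def _der_len(n):
    # DER length: short form below 128, otherwise 0x8N followed by N big-endian bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    # First two arcs share one byte; remaining arcs are base-128 with continuation bits.
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_ntds_security_ext(sid):
    """DER value of the extension:
    SEQUENCE { [0] IMPLICIT OtherName { type-id OID, [0] EXPLICIT OCTET STRING sid } }"""
    sid = validate_sid(sid)
    explicit_value = _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    other_name = _tlv(0xA0, _encode_oid(NTDS_OBJECTSID_OID) + explicit_value)
    return _tlv(0x30, other_name)


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_ntds_security_ext(der):
    """Return the SID string from an extension value, or raise ValueError.
    Use this on the extension bytes pulled from an issued certificate to confirm
    the CA template actually kept the SID."""
    try:
        tag, seq, _ = _read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError("expected outer SEQUENCE")
        tag, other_name, _ = _read_tlv(seq, 0)
        if tag != 0xA0:
            raise ValueError("expected [0] IMPLICIT OtherName")
        tag, oid_body, pos = _read_tlv(other_name, 0)
        if tag != 0x06 or _tlv(0x06, oid_body) != _encode_oid(NTDS_OBJECTSID_OID):
            raise ValueError("unexpected OtherName type-id")
        tag, wrapper, _ = _read_tlv(other_name, pos)
        if tag != 0xA0:
            raise ValueError("expected [0] EXPLICIT value")
        tag, sid_bytes, _ = _read_tlv(wrapper, 0)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING")
    except IndexError:
        raise ValueError("truncated DER")
    return validate_sid(sid_bytes.decode("ascii"))


if __name__ == "__main__":
    sample = "S-1-5-21-3623811015-3361044348-30300820-1013"  # constructed SID
    der = encode_ntds_security_ext(sample)
    print(der.hex())
    print(decode_ntds_security_ext(der))
```

To verify a card after issuance, dump the extension with OID 1.3.6.1.4.1.311.25.2 from the PIV Authentication certificate using your PKI tooling and pass the raw value to decode_ntds_security_ext; a ValueError or a SID that does not match the user's directory SID means the template or the custom attribute needs attention before the KB5014754 enforcement mode is turned on.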
UCMS-Installer PowerShell Module
For Windows-based deployments, Axiad is introducing a new UCMS-Installer PowerShell module. This module automates and simplifies many steps, and, as a result, we've removed the following files from the UCMS > archive folder:
bin\encrypt.bat
bin\install_service.bat
bin\migration.bat
bin\oauth.bat
bin\uninstall_service.bat
schema\load-db.ps1
schema\load-db-config.xml
schema\README.txt
The UCMS-Installer PowerShell module is available from your Customer Success representative.
Support for Offline PIN Reset via a Challenge / Response with IDEMIA 8.2 Cards
If enabled in your organization, when using IDEMIA 8.2 cards you can reset your PIN offline either with the PIN Unblocking Key (PUK) or via a challenge question and response prompt. Enterprises can set a preferred method for devices that support both mechanisms.
This option is available to all IDEMIA 8.2 cards. If you have an existing, enrolled IDEMIA 8.2 card, the challenge/response prompt will be available for you (if your organization enables it). From an administrative standpoint, you can set a preferred PIN reset method for your IDEMIA 8.2 cards by creating and configuring a new parameter, Preferred offline unlock on the Parameter Management page in UCMS.
Set Your Preferred PIN Reset Method
1. From the top menu, click Configuration > Parameter Management. The Parameter Management page displays.
2. Select Miscellaneous from the Configuration Parameter drop-down list. Your miscellaneous configuration parameters display.
3. Click Add Parameter Value. The Add Parameter Values for 'Miscellaneous' dialog box displays.
4. Enter the following values:
Configuration code: Preferred offline unlock
Display value: Enter one of the following:
Blank: Leaving this field blank returns all supported PIN reset methods.
PUK: When multiple PIN reset methods are available, sets PUK as the preferred PIN reset method.
CR: When multiple PIN reset methods are available, sets challenge response as the preferred PIN reset method.
5. Click Save. The parameter is saved and added to the Miscellaneous Parameter Values list.
6. Click Close. The Add Parameter Values for 'Miscellaneous' dialog box closes.
Working with devices that do not support multiple methods
The PIN reset method preference only applies to devices such as IDEMIA 8.2 cards that offer more than one method. For other devices that only support one method to reset the PIN offline, the preference is ignored, and the one method supported is the one that will be offered.
User-Friendly Device Names for Your UCMS-Managed Identity Devices
You can now rename all of your own certificate-based identity devices issued in the Unified Portal (including Gemalto and IDEMIA smart cards, YubiKeys, and Virtual Smart Cards) with custom, user-friendly names.
New "LEGIBLE ID" Column in the MyIdentities and Reporting Pages
If your organization issues IDEMIA cards via UCMS, you can use a new column, LEGIBLE ID, to display the card's printed serial number. This makes it easier to compare what's listed in your device list to the physical card itself.
For existing devices, the ID will not display the first 10 digits of your IDEMIA card (the BAP number and the IC embedded date), as we did not previously store this data. For example, if your existing card number is 123456-7890-1234567890, it displays in the LEGIBLE ID column as XXXXXX-XXXX-1234567890.
For new devices, we will display all digits of your IDEMIA card, including the BAP number and IC embedded date. For example, if your new card number is 123456-7890-1234567890, it displays in the LEGIBLE ID column as 123456-7890-1234567890.
Enhancements
User Groups Are No Longer Exclusive From Each Other in Workflows
Groups that you use in your organization to assign UCMS workflows to users are no longer exclusive. A new priority attribute allows you to decide which workflow should take precedence when multiple ones apply to a given user.
Bug Fixes
PM-4884 When you disable a YubiKey, UCMS disables the YubiKey touch functionality and also deletes the certificate in the YubiKey slot
PM-4330 When you enroll a YubiKey via the Unified Portal with the issuance workflow configured for a specific slot, UCMS verifies whether the device was previously issued; if it was, the existing certificate remains in the specified slot
PM-5206 When performing an LDAP sync, if there is a username in the directory with the same name as the default administrator in UCMS, then that account is now ignored
PM-6010 API endpoint GET /api/v3/users/{uid}/notifications was updated to support group transition; the return message displays “renewTransition” upon completion
PM-4663 On the Reporting page, when you revoke a device, the device status now displays as INACTIVE as expected
PM-5718 Help Desk Operators with REVOKE privileges can now unassign hardware OTP tokens from any user
Known Limitations
Users who attempt to initialize a Virtual Smart Card (VSC) created by a third party receive an Incorrect Admin Key error while performing PIV Administration authentication. This is temporary until we add the capability in our solution to identify virtual smart cards not managed by Axiad.
Deprecation
Device Actions in UCMS
The following device management actions have been removed from the UCMS Operator Portal, and are no longer available:
Device Scan > Card Security > GP Lock
Device Scan > Card Security > GP Unlock
Device Scan > Card Security > Reset
The following device management actions are now handled exclusively via the Unified Portal’s Help Desk and/or MyIdentities pages.
| Device Management Action | Former Location in UCMS | Existing Location(s) in Unified Portal |
|---|---|---|
| PIN Reset | Administration > Manage Credential Holders | |
| Renew | Administration > Manage Credential Holders | |
| Offline PIN Reset | Administration > Manage Credential Holders | Managed service via the Help Desk > Users page: Retrieve a Personal Unblocking Key (PUK) |
| Issue Device | Administration > Manage Credential Holders | |
| Credentialing | Administration > Manage Users > Users | |
| Reset | Device Scan > Card Security > Reset | |
API v1
As of this release, we no longer support version 1 of the UCMS REST API.
Legacy Devices and Tools
As of UCMS 4.16, we no longer support the following:
YubiKey Neo
We no longer support the YubiKey Neo device.
You can no longer create or manage a YubiKey Neo credential profile.
The YubiKey Neo option has been removed from the Add Credential Profile option on the Credential Profile page.
The Create Yubikey Neo Credential Profile privilege on the Configuration Management > Role Management > Access Privileges page has been removed.
JCOP
Generic JCOP devices are no longer supported in UCMS.
You can no longer create or manage a JCOP credential profile.
The JCOP and JCOP3 applet types have been removed from the Add Credential Profile option on the Credential Profile page.
The Create JCOP Credential Profile privilege on the Configuration Management > Role Management > Access Privileges page has been removed.
As of UCMS 4.17, we no longer support the following:
the legacy CMS import tool
3DES Keys in HSMs
As of December 2024, NIST no longer approves the use of 3DES (TDEA) keys in any FIPS-compliant environment. We are updating our product to align with these security guidelines. UCMS will continue to support legacy devices already in the field that use such keys.
Note
Additional details can be found in NIST Special Publication 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths