UCMS 4.17/UP 2.12 Release Notes
- Updated on 12 Jun 2024
Last Updated: May 16, 2024
Note
If you have any questions about these features or want to request a more in-depth discussion about the best way to leverage them, reach out to us at productmanagement@axiad.com.
Product versions included in this release:
UCMS v4.14, 4.15, 4.16, and 4.17
UP v2.9, 2.10, 2.11, and 2.12
UCMS 4.17
New Features
FIPS-Compliant Cryptography
As part of our dedication to ensuring our solution meets FedRAMP authorization requirements, we've upgraded all of our cryptography libraries with their FIPS-compliant versions. You can now configure UCMS to rely exclusively on FIPS compliant cryptography.
Microsoft environments
There are known issues when FIPS mode is enabled that can make UCMS unable to connect to Active Directory or a Microsoft Certification Authority. We are currently investigating how best to address them. For now, we advise you to avoid using this mode in a Microsoft environment until further notice.
Support for Multiple AD Identities Mapped to a Single Authenticator
Axiad now supports users with multiple AD identities that are mapped via user SIDs to a single authenticator, in support of the recently-introduced Microsoft KB5014754 certificate-based authentication changes to Windows domain controllers.
SIDs Configured via a SCIM or AD User Source: When the SID is configured in your SCIM or AD data source, it will be automatically included in all certificate requests for card slots that are configured in a workflow.
Alternatively, you can use a custom attribute to supply a custom value via a new Custom SID column on the Certificate Workflow's Configure Workflow Steps > Certificates page. In this field, you can:
leave the field blank: UCMS automatically retrieves the SID from the user source and inserts it into the PIV Authentication slot, as described above.
enter a custom attribute that is defined in your user source.
UCMS reads a custom attribute for the current user (such as {user_custom1}) to retrieve a custom SID.
This custom attribute can come from either an Active Directory or a SCIM user source.
If the custom attribute is empty, or set with an incorrect value (for example, an invalid format), the device issuance fails.
You can configure as many custom SIDs as there are certificate slots available, and the device will issue with each authentication certificate that presents the expected SID. This process works with all Axiad-supported PKI providers.
NOTE
The certificate template used by your PKI will ultimately decide whether the value is included as an extension in the certificate.
Read more about this feature’s experience here.
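The custom SID value is only useful if it reaches the certificate request well-formed, and the text above says issuance fails outright on an empty or malformed value. The following is an added, hypothetical pre-issuance check (not UCMS code) that validates what a custom attribute such as {user_custom1} would carry: it parses the textual SID, bounds-checks each field, and confirms it is a domain account SID rather than a built-in one. The function names and the sample SIDs are constructed for the example.

```python
import re
from dataclasses import dataclass

# Textual SID: S-<revision>-<identifier authority>-<1..15 sub-authorities>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+){1,15})$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple


def parse_sid(value):
    """Parse a textual SID; raise ValueError on anything malformed."""
    if value is None or not value.strip():
        raise ValueError("custom SID attribute is empty")
    m = SID_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a well-formed SID string: {value!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:          # identifier authority is 48 bits wide
        raise ValueError("identifier authority exceeds 48 bits")
    if any(s >= 1 << 32 for s in subs):  # each sub-authority is 32 bits wide
        raise ValueError("sub-authority exceeds 32 bits")
    return Sid(revision, authority, subs)


def is_domain_account_sid(sid):
    """True for S-1-5-21-<domain x3>-<RID>, the form a domain user or computer carries."""
    return (sid.authority == 5
            and len(sid.sub_authorities) == 5
            and sid.sub_authorities[0] == 21)


def check_custom_sid(value):
    """Return (ok, reason). ok=False mirrors UCMS refusing to issue on a bad value."""
    try:
        sid = parse_sid(value)
    except ValueError as exc:
        return False, str(exc)
    if not is_domain_account_sid(sid):
        return False, "SID is well-formed but is not a domain account SID"
    return True, "ok"
```

Run the check against the attribute value before submitting the certificate request, and log the reason string so a failed issuance can be traced to the user-source data rather than to the PKI.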
UCMS-Installer PowerShell module
For Windows-based deployments, Axiad is introducing a new UCMS-Installer PowerShell module. This module automates and simplifies many steps, and, as a result, we've removed the following files from the UCMS > archive folder:
bin\encrypt.bat
bin\install_service.bat
bin\migration.bat
bin\oauth.bat
bin\uninstall_service.bat
schema\load-db.ps1
schema\load-db-config.xml
schema\README.txt
The UCMS-Installer PowerShell module is available from your Customer Success representative.
Support for Offline PIN Reset via a Challenge/Response with IDEMIA 8.2 Cards
Please see the UP release notes below for details on the user experience. From an administrative standpoint, you can set a preferred PIN reset method for your IDEMIA 8.2 cards by creating and configuring a new parameter, Preferred offline unlock, on the Parameter Management page in UCMS.
From the top menu, click Configuration > Parameter Management. The Parameter Management page displays.
Select Miscellaneous from the Configuration Parameter drop-down list. Your miscellaneous configuration parameters display.
Click Add Parameter Value. The Add Parameter Values for 'Miscellaneous' dialog box displays.
Enter the following values:
Configuration code: Preferred offline unlock
Display value: Enter one of the following:
Blank: Leaving this field blank returns all supported PIN reset methods.
PUK: When multiple PIN reset methods are available, sets PUK as the preferred PIN reset method.
CR: When multiple PIN reset methods are available, sets challenge/response as the preferred PIN reset method.
Click Save. The parameter is saved and added to the Miscellaneous Parameter Values list.
Click Close. The Add Parameter Values for 'Miscellaneous' dialog box closes.
Working with devices that do not support multiple methods
The PIN reset method preference applies only to devices, such as IDEMIA 8.2 cards, that offer more than one method. For devices that support only one offline PIN reset method, the preference is ignored and the one supported method is offered.
Enhancements
User Groups Are No Longer Exclusive From Each Other in Workflows
Groups that you use in your organization to assign UCMS workflows to users are no longer exclusive. A new priority attribute allows you to decide which workflow should take precedence when multiple ones apply to a given user.
Feature Removal: Device Actions in UCMS
The following device management actions have been removed from the UCMS Operator Portal, and are no longer available:
Device Scan > Card Security > GP Lock
Device Scan > Card Security > GP Unlock
Device Scan > Card Security > Reset
The following device management actions are now handled exclusively via the Unified Portal’s Help Desk and/or MyIdentities pages.
Device Management Action | Former Location in UCMS | Existing Location(s) in Unified Portal |
---|---|---|
PIN Reset | Administration > Manage Credential Holders | |
Renew | Administration > Manage Credential Holders | |
Offline PIN Reset | Administration > Manage Credential Holders | Managed service via the Help Desk > Users page: Retrieve a Personal Unblocking Key (PUK) |
Issue Device | Administration > Manage Credential Holders | |
Credentialing | Administration > Manage Users > Users | |
Reset | Device Scan > Card Security > Reset | |
Feature Removal: API v1
As of this release, we no longer support version 1 of the UCMS REST API.
Feature Removal: Legacy Devices and Tools
As of UCMS 4.16, we no longer support the following:
YubiKey Neo
We no longer support the YubiKey Neo device.
You can no longer create or manage a YubiKey Neo credential profile.
The YubiKey Neo option has been removed from the Add Credential Profile option on the Credential Profile page.
The Create Yubikey Neo Credential Profile privilege on the Configuration Management > Role Management > Access Privileges page has been removed.
JCOP
Generic JCOP devices are no longer supported in UCMS.
You can no longer create or manage a JCOP credential profile.
The JCOP and JCOP3 applet types have been removed from the Add Credential Profile option on the Credential Profile page.
The Create JCOP Credential Profile privilege on the Configuration Management > Role Management > Access Privileges page has been removed.
As of UCMS 4.17, we no longer support the following:
the legacy CMS import tool
Support Deprecation: 3DES Keys in HSMs
As of December 2024, NIST no longer approves the use of 3DES keys in any FIPS-compliant environment. We are updating our product to align with these new security guidelines. UCMS will continue to support legacy devices in the field that are using such keys.
FOR MORE INFORMATION
Additional details can be found in the NIST's Special Publication Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Bug Fixes
Version | Ref ID | Description |
---|---|---|
4.14.0 | PM-4884 | When you disable a YubiKey, UCMS disables the YubiKey touch functionality but also deletes the certificate in the YubiKey slot |
4.14.0 | PM-4330 | When you enroll a YubiKey via the Unified Portal with the issuance workflow configured for a specific slot, UCMS verifies whether the device was previously issued; if it was, the existing certificate remains in the specified slot |
4.15.0 | PM-5206 | When performing an LDAP sync, if a username in the directory matches the default administrator in UCMS, that account is now ignored |
4.17.0 | PM-6010 | The API endpoint GET /api/v3/users/{uid}/notifications was updated to support group transition; the return message displays "renewTransition" upon completion |
4.17.1 | PM-6857 | A NULL pointer exception no longer displays during PIN reset and card details retrieval |
4.17.1 | PM-6803 | Users can successfully update existing Windows Hello for Business certificates via Axiad |
4.17.1 | PM-6801 | Users can revoke a Windows Hello for Business credential from the Unified Portal |
4.17.1 | PM-7152 | Username data is consistently updated in Axiad via SCIM |
4.17.2 | PM-7334 | Errors returned by an IdenTrust CA during issuance or revocation now produce a more explicit message |
4.17.2 | PM-7495 | You can now edit a workflow even if no active credential profile is associated with it |
4.17.2 | PM-7497, PM-7582 | Migrating a user and renewing one of their devices no longer results in duplicated device records |
4.17.2 | PM-7586 | After upgrading from UCMS 4.13 to 4.17, searching for a user in the helpdesk or scanner no longer results in a UCMS.devices.internalError error |
4.17.3 | PM-7704 | The UPN can now be included as a SAN extension in encryption certificates issued by MSCA |
4.17.4 | PM-7617, PM-7321, PM-7513 | Updated PIN settings to meet MD930 requirements |
4.17.4 | PM-7672 | UCMS Operator email addresses can now include "-" and "_" following "@" |
4.17.4 | PM-7898 | Reset PIN is supported for Gemalto cards |
4.17.4 | PM-6594 | SMTP support enhancements |
Known Issues
Version | Issue | Workaround |
---|---|---|
4.15.0 | Users who attempt to initialize a Virtual Smart Card (VSC) created by a third party receive an Incorrect Admin Key error while performing PIV Administration authentication | Users are now always presented with the alternative option of creating a new VSC |
UP 2.12
New Features
FIPS-Compliant Cryptography
As part of our dedication to ensuring our solution meets FedRAMP authorization requirements, we've upgraded all of our cryptography libraries with their FIPS-compliant versions. You can now configure UCMS to rely exclusively on FIPS compliant cryptography.
Support for Offline PIN Reset via a Challenge/Response with IDEMIA 8.2 cards
If enabled in your organization, when using IDEMIA 8.2 cards you can reset your PIN with the PIN Unblocking Key (PUK) functionality and/or via a challenge question and response prompt. Enterprises can set a preferred method for devices that support both mechanisms.
This option is available for all IDEMIA 8.2 cards. If you have an existing, enrolled IDEMIA 8.2 card, the challenge/response prompt is available to you if your organization enables it.
User-Friendly Device Names for Your UCMS-Managed Identity Devices
You can now rename all of your own certificate-based identity devices issued in the Unified Portal (including Gemalto and IDEMIA smart cards, YubiKeys, and Virtual Smart Cards) with custom, user-friendly names.
New "LEGIBLE ID" Column in the MyIdentities and Reporting Pages
If your organization issues IDEMIA cards via UCMS, you can use a new column, LEGIBLE ID, to display the card's printed serial number. This makes it easier to compare what's listed in your device list to the physical card itself.
For existing devices, the column does not display the first 10 digits of your IDEMIA card (the BAP number and the IC embedded date), because we did not previously store this data. For example, if your existing card number is 123456-7890-1234567890, it displays in the LEGIBLE ID column as XXXXXX-XXXX-1234567890.
For new devices, all digits of your IDEMIA card are displayed, including the BAP number and IC embedded date. For example, if your new card number is 123456-7890-1234567890, it displays in the LEGIBLE ID column as 123456-7890-1234567890.
To display this column, see Update Your Unified Portal Display Preferences.
Bug Fixes
Version | Ref ID | Description |
---|---|---|
2.9.0 | PM-4663 | On the Reporting page, when you revoke a device, the device status now displays as INACTIVE as expected |
2.9.0 | PM-5718 | Help Desk Operators with REVOKE privileges can now unassign hardware OTP tokens from any user |
2.12.1 | PM-5643 | Users stay on the logout page, or are redirected to the configured logout page, when they click "logout" in the UP |
2.12.2 | PM-7335, PM-7787, PM-7788 | Axiad displays a meaningful error message if backend services are unreachable |
2.12.2 | PM-7905 | When configuration leads to a mismatch, Axiad fails the issuance and displays the necessary information for the user |
2.12.2 | PM-7380 | Operators can choose how to use the Device Expiration feature, if at all |
Article History
Date | Section | Description |
---|---|---|
May 16, 2024 | UCMS / UP Bug Fixes | Updated bug fixes for UCMS 4.17.2, 4.17.3 and UP 2.12.1 |
April 4, 2024 | Overall | Added 4.17.1 / UP 2.12.1 release notes |
January 26, 2024 | Overall | Restructured and updated following official release |
December 7, 2003 | | Clarified Removal vs. Deprecation |
December 6, 2023 | | Added REST API v1 to the API deprecation release note |
December 5, 2023 | | Updated "Multi-Factor Authentication Groups" title to "User Groups Are No Longer Exclusive From Each Other in Workflows" and clarified description of feature |
December 4, 2023 | | Added sections and two new features due to scope increase |
November 15, 2023 | | Article creation |