UCMS 4.7/UP 2.2 Release Notes
  • 22 Aug 2023

Last Updated: August 21, 2023

NOTE
If you have any questions about these features, or want to request a more in-depth discussion about the best way to leverage them, reach out to us at productmanagement@axiad.com.

New Features

Support for New Devices

UCMS now supports the issuance and management of new device types. To issue and manage these devices, you must create a new device profile and assign it to a workflow.

Virtual Smart Cards

This new device type is available only to Windows users, and allows the issuance of certificate-based credentials with keys generated and stored in a Trusted Platform Module (TPM). This feature requires a TPM with firmware version 1.2 or 2.0, and Axiad WebPCSC version 1.4.0 or later.

Virtual Smart Cards are considered a new category of certificate-based authenticator. As a result, access to the new configuration screens is bound to new permissions, which must be granted to any Operator role you deem appropriate.

Gemalto MD830 and MD930 Smart Cards

UCMS is now able to issue CIV-compliant certificate-based credentials on Gemalto smart cards.

YubiKeys with Firmware 5.3 and Above

This firmware introduces support for establishing a secure channel, which UCMS can leverage to support additional features (such as regeneration of the OTP slot on every issuance). This provides the best level of security without the additional burden of managing pre-existing OTP seeds.

Soft Revocation

Revoking an authenticator will no longer fail if the PKI is unavailable at the time of the operation. UCMS will mark the device as revoked and all certificate-based credentials will be marked as pending revocation. UCMS will automatically retry the operation when the PKI becomes available again. New settings are available in the config.properties file to adjust the retry schedule:

Key                         Description                                                            Default                              Suggestions
soft.revoke.scheduler.cron  Frequency at which failed ("soft") revocations should be reprocessed.  0 15 22 1/1 * ? (10:15pm every day)  Increase this value if you have a large number of users to synchronize.
soft.revoke.max.job.age     Maximum validity of a synchronization task in the queue.               PT8H (8 hours)
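As an added illustration (not UCMS code), the following Python models how the two new settings drive one soft-revocation retry run: it reads the config.properties keys, validates the Quartz-style cron expression (seconds, minutes, hours, day-of-month, month, day-of-week), converts the ISO-8601 duration, and reprocesses a constructed queue of pending revocations. The queue layout, the credential ids and the rule that a task older than the maximum age is reported instead of retried are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed config.properties fragment using the two new soft-revocation keys.
SAMPLE_CONFIG = "soft.revoke.scheduler.cron=0 15 22 1/1 * ?\nsoft.revoke.max.job.age=PT8H\n"

_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_properties(text):
    """Minimal key=value parser for config.properties-style lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_iso_duration(value):
    """Parse an ISO-8601 duration such as PT8H (the max.job.age format) into a timedelta."""
    m = _DURATION_RE.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"not an ISO-8601 duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def validate_quartz_cron(expr):
    """The default '0 15 22 1/1 * ?' is a Quartz cron expression: 6 or 7 fields
    (seconds minutes hours day-of-month month day-of-week [year]) and exactly
    one of the two day fields must be '?'."""
    fields = expr.split()
    return len(fields) in (6, 7) and (fields[3] == "?") != (fields[5] == "?")

def reprocess(queue, pki_available, now, max_age):
    """One scheduler run: returns (completed, kept, expired) credential ids.
    Assumption: a task older than max_age is expired and surfaced to operators
    rather than retried indefinitely."""
    completed, kept, expired = [], [], []
    for cred_id, first_attempt in queue:
        if now - first_attempt > max_age:
            expired.append(cred_id)
        elif pki_available:
            completed.append(cred_id)   # PKI back: revocation goes through
        else:
            kept.append(cred_id)        # PKI still down: stays pending
    return completed, kept, expired

def demo():
    props = parse_properties(SAMPLE_CONFIG)
    max_age = parse_iso_duration(props["soft.revoke.max.job.age"])
    now = datetime(2023, 8, 22, 22, 15, tzinfo=timezone.utc)   # constructed run time
    queue = [("cred-A", now - timedelta(hours=2)), ("cred-B", now - timedelta(hours=9))]
    return reprocess(queue, pki_available=True, now=now, max_age=max_age)
```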

Device Serial Number in Certificates

UCMS operators can now elect to include the device serial number as part of either the Distinguished Name or the SubjectAlternativeName extension of any digital certificate. This can help users with multiple authentication certificates better distinguish which certificate is on the card (or device) currently plugged in. To use this feature, add the new {device.serialNumber} field to a certificate configuration in a new or existing workflow.

New API Functions

To use these new API functions, you must enable the associated permissions in the role(s) of your choice. The following functions were introduced in this version:

Verb    URL                                           Description
GET     /users/{uid}/notifications                    Get the list of expiration notices for a given user.
GET     /api/v3/parameters/{category}                 Get the list of configuration parameters set in UCMS for a given category.
GET     /api/v3/parameters/{category}/{configName}    Get the value of a specific configuration parameter set in UCMS for a given category.
POST    /api/v3/parameters/{category}                 Add or update configuration parameters in UCMS.
DELETE  /api/v3/parameters/{category}/{configName}    Remove a specific configuration parameter set in UCMS for a given category.
POST    /api/v3/devices                               Get a list of devices matching the given criteria.
GET     /api/v3/devices/metadata                      Get the list of available report filters.
GET     /api/v3/parameters                            Get the list of configuration parameters set in UCMS.

Enhancements

MSCA Template Permissions

If UCMS is deployed with the MS CA Agent (to request certificates from a Microsoft CA), this agent no longer requires the AutoEnroll permission on all certificate templates in order to list them in the Operator Portal.

We recommend you remove this permission.

Active Directory Synchronization

UCMS 4.7 introduces new options in the config.properties file to adjust how often the local Active Directory cache is refreshed.

Key                  Description                                                        Default
ldap.scheduler.cron  Frequency of LDAP synchronization, expressed as a cron expression.  0 15 22 1/1 * ? (10:15pm every day)
max.job.age          Maximum validity of an LDAP synchronization task in the queue.      PT8H (8 hours)

Notification Templates

Issuance, replacement, renewal, and reset notifications are improved to include the following macros in the notification message:

  • $DEVICE_SUB_TYPE$ (the device type)
  • $CUID_NUM$ (the device serial number)
  • $PIN$ (the user's PIN)
    IMPORTANT
    A user's PIN is not saved in the database, and is only available for the following operations:
    • PIN Generated Info
    • Your device's PIN has been Reset
    • You have been issued a replacement device

To Modify a Notification Template

  1. In the UCMS Operator Portal, from the menu, click the Configuration tab.
  2. Click Notification > Notification Templates.
    The Notification Templates page displays.
  3. In the Condition Name text field, search for one of the Condition Names listed above.
  4. Select the notification template you want to modify.
  5. Click the Edit icon.
    The Edit Notification page displays.
  6. Open the saved notification template you made prior to upgrade, and copy the Subject from it.
  7. Paste it into the Subject field on the Edit Notification page.
  8. In the saved notification template, copy the Message Body.
  9. Paste it into the Message Body field on the Edit Notification page.
  10. Click Save.
  11. Repeat for any of the Condition Names listed above.

RA Certificate in HSM

You can now use a certificate stored in an HSM to connect to a CA, as opposed to using a certificate stored in the local Java KeyStore.
