Sven Haster 19/12/2022 111 min read

Topicus KeyHub 23

In the first week of 2023 we are proud to announce Topicus KeyHub 23. Starting with this release, group memberships will be signed as an added protection against out-of-band modifications. We also introduce the role of "content administrator" for linked systems, who will handle some of the tasks previously managed by technical administrators. Lastly, we added support for clustering on Microsoft Azure.As usual, a number of assorted smaller changes and bug fixes are also included.

 

Content administrator

TKH-2300 It is now possible to set a content administrator group for a linked system. This group handles requests regarding the contents of the linked system, i.e. groups on system and service accounts, that previously were handled by technical administrators. We've also provided group managers with the ability to request a new group on system or access to an existing group on system.

 

Group managers can use the Manage Access page to request a new or existing group on system for one of their groups. This request will be handled by the content administrators. After approval, a new group on system will be created immediately. A request for access to an existing group on system will be sent to the owning group of the group on system.

 

Cryptographic signing of group memberships

TKH-2180 KeyHub has introduced a separate set of keys to assist with the verification of the database's state. As of KeyHub 23 group memberships will be signed using a key specific to the group which is kept in the groups vault. This means that only people who legitimately have access to the group, can attest other people's legitimate access. In other words, if somebody were to give themselves a group membership via modifications directly on the database, KeyHub would be able to detect a false signature. This is meant to complement group audits and should provide for a higher level of confidence in the correctness of KeyHub's contents. Invalid signature(s) will lead to a warning on the dashboard and can be fixed by a group manager.

 

Clustering on Microsoft Azure

TKH-2296 It is now possible to build a HA-cluster of KeyHub installations on Microsoft Azure. Simply configure a static ip for the node in Azure and switch KeyHub to static configuration as well and you will be able to use the cluster setup wizard.Note that you will also need an external loadbalancer/proxy.

 

Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-1443 If you have lost access to one or more group vaults, KeyHub will try to automatically restore that access when another group member logs in. This removes the need to manually request and approve said access.
  • TKH-2176 You can now enable your rotating password directly from the profile page, without needing to go through the password setup wizard.
  • TKH-2214 TKH-2248 TKH-2341 We've added some more statistics to the open metrics endpoint, such as group activations and webhook deliveries. We've also added the name of the linked system to the relevant metrics.
  • TKH-2231 The remove group confirmation pop-up now displays the correct label for the 'repeat group name' field.
  • TKH-2233 TKH-2325 We've improved the CLI. Textual output will now be in neat columns and there is a CSV output mode available. UUIDs have also been added to the output for entities like groups and vaultrecords.
  • TKH-2238 We've fixed a visual bug on the auditlog page where the upper line could be hidden by the search bar.
  • TKH-2240 We've added a visual indicator to vault records whose contents are wholly or partially derived from something else, such as a client application's id and secret.
  • TKH-2244 Creating a new internal account will now correctly save the 'can request new groups' property.
  • TKH-2246 TKH-2247 We've added a circuitbreaker to webhooks to avoid performance problems from unstable endpoints. In addition, webhooks can now be manually disabled.
  • TKH-2251 We've added HTML attributes to our 2FA TOTP fields to enable better autocomplete and keyboard options.
  • TKH-2262 KeyHub's dashboard page should no longer break when fetching the auditlog results in errors.
  • TKH-2273 Uploading a newer license to an older installation should no longer result in errors when the license includes a feature that is not yet available in the installed version.
  • TKH-2275 We've added a global "read groups" permission type for client applications.
  • TKH-2281 KeyHub should now correctly display an "add new member" request to the authorising group for membership, even after approval.
  • TKH-2283 The appliance manager should now correctly restart in all cases where the node's configuration changed.
  • TKH-2285 Unallocated space should now be calculated and displayed correctly on Azure and AWS installations.
  • TKH-2287 RDN fields are now correctly labeled as such.
  • TKH-2288 We've hardened security for the OAuth2 device code flow.
  • TKH-2290 KeyHub administrators will now be able to revoke client permissions for global permission types.
  • TKH-2294 Snapshot recovery now works even without a running SaltStack implementation.
  • TKH-2299 We've improved the quick-fix solution for TKH-2298 in KeyHub 22 to provide client application with only the right amount of READ rights on linked systems.
  • TKH-2304 We've updated our interface and documentation to clearly distinguish between password reset and recovery.
  • TKH-2305 It is no longer possible to generate an error by aborting a WebAuthn flow and then pressing the login button.
  • TKH-2306 Restoring a backup from an "offline" installation into a normal installation should now allow disabling of the offline mode.
  • TKH-2307 We've added HTTP Vary headers to our cacheable responses to improve the browser's caching.
  • TKH-2309 You should no longer be able to disable your own account as an auditor.
  • TKH-2310 We've updated the mails regarding upcoming license expiry to display the date in a more readable format and to identify the sending KeyHub installation.
  • TKH-2311 The gathering of statistics for the about page and for license checks has been improved so as to lessen the performance impact.
  • TKH-2313 We've permanently removed the 'old' token exchange endpoint in favor of the 'new' spec compliant endpoint added in KeyHub 22.
  • TKH-2315 Creating a new backup removes stale backup processes to avoid conflicts.
  • TKH-2316 Starting a password reset while updating your KeyHub password after changing the directory password out-of-band, should no longer result in an unrecovereable account state.
  • TKH-2318 TKH-2353 Rotating password and "provisioning configuration required" notifications will no longer be shown for users with the license role "Business".
  • TKH-2319 TKH-2352 We've improved handling of rotating passwords and static provisioning.
  • TKH-2320 TKH-2321 TKH-2334 We've improved client permissions. Client applications should now be able to move, share and copy vault records, access launchpad tiles for a group, and read linked systems.
  • TKH-2322 The password mode has been added to the auditor account export.
  • TKH-2324 It is now possible to configure a linked system to remove unknown accounts. This ability was already added to the backend in KeyHub 21 but was mistakenly left out of the interface.
  • TKH-2326 It is now possible to configure a list of resource URIs on a client application. The client application can then only request tokens for one of the provided resource URIs.
  • TKH-2327 The cluster status now incorporates the SSH-connectivity to other nodes.
  • TKH-2329 The 'last audit record' timestamp for other cluster node's database status should now display in the correct timezone.
  • TKH-2335 The correct user should now be written to the audit log when a request to create a new service account is approved.
  • TKH-2338 We've fixed an issue where, during timedrift detection upon entering TOTP codes for 2FA, the account state was in some instances incorrectly marked as "provided a correct 2FA code".
  • TKH-2340 We've improved the permission checking in the backend to lessen the performance impact.
  • TKH-2342 You can now sort on the group on system name on the linked system's "Groups" page.
  • TKH-2343 Synchronizing the state of multiple linked systems with KeyHub is now handled on separate threads to avoid timeout issues.
  • TKH-2344 Unlinked group on systems are now only loaded on demand on the Manage Access page. This avoids performance issues when one group owns a large number of such groups.
  • TKH-2345 The clicking on a group from list of group memberships on an account's details page, will now lead to the appropriate group details page for auditors and KeyHub administrators.
  • TKH-2347 We've removed all XML examples and schema's from our OpenAPI spec.
  • TKH-2350 Rotating a service account's password should no longer result in an error.
  • TKH-2351 It is no longer possible to accidentally save duplicate client permissions.