CalNet Releases

CalNet operates a complex suite of applications that support the Identity and Access Management functions of the University.  As technology is updated throughout the CalNet portfolio, updates will appear on this page.  

If you support technology that depends on CalNet tools, this is the best place to look to understand if something in the CalNet technology stack has changed and how it could be affecting your services. You can also sign up to receive notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases and click JOIN.

Upcoming Releases

December 30, 2024, 7:00 am

This release features updates to the CAS MFA setup to enable MFA globally, replacing the current group-based trigger. Additionally, we will introduce a second CAS MFA integration with stronger factors, configurable for specific service providers. CMR: CHG0038636

Services Affected:

  • CAS
  • Duo

Recent Releases

November 13, 2024, 5:00 pm

This update included patching and feature deployment for the BIDMS app (doesn't affect SSO).

- CNR-2573: Additional data elements for matching
- CNR-2631 and CNR-2632: New match rules and modify/remove some existing rules
- CNR-2675: Work-around to set official email in LDAP to alternate ID email if person has changed their calnetId since March 1st
- Upgraded to Spring Boot 3.3.5 and upgraded other dependencies

 CMR: CHG0038582

Services Affected:

  • LDAP

November 8, 2024, 6:00 am

To address errata published by Red Hat, we patched Red Hat Enterprise Linux servers. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0038552

Services Affected:

  • Zabbix
  • Duo

November 7, 2024, 7:00 am

The purpose of this release was to implement throttling for failed authentication attempts that reach a certain threshold. CMR: CHG0038487

Services Affected:


November 6, 2024, 7:30 am

For this update we upgraded CAS on the *test* auth-test.berkeley.edu cluster to 7.1. This included significant UI changes and underlying library upgrades.  An outage was not anticipated; however, because the underlying service ticket registry cluster version upgraded, clients who authenticated the morning of this change lost their SSO session and will be required to re-auth when accessing any SSO applications after the upgrade. CMR: CHG0038559

Services Affected:


October 22, 2024, 6:00 pm

CNR-2626: Created a solution for UCPath sending empty pronoun strings when employees set their pronouns as "My pronouns are not listed" or "Decline to state" CMR: CHG0038518

Services Affected:

  • UCPath

October 9, 2024, 6:00 pm

We provisioned student & employee pronouns to LDAP. CMR: CHG0038458

Services Affected:

  • LDAP

September 27, 2024, 7:30 am

In this release, we removed the berkeleyEduNamePronouns attribute from anonymous access. It is now restricted to authenticate users. CMR: CHG0038430

Services Affected:


September 27, 2024, 6:00 am

This release featured the patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0038449

Services Affected:

  • Zabbix
  • Duo

September 19, 2024, 4:00 pm

The purpose of this release was to deploy an update to the CalNet Admin Tool that fixes a Reconciliation user interface bug. CMR: CHG0038420

Services Affected:

  • CAT

September 5, 2024, 6:00 pm

This release featured the addition of custom scopes and claims to our OpenID Connect identity provider to support client applications. CMR: CHG0038099

Services Affected:


September 5, 2024, 5:00 pm

This release did not affect Single Sign On.

BIDMS patch and features release.

CNR-2407 Upgraded CAT/CAM to Grails 6
CNR-2587 fixed switch user issue
CNR-2572 Displayed grace status in CAM
CNR-2589 mailed overrideAddress ignored after upgrade
CNR-2551 Error message was not announced properly
CNR-2607 Brought in Duo SORObjects into registry with bulk querying via API
CNR-2597 Made bidms docker tests optional
CNR-2598 Upgraded to Spring Boot 3.3.2 and other dependencies
CNR-2603 Added CS delegate IDs to LDAP as a berkeleyEduAffID value
CNR-2596 Added language to CAM password reset page for managed machines
CNR-2601 Synchronized dev/test CS delegates with their production UIDs
CNR-2611 Removed old Advcon API services from BIDMS

CMR: CHG0038368

Services Affected:

  • BIDMS

September 4, 2024, 7:00 am

We removed routes for both the /advcon and /directorySearch  APIs. The alumni API functionality has been moved into BIDMS and the directory search endpoint has been moved to API Central. CMR: CHG0038340

Services Affected:

  • Directory

September 3, 2024, 5:00 pm

This release included the following: A configuration issue was causing emails sent from the grouper deamon to fail, emails from the UI worked as expected. CMR: CHG0038339

Services Affected:


August 15, 2024, 6:00 am

In this release, we changed the source of the required email address attribute for REFEDS to berkeleyEduAlternateID, the primary email address managed by the bConnect team. This means that only the primary @berkeley.edu email address will be asserted when users authenticate to services that belong to this federation. CMR: CHG0038294

Services Affected:


August 13, 2024, 6:00 am

As part of this release, we patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0038281

Services Affected:

  • Zabbix
  • Duo

August 12, 2024, 6:00 pm

For this release, we rolled out a new functionality on SPA-admin application: Update SPA display name. CMR: CHG0038282

Services Affected:

  • SPA-admin application

August 8, 2024, 3:30 pm

The provider for the InCommon certificate service (Sectigo) changed their authentication endpoint. In this release, we updated our user-friendly redirects with the new authentication endpoint. CMR: CHG0038291

Services Affected:


July 31, 2024, 7:00 pm

This release featured the fixing of the error message announcement issue on CDU. CMR: CHG0038238

Services Affected:

  • CDU

July 24, 2024, 7:00 am

The purpose of this release was to correct a misconfiguration on two of our CAS cluster nodes where the OIDC certificates are mismatched.  CMR: CHG0038229

Services Affected:


July 22, 2024, 6:00 pm

We used HTOP (HMAC one-time passcodes) Duo Mobile passcodes. We changed the type of Duo Mobile passcodes to TOTP (time-based one-time passcodes). CMR: CHG0038158

Services Affected:

  • Duo

July 16, 2024, 5:00 pm

This release included the following: 

- As part of the Alumni Digital Experience project, expired approximately 480,000 alumni accounts (~388k without calnetIds + ~92k with calnetIds).
- CNR-2563: sorObjects search API
- CNR-2583: Added FORMER-*-IN-GRACE affiliations (requires a bulk write to LDAP to add these values).
- CNR-2586: set uidNumber/gidNumber in Active Directory (requires a bulk write to Active Directory to add these attributes).

CMR: CHG0038217

Services Affected:


July 15, 2024, 4:00 pm

In this release, we implemented Employee Pronouns in BIDMS. CMR: CHG0038169

Services Affected:

  • BIDMS

July 15, 2024, 8:00 am

For this update, we restarted BIDMS to unpause UCPath messages after UCPath outage. CMR: CHG0038125

Services Affected:

  • UCPath

July 12, 2024, 2:00 pm

This release included restarting BIDMS to pause UCPath messages during UCPath outage. CMR: CHG0038124

Services Affected:

  • UCPath

July 5, 2024, 7:00 am

The purpose of this release was to upgrade CAS on the production auth.berkeley.edu cluster to apply security patches to CAS and the embedded Tomcat container. The work was done in a rolling manner to avoid an outage. CMR: CHG0038139

Services Affected:

  • CAS

June 26, 2024, 5:00 pm

As part of this release, we will change the base OS image for our production shibboleth instance from centos 7 to rocky 8 to ensure continued OS updates. CMR: CHG0038122

Services Affected:


June 26, 2024, 7:00 am

This release featured the addition of custom scopes and claims to our OpenID Connect identity provider to support client applications. CMR: CHG0038099

Services Affected:


June 20, 2024, 6:00 pm

The purpose of this release was to remove legacy password hash options from LDAP. CMR: CHG0038087

Services Affected:

  • LDAP

June 14, 2024, 12:00 pm

In this release, the software behind CalGroups was upgraded to the current version of Grouper. The initial upgrade was expected to take a couple hours. During this time, the User Interface at calgroups.berkeley.edu was unavailable. Once the UI upgrade was complete, additional configuration work happened through the weekend, including upgrades to the provisioning software, loader jobs, and the Web Services API. CMR: CHG0037957

Services Affected:

  • CalGroups

June 14, 2024, 11:00 am

For this update, there were two releases in SPA-Admin application in accordance with Grouper Upgrade. The first release happened before Grouper Upgrade in order to take SPA Admin application down so that SPA Admin was not affected during the Grouper upgrade. The second release happened after Grouper API and UI upgrades were completed. In the second release, Grouper Rest API URLs (basically API versions) and UI url were changed in spa-admin config and SPA admin application was brought back. CMR: CHG0037967

Services Affected:

  • Grouper

June 13, 2024, 7:00 pm

This release included accessibility fixes based on feedback from Accessibility team for the new CDU UI. CMR: CHG0038069

Services Affected:

  • CDU

June 13, 2024, 4:00 pm

This release featured the deployment of BIDMS changes for business telephone numbers coming from the Regional Portal system to be sent to UCPath. CMR: CHG0038084

Services Affected:

  • UCPath

June 6, 2024, 4:00 pm

In this release, we deployed fixes for the Slate integration within CalNet Account Manager. CMR: CHG0038045

Services Affected:

  • CAM

June 3, 2024, 7:00 pm

Secure connections were not enforced by our password policy for legacy reasons. We configured the back-end LDAP service to require either SSL or STARTTLS for any authenticated connections with this change. CMR: CHG0037960

Services Affected:

  • LDAP

May 25, 2024, 9:00 am

This release included replacing the general purpose LDAP cluster used by campus services (ldap.berkeley.edu) with new RHEL 9 hosts. CMR: CHG0037988

Services Affected:

  • LDAP

May 24, 2024, 7:00 am

This release featured the patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0038012

Services Affected:

  • Zabbix
  • Duo

May 21, 2024, 7:00 pm

In this release, we replaced the LDAP cluster used by authentication services (CAS, Shibboleth, Wi-Fi) with RHEL 9 hosts. CMR: CHG0037987

Services Affected:

  • CAS
  • Shibboleth
  • LDAP

May 14, 2024, 4:00 pm

This release didn't affect SSO.

CNR-2472 CDU UI fixes for accessibility
CNR-2469 Made sure Forgot Passphrase works for alumni
CNR-2416 Made sure alumni can claim accounts
CNR-2417 Made sure alumni can log into Account Manager
CNR-2445 Made Active Directory a SOR in BIDMS for the purposes of pulling in the "last logon" timestamp attribute
CNR-2468 Created a new quartz job in SGS to query AD for the last logon timestamps
CNR-2471 Encountered an AD search limit of 1000 while querying for last logon timestamps
CNR-2507 SGS had to start pulling in the LDAP berkeleyEduIsMemberOf attribute so we can detect the alumni email group
CNR-2508 Created a ldapGroupAlumniEmail role based on whether they have the berkeleyEduIsMemberOf value for the alum email group
CNR-2494 LDAP server didn't like "01" anymore for berkeleyEduBirthDay/berkeleyEduBirthMonth
CNR-2511 Removed the "Create My Email Account" link in CAM
CNR-2522 Made the new alumni expiration logic configurable because not enabled in production for awhile

CMR: CHG0037961

Services Affected:

  • CDU
  • CAM
  • LDAP

May 12, 2024, 9:00 am

In this release, we replaced the LDAP hosts at the SDSC data center with new hosts built on RHEL9. CMR: CHG0037959

Services Affected:

  • LDAP

April 15, 2024, 7:00 pm

CDU is the new "CalNet Directory Update" application that replaced the legacy directory update application. The purpose of this release was to roll out an enhanced CDU UI based on feedback from Usability team. CMR: CHG0037866

Services Affected:

  • CDU

April 6, 2024, 9:00 am

As part of this release, we upgraded the CalNet LDAP infrastructure to DS 7.4.  No impact to applications or customers was expected as we performed a rolling upgrade. CMR: CHG0037744

Services Affected:

  • LDAP

April 2, 2024, 5:00 pm

In this release, the new CDU search API had a bug that needed to be patched. CMR: CHG0037803

Services Affected:

  • CDU

March 28, 2024, 8:00 am

In this release, CDU was the new "CalNet Directory Update" application that replaced the legacy directory update application. CMR: CHG0037773

Services Affected:

  • LDAP
  • CalNet Directory Update

March 27, 2024, 3:30 pm

This release included deploying changes to BIDMS to support the new CDU launch. CMR: CHG0037772

Services Affected:

  • CDU

March 27, 2024, 3:00 pm

In this release, we added a maintenance page to the legacy CalNet Directory Update (CDU) tool on the afternoon of March 27th in preparation for migrating this functionality on March 28th.  On March 28th we changed this to redirect traffic to CalNet Account Manager (CAM) which is taking over this functionality. CMR: CHG0037756

Services Affected:

  • LDAP
  • CalNet Directory Update tool
  • CAM

March 27, 2024, 6:00 am

The purpose of this release was to patch Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037776

Services Affected:

  • LDAP
  • Zabbix
  • Duo

March 13, 2024, 7:00 am

To consolidate multiple access control instructions in LDAP in preparation for the new CalNet Directory Update tool launch, we streamlined access rules for berkeleyEduOfficialEmail, mail, and berkeleyEduAlternateID. CMR: CHG0037685

Services Affected:

  • CalNet Directory
  • LDAP

March 11, 2024, 9:00 am

This release included turning on UCPath messaging for UCPath release. CMR: CHG0037665

Services Affected:

  • UCPath

March 8, 2024, 11:00 am

This release included turning off UCPath messaging for UCPath release. CMR: CHG0037623

Services Affected:

  • UCPath

March 8, 2024, 8:00 am

The purpose of this release was to reconfigure our API gateway to allow error pass-through rather than intercepting them to reformat the errors. There was no outage, as this is a rolling NGINX reload to pick up new settings. CMR: CHG0037697

Services Affected:


March 1, 2024, 7:00 am

In this release, we added CalNet ID (berkeleyEduKerberosPrincipalString) in the set of attributes already released by the *.berkeley.edu CAS registration. CMR: CHG0037615

Services Affected:

  • LDAP
  • CAS

February 29, 2024, 6:00 pm

As part of this release, we removed indexes and schema attributes related to directory changes implemented during the preferred / lived name rollout. The following attributes were removed from the LDAP schema as they are either no longer in use or were replaced by other attributes:

berkeleyEduNameSalutation (1.3.6.1.4.1.4995.2.200.10.1.1.23)
berkeleyEduNameHonorifics (1.3.6.1.4.1.4995.2.200.10.1.1.24)
berkeleyEduNameGenerational (1.3.6.1.4.1.4995.2.200.10.1.1.25)
berkeleyEduFirstName (1.3.6.1.4.1.4995.2.200.10.1.1.27)
berkeleyEduLastName (1.3.6.1.4.1.4995.2.200.10.1.1.28)

CMR: CHG0037604

Services Affected:

  • LDAP

February 28, 2024, 7:00 am

This release included an upgrade to CAS on the production auth.berkeley.edu cluster to 6.6.15 to apply security patches to CAS and the embedded Tomcat container. The work was done in a rolling manner to avoid an outage. CMR: CHG0037605

Services Affected:

  • LDAP
  • CAS

February 22, 2024, 6:00 pm

For this release, we disabled change log indexing for our LDAP deployment. CMR: CHG0037601

Services Affected:

  • LDAP

February 15, 2024, 8:00 am

This release featured the patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037590

Services Affected:

  • Zabbix
  • Duo
  • LDAP

January 27, 2024, 8:00 am

The purpose of this release was to migrate our production LDAP infrastructure to a new security model. This involved deploying new cryptographic keys and configuring all back-end services (administration, replication) to use a new dedicated private CA model for internal operations. As part of this we also applied updates to core schema files. There were multiple restarts of each node in the cluster during the process.  Services are load balanced, but due to the number of restarts required, and application pooling, some applications may experience transient outages during this process. CMR: CHG0037507

Services Affected:

  • LDAP

January 26, 2024, 8:00 am

In this release, we upgraded the CalGroups test environment from 2.4 to 4.8.x. This has been done in the dev environment, and was repeated in the test environment. CMR: CHG0037518

Services Affected:

  • CalGroups
  • LDAP

January 25, 2024, 4:00 pm

To enable student account claim access codes from SIS, this release featured changes to a configuration flag and a restart of the CalNet Account Manager application. This did not affect Single-Sign-On. CMR: CHG0037508

Services Affected:

  • CAM
  • LDAP

January 24, 2024, 7:00 am

This release included the following: We removed the ds-rlim-lookthrough-limit attribute from all LDAP service accounts (binds). The attribute was deprecated. For service accounts that currently have larger query result size limits configured, we set the value on the ds-rlim-size-limit attribute which replaces the deprecated attribute. CMR: CHG0037448

Services Affected:

  • LDAP

January 21, 2024, 7:00 am

In this release, we replaced the TLS certificate used by the general CalNet LDAP cluster (ldap.berkeley.edu). No interruption was expected, we did rolling restarts of the backend LDAP servers. Customers should have been aware that the intermediate / signing certificate is changing to the "InCommon RSA Server CA 2" cert. See https://berkeley.service-now.com/kb?sys_kb_id=2372590fdbfe65d0066e252b13.... CMR: CHG0037443

Services Affected:

  • LDAP

December 22, 2023, 6:30 am

As part of this release, we upgraded CAS on the production auth.berkeley.edu cluster to 6.6.14 to apply security patches to CAS and the embedded Tomcat container. The work was done in a rolling manner to avoid an outage. CMR: CHG0037417

Services Affected:

  • CAS
  • LDAP

December 19, 2023, 4:00 pm

This release included the following:

- New enhancement to keep reconciliation and match history in database.
- Modified the CalNet Directory Update application to remove ability to enter a name. This functionality has been moved to other places due to GRLN project.
- At time of deployment, we cleared out the legacy LDAP berkeleyEdu name values that came from the CalNet Directory Update application. These berkeleyEdu name LDAP attributes have been deprecated and are replaced by GRLN lived names. Moving forward, the appropriate name attributes for lived names are 'givenName', 'sn' and 'displayName' (standard LDAP attributes). We will utilize berkeleyEduMiddleName for lived middle names.
- After deployment (while application is back up), we updated LDAP berkeleyEduMiddleName values to contain lived middle names from UCPath and Campus Solutions.

CMR: CHG0037393

Services Affected:

  • LDAP

November 30, 2023, 9:00 am

For this release, we implemented a new process for synchronizing the LDAP org units OU (ou=org units,dc=berkeley,dc=edu). This change should have been transparent to most consumers, but during the re-write we discovered that the existing process is violating our LDAP schema for the attributeberkeleyEduOrgUnitProcessUnitFlag. As part of this change, the berkeleyEduOrgUnit attribute berkeleyEduOrgUnitProcessUnitFlag no longer contains the value 1. Instead it is set to a boolean value of TRUE.

We reached out directly to the customers who may have been impacted by the change.

 CMR: CHG0037354

Services Affected:

  • LDAP

November 29, 2023, 7:00 am

This release featured patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition, we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037360

Services Affected:

  • Zabbix
  • Duo
  • LDAP

November 17, 2023, 8:00 am

As part of this release, we implemented a new process for synchronizing the LDAP org units OU (ou=org units,dc=berkeley,dc=edu). This change should have been transparent to most consumers, but during the re-write we discovered that the existing process is violating our LDAP schema for the attributeberkeleyEduOrgUnitProcessUnitFlag. As part of this change, the berkeleyEduOrgUnit attribute berkeleyEduOrgUnitProcessUnitFlag no longer contains the value 1. Instead it is set to a boolean value of TRUE.

We reached out directly to the customers who may be impacted by the change.

CMR: CHG0037322

Services Affected:

  • LDAP

November 15, 2023, 7:00 am

This release was to re-implement CHG0035218. Our most recent major upgrade of CAS included a different reverse proxy and we did not include the configuration described below as part of the upgrade.

We were seeing a high number of requests from a handful of misconfigured MacOS and iOS devices. These devices appeared to be configured using the Exchange mail and address book sync pointed at bMail (as opposed to using the appropriate Google sync). This was causing the clients to flood our CAS servers with invalid requests. We configured our proxies to return HTTP 400 (bad request) to these clients and prevent the traffic from reaching the CAS application.

CMR: CHG0037295

Services Affected:

  • CAS
  • LDAP

November 9, 2023, 7:00 pm

This release included the following:

CNR-2373: Augment web service for CDU
CNR-2369: Disregard bad messages on LdapSyncQueue
SGS: Fix triggering of bulk rematch and bulk reprovisioning from LdapSync job
Fix for sending newUid jms message
CAT: Upgrade Duo SDK library
CNR-2360: CAM: New Duo flow

CMR: CHG0037287

Services Affected:

  • Duo
  • LDAP

November 3, 2023, 7:00 am

In this release, we patched Shib on the production shib.berkeley.edu cluster to the 4.3.1_20231012 tag to upgrade the embedded Tomcat container.  The work was done in a rolling manner to avoid an outage. CMR: CHG0037237

Services Affected:

  • Shib
  • LDAP

October 17, 2023, 7:00 pm

As part of this update, we upgraded CAS on the production auth.berkeley.edu cluster to 6.6.12 to apply security patches to CAS and the embedded Tomcat container. The work was done in a rolling manner to avoid an outage. CMR: CHG0037190

Services Affected:

  • CAS
  • LDAP

October 13, 2023, 7:00 am

This release featured patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition, we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037186

Services Affected:

  • Zabbix
  • Duo
  • LDAP

October 8, 2023, 2:00 pm

For this release, the SIS group deployed their GRLN changes on October 8 and CalNet deployed BIDMS changes to support their launch. Changes were for writing SIS lived names to LDAP. CMR: CHG0037153

Services Affected:

  • LDAP

October 8, 2023, 7:00 am

This release was related to change CHG0037153 and the SIS GRLN launch.  We configured the CalNet Directory Update tool to direct students to SIS for preferred/lived name changes.  This should not have impacted homecoming activities as it did not affect the CalNet systems that perform authentication and authorization to campus systems. CMR: CHG0037157

Services Affected:

  • LDAP

September 27, 2023, 7:00 am

As part of this release, Duo deprecated the existing device management integrations that are used as part of new user on-boarding and self-service device management via the CalNet Account Manager (CAM).  We changed both the CalNet claim process and post-claim processes for managing Duo devices.  For existing users we enabled Duo's new Duo Central for device management.  This required that we configure Duo SSO, Duo Central, and integrate them with our existing SAML federation.   There is no expected impact to current Duo 2-step functionality as this is a separate feature.  This change is to enable these features so that our developers can work on the changes to CAM.  Future change requests and communications will address user impact and process changes. CMR: CHG0037120

Services Affected:

  • Duo
  • CAM
  • LDAP

September 21, 2023, 7:00 pm

In this release, there were changes to GitHub Actions Configuration for SPA Admin App. CMR: CHG0037096

Services Affected:

  • SPA Admin App
  • LDAP

September 8, 2023, 7:00 am

This release featured patching of Red Hat Enterprise Linux servers to address errata published by Red Hat.  This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037055

Services Affected:

  • Zabbix
  • Duo
  • LDAP

September 7, 2023, 7:00 pm

This release was an upgrade of the CalNet identity management suite that included an infrastructure change to switch to containerization of the Tomcat application server. A Tomcat upgrade was necessary to support the Spring Boot 3 upgrade, also part of this upgrade. There was a 2 hour outage associated with this release.

Release Notes:
Upgrade to Spring Boot 3
Containerization of the services Tomcat app server and upgrade to Tomcat 10 for Spring Boot 3
Support SIS Campus Solutions student claim access codes (will not be enabled until later date)
CNR-2292,CNR-2042: Remove references to affiliates OU that was removed from LDAP some time ago
CNR-2315: Give SUPPORT role ability to see the lock info on the CAT show person page
CNR-2314: Add raw SORObject view (aka 'grey arrows') back for people in the 'View' group in CAT
CNR-2320,CNR-2329: CAT lock emails going out when email button not selected
CNR-2326: Add Ucpath I-280 BUSN telephone numbers to BPR telephone table
CNR-2317: PostgreSQL 14 in development environment
CNR-2336: A nightly job to clean up the various expired token rows in BPR tables
CNR-2319: Improve error message when guest-type-potential-hire tries to claim an account
CNR-2338: CAM ClaimService isEligibleToClaimAccount needs additional checks
CNR-2344: Improve part of ucpath ddods query for efficiency
CNR-2298: Use GitHub Actions

CMR: CHG0037017

Services Affected:

  • CAT
  • UCPath
  • CAM
  • LDAP

September 3, 2023, 9:00 am

As a part of this release, we upgraded CAS on the production auth.berkeley.edu cluster to 6.6.  This upgrade involved moving to a new cluster running RHEL9 and many architectural changes and underlying library upgrades.  An outage was not anticipated; however, because the underlying service ticket registry cluster version was being upgraded clients who authenticate the morning of this change lost their SSO session and were required to re-auth when accessing any SSO applications after the upgrade. CMR: CHG0037004

Services Affected:

  • CAS
  • LDAP

July 13, 2023, 5:00 pm

For this release, we patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036887

Services Affected:

  • Zabbix
  • Duo
  • LDAP

June 21, 2023, 7:30 pm

For this release, as a last step to complete CalNet's portion of the UCPath GRLN deployment, we reenabled a regularly scheduled job that requests update messages for employees.  (Otherwise known as the I-371 job.)  This job was disabled as part of CHG0036664 on June 16th.  This CHG reenabled it after GRLN go-live. CMR: CHG0036666

Services Affected:

  • UCPath
  • CalNet
  • LDAP

June 20, 2023, 6:00 am

For this release, UCPath launched their GRLN (Lived Name) changes and CalNet needed to deploy changes as part of the project:

#1) Turned back on UCPath data processing that was previously turned off for the UCPath GRLN downtime window that began on June 16th.
#2) Deployed code changes to adapt to the new way that UCPath would be storing lived names in the DDODS database.
#3) Deployed code changes to change how names are set in LDAP and Active Directory to align with lived names that are now stored in UCPath for active employees and UCPath affiliates. These UCPath lived names were to replace the preferred names that employees and UCPath affiliates had previously set in the Directory Update application. It was expected many names in LDAP would change due to this change.
#4) Deployed a change to the Directory Update Application hosted at directory.berkeley.edu that disallowed active employees to change their preferred name in the application and provided a link to UCPath where their name could be changed within UCPath.

CMR: CHG0036665

Services Affected:

  • UCPath
  • CalNet
  • LDAP
  • Active Directory

June 16, 2023, 3:00 pm

As part of this release, UCPath was down starting June 16th at 3pm for the GRLN rollout.  At approximately the same time all UCPath data processing was shut off for the CalNet identity management system.  This required an application restart. CMR: CHG0036664

Services Affected:

  • UCPath
  • CalNet
  • LDAP

June 16, 2023, 6:00 am

As part of this release, UCPath launched their GRLN (Lived Name) changes. With this update, CalNet no longer allows the generation of preferred (display) names using the Directory Update application (directory.berkeley.edu) for anyone with a staff affiliation. CMR: CHG0036667

Services Affected:

  • UCPath
  • CalNet Directory
  • LDAP

June 7, 2023, 7:00 pm

This release included the following:

CNR-2265 CAT, limit displayed names to preferred (lived) names unless they have specific roles to grant access to other names that may include legal names
CNR-2118 Upgrade from h2db 1.4 to 2.1
CNR-2261 ucb-bidms should use same CalnetIdRules as CAM
CNR-2167 Convert calnet-ui from using Bower to using NPM
CNR-2264 Where possible, upgrade JavaScript dependencies in calnet-ui
CNR-2122 SGS Camel xmljson functionality has been deprecated and needs to be replaced with something else
CNR-2279 Create a REST service for changing uid on namespace entries
CNR-2280 There is a CS M02-related regression bug preventing admit role being asserted in some edge cases
CNR-1955 Reassign namespace entries when merging
CNR-2288 Upgrade CAT, CAM to latest Grails version
CNR-2284 Upgrade bidms dependencies, including Spring Boot
CNR-2121 Upgrade to Camel 3 for SGS

CMR: CHG0036676

Services Affected:

  • CAT
  • CAM
  • LDAP

June 7, 2023, 7:00 pm

There were two parts to this release:

1. We *stopped* sending the samAccountName from Active Directory back to CAS as the asserted principal user ID. Instead, CAS now uses the user-supplied account name for attribute lookups after authentication is successful.

2. We configured CAS to check both the sAMAccountName and the alias section of the userPrincipalName during authentication (i.e. alias@BERKELEY.EDU(link sends e-mail)).

CMR: CHG0036702

Services Affected:

  • CAS
  • LDAP

June 1, 2023, 5:00 pm

This release involved patching of Red Hat Enterprise Linux servers to address errata published by Red Hat.  This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036705

Services Affected:

  • CAS
  • Grouper
  • LDAP
  • Shibboleth

April 20, 2023, 5:00 pm

This release involved patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036590

Services Affected:

  • CAS
  • Grouper
  • LDAP
  • Shibboleth

April 19, 2023, 5:00 pm

This release involved patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036589

Services Affected:

  • CAS
  • Grouper
  • LDAP
  • Shibboleth

March 28, 2023, 7:00 pm

As part of this release we removed the displayed userName from the default login and logout CAS pages. While these pages only allowed an authenticated user to see their own userName (e.g. CalNet ID), they also allowed accounts authenticated via trusted third-party sites to see their userName. This could have been undesirable in some cases. CMR: CHG0036528

Services Affected:

  • CAS

March 23, 2023, 7:00 pm

This release involved patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036457

Services Affected:

  • CAS
  • Grouper
  • LDAP
  • Shibboleth

March 16, 2023, 7:00 pm

This release upgraded our SAML IdP from 4.2.1 to 4.3.0 to address minor security vulnerabilities and ensure we are on the latest version. No outage was expected. CMR: CHG0036456

Services Affected:

  • Shibboleth

March 15, 2023, 7:00 am

This release moved the current CalNet Directory Update application to a new host to help decommission the existing host. This involved a temporary redirect of the current http://directory.berkeley.edu(link is external) "Update your listing" link to the new URL. We requested that Public Affairs update that link at their leisure once we were confident the new host was working as expected with the temporary redirect. CMR: CHG0036451

Services Affected:

  • CalNet Directory Update Application

March 12, 2023, 7:00 am

This release included changes to the underlying algorithm for storing hashed passwords for LDAP service accounts in ldap.berkeley.edu. CMR: CHG0036431

Services Affected:

  • LDAP 

March 2, 2023, 7:00 pm 

This release included a configuration and restart for the new Cirrus API key. There was a brief outage associated with this release. CMR: CHG0036421

Services Affected:

  • Cirrus

February 9, 2023, 1:00 pm

This release involved an enhancement/bug fix release for the CalNet BIDMS application suite. CMR: CHG0036376

CNR-2232: Improve the access denied error message for SPAs
CNR-2242: Fix AD error when locking expired people
CNR-2243: Remove unneeded reconciliation page cache
CNR-2250: Add clarifying log entries about AD passphrases when locking accounts
CNR-2251: Expand list of reserved CalNetIDs to align with bConnected
CNR-2252: Fix recognition of certain AD errors in setting passphrase
CNR-2253: (Test environment) Fix GreenMail plugin
CNR-2255: Fix displaying error message when invalid identifier type is selected on passphrase reset page
CNR-2256: Cirrus is requesting new credentials for their API endpoint

Services Affected:

  • Special Purpose Accounts
  • Active Directory (AD)

January 29, 2023, 7:00 am

This release performed maintenance recommended by our vendor to address some lingering error messages in our logs.  The process was to reset the 'generation ID' of our replication domain to ensure any stale entries were not replicated. CMR: CHG0036342

Services Affected:

  • LDAP

January 23, 2023, 5:00 pm

This release applied a required certificate update on the Apache ActiveMQ server used by CalGroups and the Berkeley Person Registry. CMR: CHG0036289

Services Affected:

  • CalGroups
  • Berkeley Person Registry

January 10, 2023, 5:00 pm

This release involved cadds enhancements to the BIDMS lock API that is needed for locking accounts in large batches. CMR: CHG0036286

Services Affected:

  • CalNet Admin Tool (CAT)
  • LDAP
  • CalGroups API