Historical CalNet Releases

CalNet operates a complex suite of applications that support the Identity and Access Management functions of the University.  Below are CalNet releases from previous calendar years. Records of releases have been maintained on this website since March 2016. 

You can sign up to receive timely notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases(link is external) and click JOIN.Or, see current year CalNet Releases.


November 13, 2022, 8:00 am

This release completed the upgrade of the EWH CalNet LDAP infrastructure to DS 7.2. This impacted LDAP services use by CAS, WiFi, and various other services across campus.  No impact to applications or customers is expected.  CMR: CHG0036096

Services Affected:

  • LDAP
  • CAS
  • Wifi Services

November 6, 2022, 8:00 pm

This release included an upgrade of the SDSC CalNet LDAP infrastructure to DS 7.2. This impacted the dir-auth-os.calnet.berkeley.edu VIP which is used by CAS services hosted at SDSC primarily for failover.  No impact to applications or customers expected.  CMR: CHG0036095

Services Affected:

  • LDAP
  • CAS
  • Berkeley Person Registry

October 20, 2022, 7:00 pm

This release included enhancements and bug fixes to Berkeley Person Registry and SPA provisioning. There may be a brief outage to Berkeley Person Registry and associated applications while the server restarts.  CMR: CHG0036067

Services Affected:

  • Berkeley Person Registry
  • Special Purpose Accounts (SPAs)
  • Active Directory (AD)

October 3, 2022, 5:00 pm

This release changed the ways that Special Purpose Accounts were provisioned to Berkeley Person Registry. No outage or impact to SPA users. Users of the CalNet Admin Tool noticed that SPAs have accurate status after this release. CMR: CHG0035986

Services Affected:

  • Berkeley Person Registry
  • CalNet Admin Tool

September 7, 2022, 7:00 pm

This release contained enhancements and bug fixes for CalNet identity management applications. CHG0035940

Services Affected:

  • CalNet Account Manager
  • LDAP
  • Provisioning

August 12, 2022, 11:00 am

This release was a debug for the recaptcha for account claiming. CHG0035872

Services Affected:

  • CalNet Account Manager
  • CHG0035940

August 10, 2022, 7:30 pm

This release was a minor configuration change to the Shibboleth IDP that requires a restart of the servers. There was no outage. CHG0035859

Services Affected:

  • Shibboleth

August 10, 2022, 7:00 pm

This release contained enhancements, bug fixes and dependency upgrades. Also with this release, expired Cirrus guests were moved to ou=Expired. CHG0035821

Services Affected:

  • Cirrus Sponsored Guests
  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry
  • Account provisioning

July 1, 2022, 3:00 pm

In this release, we patched CAS from the current version (6.5.4) to the latest version (6.5.6) to address a potential security vulnerability.CMR: CHG0035722

Services Affected:

  • CAS

July 1, 2022, 12:00 pm

On July 2, new department numbers will begin to flow from UCPath to Berkeley Person Registry to CalGroups and LDAP. CalGroups admins will need to make changes to their authorization / communication groups after July 2 to use the new groups. We will remove the old groups after July 15. CMR: CHG0035712


June 30, 2022, 9:00 am

We enabled the device management portal in the "new" Duo Prompt for applications using CalNet SSO. This allows users to add/remove 2-Step devices directly from the CAS/Duo prompt rather than having to use the legacy portal from https://mycalnet.berkeley.edu(link is external). The legacy portal will continue to work. This change added a menu item to the "Other Devices" option when the user is going through the 2-step process. The documentation here was updated: https://calnet.berkeley.edu/calnet-2-step/2-step-devices. There was no planned outage associated with this release. CMR: CHG0035675

Services Affected:

  • CalNet 2-Step Authentication
  • CAS

June 7, 2022, 5:30 am

We patched CAS from the current version (6.5.2) to the latest version (6.5.4) to apply a bug-fix required to implement new functionality.  There was no planned outage associated with this release. CMR: CHG0035622

Services Affected:

  • CAS

May 24, 2022, 7:00 pm

We upgraded the production Shib IDP servers from 4.0.x to 4.1.x.  There was no planned outage associated with this release. CMR: CHG0035500

Services Affected:

  • Shibboleth

April 5, 2022, 8:00 pm

In this release, we enabled the Duo Universal Prompt which changed how Duo looks and behaves. https://calnet.berkeley.edu/news/new-changes-duo-browser-workflow. In addition, we upgraded CAS on the production auth.berkeley.edu cluster to 6.5. CMR: CHG0035435

Services Affected:

  • CalNet 2-Step Authentication

April 1, 2022, 1:00 pm

This release was patching for our production Shib clusters and upgrading Tomcat to the latest version. All other Shib environments were patched with latest versions. CMR: CHG0035451

Services Affected:

  • Shibboleth

March 31, 2022, 11:45 am

This release included patching our production CAS clusters.  All other CAS environments were patched with latest versions. CMR: CHG0035449

Services Affected:

  • CAS

March 31, 2022, 8:00 am

This release included patching for our backend services with the latest version of Spring, and changing the Java version our frontend is running. CMR: CHG0035448

Services Affected:

  • Berkeley Person Registry
  • Account Provisining
  • CalNet Admin Tool
  • CalNet Account Manager

March 24, 2022, 10:00 am

This emergency release fixed a bug that prevented CalNet accounts from expiring when they should. CMR: CHG0035425

Services Affected:

  • Berkeley Person Registry
  • LDAP

March 22, 2022, 7:00 pm

This release included additional tracking of UCPath primary jobs and a bug fix. CMR: CHG0035401

Services Affected:

  • Berkeley Person Registry
  • Account Claiming

March 22, 2022, 7:00 pm

In this release, we changed the firewall configuration for the CalNet LDAP cluster dedicated to authentication services.  CMR: CHG0035405

Services Affected:

  • LDAP
  • Firewall

February 17, 2022, 7:00 pm

In this CalGroups change, we refactored 2-Step groups and also added a new feature for some admins in CalGroups to view alumni both in their groups and in their searches. 2-Step users should not notice the change. CMR: CHG0035296

Services Affected:

  • CalGroups
  • CalNet 2-Step

February 17, 2022, 7:00 pm

This was a major upgrade of the identity management system that does data intake, identity matching, account provisioning, web services and data writing to LDAP and Active Directory. The significant changes can be summarized as: A refactoring onto the latest Spring Boot framework (numerous code changes as a result), an upgrade to using latest dependency libraries, an upgrade to using latest Java 17 LTS, an upgrade to the Tomcat 9 application server, and moving to new, upgraded virtual machines running RedHat. There was a short planned outage associated with this release. CMR: CHG0035238

Services Affected:

  • Berkeley Person Registry
  • CalNet Admin Tool 
  • CalNet Account Manager

January 30, 2022, 9:00 am

We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. During this cycle we also upgraded our Nginx proxy servers. There was a short outage of bpr.calnet.berkeley.edu that affected CAT and CAM while that host rebooted. CMR: CHG0035220

Services Affected:

  • Berkeley Person Registry
  • CalNet Admin Tool 
  • CalNet Account Manager
  • CAS
  • Shibboleth
  • CalGroups
  • LDAP
Back to Top

December 21, 2021, 7:00 pm

We patched the Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. There was a short outage of bpr.calnet.berkeley.edu thereby affecting CAT and CAM while that host rebooted. CMR: CHG0035116

Services Affected:

  • Berkeley Person Registry
  • CAS
  • Grouper
  • LDAP
  • Shibboleth

December 2, 2021, 7:00 pm

In this release, CalNet is updating email templates used for account locking and for Stu-Delegate account creation. CMR: CHG0035062

Services Affected:

  • Berkeley Person Registry
  • Account Claiming

November 30, 2021, 7:00 pm

The CalNet team is implementing an emergency change. The IP address of shib.berkeley.edu(link is external) will change. CMR: CHG0035046

IMPORTANT: If you currently enforce outbound firewall rules for web traffic, you must add an additional allow rule for the new Shibboleth virtual IP:

  • Port: 443

  • IP: 169.229.54.216

Services Affected:

  • SAML-based logins (bMail, ServiceNow, Adobe)

October 15, 2021, 6:00 am

We configured all Duo integrations to remove the phone callback option by default.  Existing telephone users were not impacted and were required to fill out an exception by January 12, 2022.  After January 12, 2022 only users with an exception / valid business case for using telephone with Duo are allowed to use the feature. There was no planned outage associated with this release. CMR: CHG0034869

Services Affected:

  • CalNet 2-Step Authentication

October 10, 2021, 8:30 am

We patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. There was a short planned outage for CAT/CAM within the release window. CMR: CHG0034879

Services Affected:

  • Shibboleth
  • LDAP
  • Berkeley Person Registry
  • CAS
  • Grouper
  • CalNet Admin Tool 
  • CalNet Account Manager

September 25, 2021, 6:00 am

The CalNet Postgres databases will be upgraded by the campus database team. This will result in an outage of some CalNet services of approximately 90 minutes. CalNet logins will not be impacted during this outage. CMR: CHG0034838

Services Affected:

  • CalNet Account Manager (including account claiming, changing passphrase or ID and managing 2-Step)
  • CalNet Admin Tool
  • Berkeley Person Registry
  • CalGroups
  • The identifiers web service used by CalCentral and iHub

September 1, 2021, 7:00 pm

We deployed code changes for CalNet Identity Management. There was a short planned outage for a few minutes within the release window. CMR:CHG0034797

Services Affected:

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool
  • Account Claiming

August 8, 2021, 6:00 am

We upgraded CAS on the production auth.berkeley.edu cluster to 6.3. This version of CAS is required to maintain support and future product enhancements and security patches. Other enhancements include: support for TLSv1.3, improved support for SAML and OIDC, support for newer Duo prompt, various upgrades to system software including Java, Tomcat, and Nginx. There was a planned outage associated with this release. CMR:CHG0034740

Services Affected:
  • CAS
  • Shibboleth

July 29, 2021, 6:45 pm

The CalNet Admin Tool got an update allowing support staff to use the Duo Application for user verification. There was a planned outage associated with this release. CMR:CHG0034736

Services Affected:
  • CalNet Admin Tool
  • CalNet Account Manager
  • Berkeley Person Registry

July 22, 2021, 7:00 pm

We updated CAT/CAM to implement a compatibility change for CAS 6 and Slate delegated logins. There was a brief outage while the server restarted. CMR:CHG0034593

Services Affected:
  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

June 17, 2021, 7:30 pm

This release included changes to identifierTypes, changes to the no recovery email address screen in CalNet Account Manager, and changes to roles in CalNet Admin Tool. There was a planned outage associated with this release. CMR: CHG0034593

Services Affected:

  • CalNet Admin Tool
  • CalNet Account Manager
  • Berkeley Person Registry

May 24, 2021, 11:05 am

Starting at approximately 11:05 am some clients may have seen errors when trying to log into a CAS-protected application. The issue was resolved fully by 12:36 pm. The java process running the Tomcat web application server had more open file handles than allowed by the operating system. In trouble-shooting we found that the CAS process opens that script for every user log in to the service, but never closes the file handle. Over the course of approximately 30 days the number of opened files for that process grew above the hard limit set by the OS. There was an unplanned outage associated with this release which took place intermittently across the release window. CMR: CHG0034546

Services Affected:

  • CAS

May 20, 2021, 7:00 am

The majority of the remaining deprecated attributes definitions (objectClasses and attributeTypes) were removed. These attributes are no longer maintained and have been marked for removal for several years. The list of attributes that were removed can be found at https://calnet.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization#B. There was no planned outage associated with this release. CMR: CHG0034495

Services Affected:

  • LDAP

May 20, 2021, 5:00 am

We configured DNS failover for the ldap.berkeley.edu cluster.  This allows the service to automatically fail over to San Diego in case of a major network or system outage at EWH. There was no planned outage associated with this release. CMR: CHG0034507. 

Services Affected:

  • LDAP

May 19, 2021, 7:00 pm

We issued a new certificate for the ldap cluster at ldap.berkeley.edu in preparation for enabling automated failover to our SDSC data center the following morning. We quiesced traffic to each node in turn to update the certificate. There was no planned outage associated with this release. CMR: CHG0034514. 

Services Affected:

  • LDAP

May 5, 2021, 9:00 pm

This change allows campus postdocs to have a longer grace period. There was no planned outage associated with this release. CMR: CHG0034476

Services Affected:

  • Berkeley Person Registry

May 2, 2021, 6:00 am

We changed the load balancing direct routing method used by ldap.berkeley.edu to stop using ARP tables and instead use iptables. The ldap.berkeley.edu cluster configuration for direct routing was not working as intended. Some applications were experiencing loss of connectivity to ldap when we performed maintenance that should otherwise be transparent. This change was intended to correct this issue and allow us to perform maintenance without impacting customers in the future. There was a planned LDAP outage of 10 minutes within the release window. CMR: CHG0034444

Services Affected:

  • LDAP

April 25, 2021, 6:30 am

We patched Red Hat Enterprise Linux servers to address errata published by Red Hat.  This included bug fixes, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition, we applied patches as needed from custom repositories for Zabbix and Duo. We patched to address OS bugs and vulnerabilities.  There was a 5 minute outage for Manage My CalNet while that system rebooted. CMR: CHG0034443

Services Affected:

  • BPR systems
  • CAS
  • Grouper
  • LDAP
  • Shibboleth

April 21, 2021, 9:00 am

We issued a new certificate for the ldap cluster at ldap.berkeley.edu in preparation for enabling automated failover to our SDSC data center. We quiesced traffic to each node in turn to update the certificate.  Application owners and developers using non-system keystores should ensure they are only referencing the root and intermediate certificates, and not the leaf node. There were no planned outages associated with this release.  CMR: CHG0034209

No Services Affected


April 15, 2021, 7:00 pm

We upgraded the SDSC production Shibboleth servers to the same version we are now running in EWH. We did a quick failover test to confirm them afterwards. There were no planned outages associated with this release.  CMR: CHG0034424. 

Services Affected:

  • Shibboleth

March 31, 2021, 7:00 pm

We have upgraded the Shibboleth IDP to version 4x in order to stay current with the most recent release. There were no planned outages associated with this release.  CMR: CHG0034375

Services Affected: 

  • Shibboleth

March 22, 2021, 7:00 pm

This CalNet release included changes to the CalNet Account Manager Forgot Passphrase tool and added additional functionality to handle Potential Hire Academic POIs from UCPath. There was a brief outage during the specified release window. CMR: CHG0034359

Services Affected:

  • CalNet Account Manager
  • Berkeley Person Registry 

March 4, 2021, 6:30 pm

CalNet restarted registry-p1 Tomcat for a DDODS database host change. There was a brief outage during the half-hour release window.  CMR: CHG0034321

Services Affected:

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

February 23, 2021, 6:00 am

We replaced the certificate on the CAS instance (auth.berkeley.edu). The new certificate has a different issuer. We deprecated the Extended Validation certificates in favor of standard InCommon SHA-2 certificates. Certain applications, such as those using Java key stores or other non-operating system certificate stores, may require providing the root certificate in addition to the intermediate certificates. Obtain certificates from a trusted source like the certificate store on your local computer or directly from the Root CA. There were no planned outages associated with this release.  CMR: CHG0034268

Services Affected: 

  • CAS

February 11, 2021, 7:00 am

We replaced the certificate on the test CAS instance (auth-test.berkeley.edu). The new certificate has a different issuer. We deprecated the Extended Validation certificates in favor of standard InCommon SHA-2 certificates. Certain applications, such as those using Java key stores or other non-operating system certificate stores, may require providing the root certificate in addition to the intermediate certificates. Obtain certificates from a trusted source like the certificate store on your local computer or directly from the Root CA. There were no planned outages associated with this release.  CMR: CHG0034267

Services Affected: 

  • CAS

January 1, 2021, 9:00 am

We increased LDAP replication retention from 3 days to 5 days to ensure changes made while EWH DC is unavailable are retained in the event that the outage is longer than expected. These changes were pushed to LDAP-test on December 21, 2020. There were no planned outages associated with this release.  CMR: CHG0034176

Services Affected

  • LDAP

Back to Top


December 21, 2020, 8:00 am

We removed the deprecated attribute values from CalNet LDAP directory (access to these attributes was revoked on Oct 29th). A list of those attributes can be found at https://calnet.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization#B. There were no planned outages associated with this release. CMR: CHG0034140

Services Affected

  • LDAP

December 3, 2020, 6:30 pm

We changed the production DDODS connection string, no longer recognizing academic potential hire POI type, and changed how effective rows are calculated from DDODS POI table. There was a brief outage that occurred between 6:30pm - 7:00pm. CMR: CHG0034129

Services Affected

  • Berkeley Person Registry

November 30, 2020, 7:00 pm

We had about 1200 old-style departmental accounts that were expired. We moved them from ou=people to ou=expired people in LDAP. We have made attempts to contact these account owners, but there may still be some users who are using these old-style accounts. If that is the case, then we can roll back the change for that particular account. There was no planned outage associated with this release. CMR: CHG0034115

Services Affected

  • LDAP

November 30, 2020, 6:30 pm

We have set up new servers for the SPA Admin app. CNAME changes for the idc.berkeley.edu will point to these new servers. We added a new server name, spa.berkeley.edu, that idc.berkeley.edu will redirect to. This release included a planned outage, however the outage was momentary, and only impacted users logged in at that moment. If users were using the application at that time, they needed to refresh their browser. CMR: CHG0034119

Services Affected

  • SPA Admin Application

November 30, 2020, 6:00 pm

To make it easier to determine if one has the current person when adding a member to a group in CalGroups, we added more attributes to the display value for member lookups. Previously, it was displayName. It was changed to uid - displayName - department name or "non-FSA". This release included a planned outage, however the outage was momentary, and only impacted users logged in at that moment. If they were using the application at that time, they needed to refresh their browser. For more information regarding this release, please click here(link is external). CMR: CHG0034116

Services Affected

  • CalGroups

November 17, 2020, 8:00 pm

Informational Update - in this release, the Windows and bConnected teams switched the authentication page from ADFS to CAS for some campus services (eg Sharepoint). This release included a planned outage, however the outage was less than a minute and only impacted authentication attempts for applications using ADFS during that minute. CMR: CHG0034088

Services Affected

  • CAS
  • Sharepoint
  • O365
  • Azure
  • ADFS

November 12, 2020, 10:00 pm

We are pointing BPR to a different back-end LDAP cluster. This required a server restart. There was a planned outage for 5 minutes during the 60 minute time frame of this release. CMR: CHG0034016

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry 

November 8, 2020, 9:00 am

We brought two new LDAP hosts online to replace our remaining RHEL6 LDAP hosts.  These hosts are dedicated to the BPR application but participate in the multi-master synchronization topology for all production LDAP servers. There was no planned outage associated with the release. CMR: CHG0034014

Services Affected

  • LDAP

October 29, 2020, 7:00 pm

SPAs were showing up in departmental groups in CalGroups after the recent changes. Since these departmental groups are employee groups, we removed the SPAs from these groups. There was no planned outage associated with the release. CMR: CHG0034037

Services Affected

  • SPA Admin Application
  • CalGroups

October 29, 2020, 7:00 am

We removed access to the CalNet LDAP/directory deprecated attributes. Those attributes can be found at https://calnet.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization#B. There was no planned outage associated with the release. CMR: CHG0033993

Services Affected

  • LDAP

October 17, 2020, 9:00 am

We made modifications to SPA group names to allow both the group and the SPA to be added to groups. Multiple application owners would like to add SPAs to their groups since the accounts show up in their account list rather than the personal account.

Services Affected

  • CalGroups
  • LDAP
  • SPA Admin Application
  • CalNet AD

September 25, 2020, 2:00 pm

We updated the language found at mycalnet.berkeley.edu. This required a restart of CalNet Account Manager, so account claiming, passphrase resets, and other CAM functions were briefly unavailable. 

Services Affected

  • CalNet Account Manager

September 19, 2020, 9:00 am

We made changes to property files in production Shibboleth by adding a new scripted attribute for the Library. CMR: CHG0033929

No Services Affected


September 19, 2020, 7:00 am

We reconfigured the LDAP cluster to use a different type of load balancing. This will enable us to track remote client IPs better. CMR: CHG0033928

Services Affected

  • LDAP

September 10, 2020, 7:00 pm

We renewed the certificate for the ldap cluster at ldap.berkeley.edu before it expires. We quiesced traffic to each node in turn to update the certificate.  Application owners and developers using non-system keystores should ensure they are only referencing the root and intermediate certificates, and not the expiring leaf node.  CMR: CHG0033895

No Services Affected


September 9, 2020, 7:00 am

We reconfigured the offsite LDAP clusters used for Shibboleth/CAS DR as well as general LDAP services to use a different type of load balancing. This enables us to track remote client IPs better.  CMR: CHG0033896

Services Affected

  • LDAP at SDSC

September 2, 2020, 9:00 am

CalNet shutdown the CalAccess service at https:/idc.berkeley.edu/ca since the application is no longer in use.  CMR: CHG0033880

No Services Affected


September 1, 2020, 10:30 am

We moved CalNet's Production Shared Services AWS account from the current AWS organization to the newer control tower-enabled central payer account organization.   CMR: CHG0033881

No Services Affected


September 1, 2020, 7:00 am

CalNet will remove approximately 50 unused and deprecated attributes from the berkeleyEdu objectclass(es) and delete the attribute definitions from the schema. We will be applying this change to LDAP Test on August 11th. CMR: CHG0033825

Services Affected

  • LDAP

September 1, 2020, 7:00am

The passphrase complexity changes scheduled for August 17 have been rescheduled to September 1, 7am. 

CalNet is updating the passphrase complexity requirement standards. Updated password complexity requirements will only affect *newly* created accounts or passphrases changed after the implementation. CMR: CHG0033821

Services Affected

  • BPR
  • CalNetAD

July 23, 2020, 7:30 am

Updated the certificate for the CalNet ActiveMQ instance because it was due for renewal. CMR: CHG0033781

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

July 22, 2020, 8:00 pm

Removed the "Entity not found" entries from CalGroups. Entity not found entries in CalGroups are of two types. They are from either ou=expired or ou=advcon. We will remove those from ou=expired from all groups. We cleaned-up the advcon entries from any official groups, but not app or org groups. CMR: CHG0033797

Services Affected

  • CalGroups

July 8, 2020, 7:00 am

We are making updates to the LDAP schema in preparation for the new CalNet Directory Update tool.  This includes modifications that should only be visible to internal CalNet processes. 

CMR: CHG0033749

No Outages 


July 4, 2020, 7:00 am

Additional settings to ensure a secure operating system.  These settings have already been applied to the production CAS systems since April and have been in our test environment for a month.  There will be a 10-minute outage of BPR while the server restarts after patching.  Other services are load-balanced and no outage is expected. CMR: CHG0033719

Services Affected

  • BPR / CalNet Account Manager
  • Shibboleth
  • CalGroups
  • Manage My Keys
  • LDAP 

July 1, 2020, 6:30 am

The PostgreSQL instance 'calnetbprprod' was migrated to a new RHEL7 VM dba-postgres-prod-55, as the RHEL6 VMs will soon be out of support. This database supports Calnet-BPR/IDM application.  CMR: CHG0033740

Services Affected

  • BPR / CalNet Account Manager
  • CalNet Admin Tool 

May 25, 2020, 7:30 am

We have upgraded CalGroups production servers to Grouper version 2.4. CMR: CHG0033624

Services Affected

  • CalGroups 

May 23, 2020, 8:00 am

This change updates the CAS configuration to allow the release of the mail attribute for Sponsored Guests. CMR: CHG0033623

Services Affected

  • LDAP
  • CAS
  • CalNet Sponsored Guests 

May 14, 2020, 6:00 pm

This release includes the following bug fix and feature enhancements, and will include a brief outage (less than 5 minutes) of BPR apps while the servers restart. CMR: CHG0033589

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool
  • CalNet Namespace
  • Berkeley Person Registry

Tickets Resolved

TicketComment
CAT-172 Add Status and Expiration Date to CAT
CNR-2011  Changes to ou and berkeleyEduExpDate calculation for some students
CNR-2013  New Changes to Account Locked Emails
CNR-2010 User with CAT Role: ROLE_IHUB_TRIGGER is not able to trigger iHub message
CNR-2012 Create new person info registry-service endpoint for Directory Update app

April 29, 2020, 9:55 pm

This release will change the method of download for the InCommon Metadata. We have been doing nightly downloads of the entire list of InCommon SPs. A new method, Metadata Query service (MDQ), allows us to only download the SPs we need to access.
We will also begin the IDP cert change process. It involves adding the replacement cert to the metadata along with the original cert, allowing time for SPs to pick up the new cert, and eventually removing the original cert from the metadata. CMR: CHG0033559

Services Affected

  • Cloud based services including bConnected
  • Shibboleth

April 28, 2020, 7:16 am

This release is the removal of assured replication from the CalNet LDAP replication domains.CMR: CHG0033523

Services Affected

  • LDAP

April 28, 2020, 7:16 am

This release applies additional OS security settings to our systems. This change is to configure the level 1 and 2 CIS benchmark settings.CMR: CHG0033480


April 17, 2020, 2:08 pm

This release updates BPR and changes the managing of expired STU-DELEGATEs. When a student affiliation is expired, the delegate's stu-delegate affiliation will also expire.
When a student has extended SIS access, the delegate's affiliation should expire when the student's extended SIS access affiliation expires. There is no grace period for STU-DELEGATE affiliations. CMR: CHG0033488

Services Affected

  • BPR

April 14, 2020, 6:44 am

This release will enable hostname whitelisting to the CAS Duo integration in production. This was done for auth-test several months ago.CMR: CHG0033474
Services Affected

  • CAS

April 3, 2020, 8:55 am

This release adds an additional cipher to our LDAP servers' configuration to support older hosts using openssl.CMR: CHG0033453
Services Affected

  • LDAP

March 18, 2020, 6:30 pm

This release disables TLS 1.0 and 1.1 so that clients/integrations must use at least TLS 1.2.CMR: CHG0033356
Services Affected

  • BPR
  • CalNet Account Manager
  • CalNet Admin Tool
  • CalGroups
  • CAS
  • LDAP
  • Shibboleth

 March 18, 2020, 6:30 pm

In this release, we will be applying a text change to the Berkeley Person Registry (BPR), specifically the CalNet Account Manager. Most public-facing BPR functions, like the CalNet Account Manager and CalNet Admin Tool, will be offline for a minute or two while the server restarts. CMR: CHG0033431

Services Affected

  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

March 16, 2020, 6:00 am

This release is the removal of the expiring AddTrust root certificate is in the SSL template used for the EWH CAS load balanced VIP. CMR: CHG0033399


March 3, 2020, 9:30 pm

We will be changing the source for the org tree data found in production LDAP on Wednesday 3/4 from 9:30 - 10. There is no expected downtime. CMR: CHG0033388


March 3, 2020, 9:00 pm

We will change the certs for IDC servers on Wednesday 3/4 at 9 pm (30 min window). There will be no downtime, as the servers are HA. The services, SPA admin and Manage My Keys, will continue to be accessible during the change. CMR: CHG0033387


March 3, 2020, 5:30 pm

This code release for Berkeley Person Registry includes Grails upgrade, modifications to logic, and bug fixes. CMR: CHG0033384

Tickets Resolved

TicketComment
CNR-1990 Upgrade to Grails 3.3.11
CNR-1989 Upgrade Grails Spring Security plugin to 3.3.1
CNR-441 Implement security on ucb-match and registry-match-service
CNR-1992  Modify match engine and match service configurations to use auth
CNR-1984 Restrict length of new CalNetIDs to 19 characters
CNR-1987  Change CalnetID requirements page to show max of 19 instead of 20
CNR-2003 Content change for source for i371 requests sent to iHub
CNR-1995  User is active but should not be

February 27, 2020, 8:00 pm

This release is an upgrade of CAS (auth.berkeley.edu) to 5.3.15.  It includes minor bug fixes as well as CalNet specific changes to improve some error messages as well as an updated URL for forgotten passphrases. No outage is expected. CMR: CHG0033329


February 19, 2020, 8:00 pm

This release changes the way that Special Purpose Accounts are provisioned. We will no longer be using OpenIDM. No downtime is expected. CMR: CHG0033331


February 18, 2020, 7:00 am

At 7am on Tuesday, Feb 18, we will enforce AuthZ on CAS-enabled applications using the wildcard (*.berkeley.edu) registration. The purpose of this change is to ensure that, by default, only CalNet users with 2-step verification are permitted to authenticate. This includes all active and in-grace students, employees and affiliates, logging in as themselves or using SPAs or rSPAs. CMR: CHG0033199

See https://calnet.berkeley.edu/calnet-technologists/single-sign/sso-authorization for more information.


February 13, 2020, 7:00 am

This release is an update of the certs for CalGroups. There will be no downtime. CMR: CHG0033332


January 28, 2020, 7:30 am

A new version of CAS (5.3.15) will be released to auth-test on January 28. The update includes:

  • Update to the forgot CalNet ID or passphrase link on the CAS screen
  • Add 2-step help link and better language to the MFA error page
  • Various minor fixes in the base CAS project

Back to Top


December 17, 2019, 8:00 pm

This release is a certificate update for bpr.calnet.berkeley.edu. There will be a brief outage of BPR as the service restarts. CMR: CHG0033161

Services Affected

  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

December 6, 2019, 5:30 pm

This release includes bug fixes and feature enhancements to Berkeley Person Registry, CalNet Admin Tool and CalNet Account Manager. CMR: CHG0033126

Services Affected

  • CalNet Account Manager
  • LDAP
  • CalNet Admin Tool
  • CalNet Namespace
  • Berkeley Person Registry

Tickets Resolved

TicketComment
CAT-162 UIDOld and UIDOldConsolidationDate not getting written in consolidation
CAT-169 Namespace folders do not get moved from expired records in LDAP upon consolidation
CAT-170 ConsolidationDate and CalNetUidOld do not get written
CNR-1961 Detect and delete VOID VOID records
CNR-1962 Change Locked Account Email
CNR-1969 Update passphrase requirements text
CNR-1975 problem with BUSN email getting to UCPath
CNR-1978 Multiple new SORObjects partially matching to a UID
CNR-1979 Change the Rank Order used for Names from SORs
CNR-1980 Fix hash code bug when two DDODS email addresses swap PREF_EMAIL_FLAG values.
CNR-1981 Recognize PREF_EMAIL_FLAG='N' UCPath emails.

December 4, 2019, 9:00 pm

This release retires the legacy CalNet Guest application. CMR: CHG0033137

Services Affected

  • CalNet Guest application

Tickets Resolved

TicketComment
CG-187 Retire Legacy Guest App

November 21, 2019, 8:30 am

We will be launching the process that enables the policy of requiring an employee as part of a SPA user group starting Thursday morning, Nov. 21 at 8:30 am. There is no down time. 

Services Affected

  • Special Purpose Accounts

November 21, 2019, 7:00 am

We are making two changes to our LDAP access logs.

1. Add milliseconds to the timestamp format. 
2. Switch to a combined log format to simplify log parsing and reduce log size.

Services Affected

  • LDAP

November 15, 2019, 8:00 am - November 22, 2019

We will decommission net-auth-p1 and calnet-p2 servers.

Both servers will be powered off and then deleted after 7 days.

Services Affected

  • Open IDM
  • SPA Admin App

November 13, 2019, 9:00 pm

We need to restart openidm on idm-p1 to remove a dependence on the krbservice/net-auth. The service affected is the SPA Admin app which is available to employees only.  2 minute outage of SPA App expected. CMR: CHG0033079

Services Affected

  • Open IDM
  • SPA Admin App

November 12, 2019, 7:00 am

We will update CAS registrations to specifically ensure sponsored guests cannot access services that have not directly been enabled for sponsored guests by the application owner.  In some cases it is possible for a sponsored guest who has an existing and valid SSO session to access an application that has not specifically been enabled for guest access.  This is due to an issue in CAS that affected the migration of service registrations and was fixed in the last CAS upgrade. CMR: CHG0033075

Services Affected

  • CAS

October 29, 2019, 8:00 pm

We will upgrade CAS (auth.berkeley.edu) to 5.3.12.1 and Tomcat server to 8.5.46.  Both contain numerous bug and security fixes.  Hazelcast is bundled with CAS and will receive a version bump as well. Auth-test and auth.berkeley.edu will be upgraded as follows:

Monday, 10/7 @0800 - Implement in auth-test.berkeley.edu
Tuesday, 10/29 @2000 - Implement in auth.berkeley.edu

We encourage developers to test their applications thoroughly against https://auth-test.berkeley.edu(link is external).  A separate announcement will be sent for the production upgrade toward the end of October. CMR: CHG0032985

Services Affected

  • CAS

October 24, 2019, 9:00 pm

This release is a minor change to the idc.b.e/mmk app. We are removing the user defined option for bConnected keys. Given the idc.b.e system is HA, there is no expected downtime. CHG0033031

Services Affected

  • Manage My Keys

October 22, 2019, 5:30 pm

In this release, we add known bad passwords to ucb-dictionary. CMR: CHG0033024

Services Affected

  • ucb-dictionary
  • bidms-downstream
  • registry-service
  • account-manager

October 7, 2019, 8:00 pm

This release includes configuration adjustments and cosmetic changes to CAS. It was released to auth-test.berkeley.edu on 9/30/19 to allow time for testing. There are no major changes to CAS code in this release. CMR: CHG0032969

Services Affected

  • CAS

September 13, 2019, 6:00 pm - September 16, 2019, 8:00 pm

This release includes substantial changes to the CalNet stack. The MIT Kerberos authentication servers are being retired in favor of Active Directory. Reorganization of the AD structure follows security best practices and allows CalNet to be system of record for all user objects.

In addition, this release contains feature enhancements and bug fixes for CalNet Account Manager and CalNet Admin Tool; removal of legacy HCM and SIS processes; and an upgrade to Grails 3.3.10.

There may be brief periods of instability in the CalNet suite of services over the weekend while user account reprovisioning occurs. We expect all systems to return to their normal functions by 8pm on Monday, Sept. 16.

This release also retires the CalNet Sync Tool.

CMR: CHG0032879

Services Affected

  • All CalNet and Berkeley Person Registry Applications
  • CalNetAD
  • CAS
  • CalNet Sync Tool

Tickets Resolved

Ticket

Comment

CNR-1899

Change to match rule #2

CNR-1903

Remove legacy HCM account claiming entirely from CAM (Was: Delete extra employee account claim in CAM admin view)

CNR-1909

Fix UCPath LdapSync'ing in test environment

CNR-1904

Changes to CalNet ID creation - confirmation email

CNR-1938

Create a "Super Canonical" match engine config rule type

CNR-1939

registry-sor-gateway Quartz jobs stop working after some amount of time in production

CNR-1937

There is a CAM cache bug when a user changes calnetId

CNR-1926

Make it configurable to switch between sendgrid and greenmail for registry-service quartz jobs that send out email

CNR-1936

Not able to change CalNet ID to something I already own

CNR-1924

Need a way to identify "presirs with calnetIds" using roles

CNR-1922

AD provisioning: Changes to who gets provisioned to AD

CNR-1921

AD provisioning: OU changes based on primary affiliation

CNR-1920

AD provisioning: primaryGroupID changes based on primary affiliation

CNR-1919

Create new provisioning groups in my local AD

CNR-1918

AD provisioning: Active userAccountControl for in-grace people

CNR-1914

AD provisioning: OU and primaryGroupID changes for different primary affiliations and keeping in-grace people active

CNR-1516

Modify bidms-downstream change password endpoint to recognize certain AD passphrase validation errors codes

CNR-1911

Modify BPR tools to use AD Kerberos and not krbservice

CNR-1927

Enhancement to bidms-connectors/bidms-downstream to add and remove a person from directory groups

CNR-1917

When doing password change, use an user bind rather than an administrative bind

CNR-1928

Enable sendgrid (to test mailbox) in test for reg-serv end-of-life jobs

CNR-1496

Remove sisStudentSorKeyDataExtractor from sor-key-data-service

CNR-1944

bidms-downstream memory leak

CNR-1945

bidms-connectors isn't detecting a change when userAccountControl bits should be changing so no write is performed

CNR-1947

No longer referencing SYSADM.PS_TERM_TBL in any BPR queries to SIS databases

CNR-1946

Add CWR004 Staff Intern and CWR012 Traveling Nurse to official affiliatons in BPR

CNR-1910

Remove legacy hcm from SOR Gateway Service

CNR-1891

Remove defunct legacy HCM provisioning code from registry-provisioning-scripts

CNR-1949

Upgrade BIDMS web apps to Grails 3.3.10

CNR-1951

Add Deposit Pending to Campus Solutions query

CNR-1941

Provision BPR-managed SPAs to LDAP

CNR-1950

Update content on CAM welcome page

CNR-1956

Additional audit logging for CAT split/merge/reconciliation

CNR-1957

Additional audit logging for CAT split/merge/reconciliation

CNR-1958

Additional audit logging for CAT split/merge/reconciliation

CNR-1959

CalNet ID naming requirements need to be more restrictive temporarily


September 12, 2019, 8pm

In this release, we will add new authentication profile to the shibcas plugin. This is very minor change. Service won't be affected because the servers are in an HA configuration. CMR: CHG0032909

Services Affected

  • Shibboleth

September 12, 2019, 8:15 pm

This is a minor change to CalGroups, CalGroups that changes the large group limit for AD and LDAP provisioning from CalGroups. There will be a short break (15 sec) in provisioning to AD and LDAP when the provisioning service is restarted.  CMR: CHG0032908

Services Affected

  • CalGroups

August 1, 2019, 6:00 am

This release will update CAS logging and A10 health checks. CMR: CHG0032767

Services Affected

  • CAS

July 4, 2019, 8:00 am

This is a test of DNS failover for auth.berkeley.edu and shib.berkeley.edu starting the morning of Thursday, July 4th at 08:00 AM PT. CMR: CHG0032674

The test period is expected to last for approximately 1 hour. During this period DNS requests for auth.berkeley.edu and shib.berkeley.edu will return the addresses for our DR site. 

If you currently enforce outbound firewall rules for web traffic, you should add additional allow rules for the SDSC virtual IPs:

CAS:
Port: 443
IP: 192.107.102.203

Shib:
Port: 443
IP: 192.107.102.199

This should be transparent to your applications. If you experience any issues please contact calnet-admin@berkeley.edu(link sends e-mail) with a thorough description of your problem.

Services Affected

  • CAS
  • Shibboleth

July 3, 2019, 7:00 pm

This release will prevent Student Volunteers from creating CalNet accounts, per instruction from UCPath. There will be a brief outage when the servers are restarted. CMR: CHG0032702

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

July 2, 2019, 7:00 am

DNS change for the Shibboleth production hostnames to allow us engage in HA with our SDSC servers. There will be an outage of Shibboleth of up to 10 minutes during this time. CMR: CHG0032671

Services Affected

  • Shibboleth

June 20, 2019, 8:00 am

We will upgrade CAS on the test auth-test.berkeley.edu cluster to 5.3.11.  The CAS release contains bug fixes for delegated authentication.  The CalNet-specific changes include enabling authentication and ticket issuance throttling.  No downtime expected, we will fail over to SDSC and back to EWH. CMR: CHG0032637

Services Affected

  • auth-test.berkeley.edu

June 13, 2019, 9:00 pm

In this release, we will remove the passphrase synchronization feature from auth.berkeley.edu in preparation for the migration to AD Kerberos.  This is not a user-facing function of CAS and is not to be confused with the passphrase reset features of CalNet Account Manager. CMR: CHG0032603

Services Affected

  • CAS

June 13, 2019, 7:00 am

In this release, we will configure DNS failover for the shib-test.berkeley.edu Shibboleth cluster.  This will allow Shibboleth to fail over to San Diego in case of a major network or systems outage at EWH.  There will be an outage to shib-test as DNS records will be deleted and re-created as new record types. CMR: CHG0032614

Services Affected

  • shib-test

June 6, 2019, 7:00 am

This release is a patch of RHEL 6.x and the JVM for the idc.berkeley.edu application cluster. CMR: CHG0032587

Services Affected

  • idc.berkeley.edu, including:
    • Legacy Guests
    • MMK

June 1, 2019, 10:00 am

This release will enable WebAuthn/FIDO2 and Touch ID for Duo users and devices. See https://guide.duo.com/security-keys(link is external) and https://guide.duo.com/touch-id(link is external) for details on these new options for Duo devices. Existing Duo U2F users will be prompted to re-register their devices. CMR: CHG0032567

Services Affected

  • CalNet 2-Step

May 28, 2019, 9:00 pm

We will modify the CAS principal lookup filter to be more exclusive by only returning berkeleyEduPerson objects.  This is necessary to address an issue discovered while validating new Sponsored Guests with a specific application. CMR: CHG0032578

Services Affected

  • CAS
  • Shibboleth

May 23, 2019, 6:30 pm

This expedited change includes changes to UCPath and Sponsored Guests provisioning. CMR: CHG0032577

Services Affected

  • SOR Gateway Service
  • Registry Provisioning Scripts
  • Berkeley Person Registry

Tickets Resolved

TicketComment

CNR-1898

UCPATH_DDODS hash query 
CNR-1894 CWR020 Student Volunteer

CNR-1887 

Cirrus Guest Account provisioning populate beKPS

CNR-1876

Set LDAP ucNetId value from UCPath external identifiers

May 23, 2019, 6:30 pm

This expedited change includes changes to UCPath and Sponsored Guests provisioning. CMR: CHG0032577

Services Affected

  • SOR Gateway Service
  • Registry Provisioning Scripts
  • Berkeley Person Registry

Tickets Resolved

TicketComment

CNR-1898

UCPATH_DDODS hash query 
CNR-1894 CWR020 Student Volunteer

CNR-1887 

Cirrus Guest Account provisioning populate beKPS

CNR-1876

Set LDAP ucNetId value from UCPath external identifiers

May 12, 2019, 10:00 am

This release will modify the queries used for department and title code groups within CalGroups to only use UCPath data. Some users may gain or lose access to systems that use those groups. CMR: CHG0032522

Services Affected

  • Any system utilizing department / title code groups, such as:
    • LDAP
    • Active Directory
    • Google
    • CalGroups API

Tickets Resolved

TicketComment
CG-173 Modify Department and title code groups in CalGroups

May 10, 2019, 6:30 pm

This release will upgrade all Berkeley Identity Management Suite apps to Grails 3.3.9.

It will also remove HCM as a system of record for job data and LDAP affiliations.

Employees and Affiliates that are in HCM but are not yet in UCPath may enter their grace period (https://calnet.berkeley.edu/calnet-me/how-claim-your-calnet-id/grace-periods) and are likely to get an account expiration notice. Employees and Affiliates who receive an unexpected expiration notice should review their UCPath HR status with their HR support staff.

LDAP affiliations for expired HCM and UCPath Affiliates will undergo a change to ensure backwards compatibility:

  • HCM Affiliates who enter their grace period will get the FORMER-HCM-AFFILIATE  affiliation.

  • UCPath Affiliates who enter their grace period will get the FORMER-AFFILIATE  affiliation.

  • In 3-4 months, CalNet will transition to using FORMER-AFFILIATE, only.  

  • Developers will receive additional communications when this change is made, and when the FORMER-HCM-AFFILIATE will be deprecated.

All affiliate records should only ever have either a FORMER affiliation or an active AFFILIATE-TYPE- affiliation, but not both at the same time.

See UCPath Affiliation Changes(link is external) for additional affiliation information.

CMR: CHG0032500

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • SOR Gateway Service
  • Match Service
  • CalNet Account Tool
  • CalNet Account Manager
  • LDAP

Tickets Resolved

TicketComment
CNR-1859 Upgrade all BIDMS apps to Grails 3.3.9
CNR-1879 Create replacement roles for Manager/Supervisor in UCPath
CNR-1880 Recognize UCPath "PRF" coded names as sorPreferredName
CNR-1881 Minor changes to match engine logging output
CNR-1884 Assert FORMER-AFFILIATE for former UCPath affiliates.  Don’t assert FORMER-HCM-AFFILIATE for active UCPath affiliates.
CNR-1883 Remove legacy HCM job data
CM-445 Edit error message for CAM
CM-447 Error message for twoStepClaim
CM-448 Redirect Slate-authenticated users
CM-449 List of AFFILIATE-TYPE- values for authorization need to be updated in CAM

April 24, 2019, 9:00 pm

In this release, CAS operating system patches will be applied. CMR: CHG0032465.

Services Affected

  • CAS
  • Shibboleth

April 24, 2019, 7:00 pm

This release includes work on the CalNet Sponsored Guest project, and some continuing UCPath cleanup. CMR: CHG0032481

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • LDAP
  • SOR Gateway Service
  • Match Service
  • CalNet Sponsored Guests

Tickets Resolved

TicketComment
CNR-1860 Ensure CAM restricts users from creating CalNet IDs that start with UID
CNR-1862 Cirrus reporting http 403 error
CNR-1864 Add REST endpoints to registry-service that talk to Cirrus API to create invitations for existing UIDs
CNR-1865 Write a program that creates Cirrus invitations for existing UIDs through registry-service endpoints
CNR-1863 Convert existing guests into Cirrus guests using pre-sent Cirrus invitations
CNR-1870 Remove legacy SIS (pre-CS) from LdapSync process
CNR-1869 Remove legacy HCM sor from LdapSync process
CNR-1868 Add ucpath to LdapSync now that dev/test have prod ucpath EMPLIDs
CNR-1867 Rename ldapAffilGuestTypeSocial role to be consistent with the new string value in LDAP
CNR-1849 Add sorObjKey to registry-match-service NewSORConsumerService response log message
CNR-1874 

Claim token can be used twice

 CNR-1875 Trigger IHub button in CAT should send message to both CS and UCPath, if it isn't already

April 14, 2019, 8:00 am

This is an update to the Slate theme of the Duo login page. Related to: CHG0032441.

CMR: CHG0032458

Services Affected

  • CAS
  • Shibboleth

April 9, 2019, 8:00 pm

This is an update to a new version of the Duo websdk and includes changes to the CAS login view, to change how the Duo iframe is generated. Some users may now see the 2-Step page rendered as smaller-than-normal. See Known Issues for steps to fix this issue. CMR: CHG0032441

Services Affected

  • CAS
  • Shibboleth

April 1, 2019, 4:45 pm

This code is an update to the logic BPR uses regarding UCPath messages; specifically, to ignore ActionReason 'VOI' jobs in I-280 and DDODS. CMR: CHG0032422

Services Affected

  • Berkeley Person Registry

April 1, 2019, 8:45 am

This code fixes timeout exceptions when provisioning large quantities from Berkeley Person Registry to Active Directory. CMR: CHG0032419

Services Affected

  • Berkeley Person Registry
  • Active Directory

March 28, 2019, 3:00 pm

This release fixes a bug in provisioning in which berkeleyEduExpDate got improperly reset for some legacy HCM former employees CMR: CHG0032416

Services Affected

  • LDAP
  • Berkeley Person Registry

March 27, 2019, 11:00 pm

With this release, we will replace the EV TLS cert for auth.berkeley.edu.  Additional alternative names will be included to support future DNS failover. CMR: CHG0032402

Services Affected

  • CAS
  • Shibboleth

March 27, 2019, 3:10 pm

This CalNet release updates logic used to populate employeeNumber attribute in LDAP as well as the way CalNet looks at POIs from UCPath. CMR: CHG0032413

Services Affected

  • Berkeley Person Registry
  • LDAP

Tickets Resolved

TicketComment
CNR-1851 UCPath POIs aren't getting masterActive role if their only active affiliation is UCPath POI
CNR - 1852 Delete employeeNumber from LDAP if active UCPath POI/CWR but not an employee, even if active emp in legacy HCM

March 25, 2019, 10:40 am

This deployment is for new code to handle new information from UCPath DDODS tables. This deployment required a restart on registry-p1, which led to a brief outage. This deployment is already complete. CMR: CHG0032404

Services Affected

  • Berkeley Person Registry

Tickets Resolved

TicketComment
CNR-1847 New info from UCPath: DML_INDICATOR='D' in DDODS tables indicates a DELETED row

March 25, 2019, 7:00 am

In this release, we will configure DNS failover for the auth-test.berkeley.edu CAS cluster.  This will allow CAS to fail over to San Diego in case of a major network or systems outage at EWH.  There should be no noticeable outage, this is just a transparent DNS change from the perspective of CAS clients. CMR: CHG0032379

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

March 22, 2019, 7:00 am

This change is an upgrade to CAS on the test auth-test.berkeley.edu cluster to version 5.3.9. The CAS release contains minor bug fixes. This changes also includes cosmetic updates to support CalNet Sponsored Guest accounts. The TLS certificate for auth-test will also be updated to add additional SAN records for DNS failover and to use an EV certificate to mirror production.

The service will be down for less than 5 minutes for a restart. CMR: CHG0032374

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

March 20, 2019, 6:00 am

CalNet will begin UCPath Go-Live and reprovisioning activities on or after 3/20/2019.

During the go-live process, there may be restarts needed that will affect CalNet Admin Tool and CalNet Account Manager for ~5 minutes. Reprovisioning could cause delays in real time messaging and updates to LDAP, Active Directory and API Integration Hub.

LDAP attributes will be updated with UCPath data (most notably: employeeNumber, berkeleyEduAffID, berkeleyEduAffiliations, title codes). Users using these attributes should refer to https://ucpath.berkeley.edu/ucpath-cal/tech-talk(link is external) or https://ucpath.berkeley.edu/faq/technical(link is external) for additional information.

There is no planned outage for SSO, CAS, Shibboleth, or LDAP.

This change date is tentative, and may be delayed by 1 or more days if UCPath conversion is behind schedule. CMR: CHG0032350

Services Affected

  • LDAP - attributes only
  • CalNet Admin Tool
  • CalNet Account Manager

March 20, 2019, 12:00 pm

During this change, legacy apps using Rails are no longer needed and are vulnerable will be retired. CMR: CHG0032376

Services Affected

  • Manage Your Identity Applications
  • CalNet Deputy Application
  • UAS Portal

Tickets Resolved

TicketComment
OPS-409           Deprecate MYI/UAS - calnet-p2/net-auth-p2

March 6, 2019, 6:00 pm

This release will add notices/warnings on the directory update pages hosted on calnet-p1. These warn about the potential for public exposure of addresses and phone numbers entered via the Directory Update app when published to the Campus CalNet Directory.

A brief outage of less than 1 minute will occur when the app is restarted. CMR: CHG0032344

Services Affected

  • CalNet Directory Update Application

March 6, 2019, 6:45 am

This release includes code changes in support of the UCPath implementation and server patches. There will be two short outages, about one minute each, as the server is restarted. CMR: CHG0032340

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • Registry Provisioning
  • CalNet Account Manager
  • CalNet Admin Tool
  • Active Directory
  • LDAP

Tickets Resolved

TicketComment
CNR-1667             UCPath: If personal email address becomes available via UCPath, modify sor-key-data-extractor to parse out and modify registry-provisioning-scripts to provision as personal email address
CNR-1741 UCPath: Need to understand how "UCB" POIs are identified in DDODS
CNR-1785 UCPath: Gain access to the DDODS UAT instance
CNR-1801 Modify bidms-connectors to reuse same LDAP connection within a call to persist()
CNR-1803 UCPath: Integrate with the new "delete EMPLID" queue once it becomes available (yet to happen, but code is there to support it)
CNR-1805 UCPath: Quartz job to find old emplids in i-280 sor that aren't in DDODS anymore
CNR-1806 UCPath: dev DDODS hash query throwing an string concatenation exception
CNR-1809 UCPath: DDODS query needs to handle POI-only people with no jobs
CNR-1810 UCPath: The test I-371 IHub REST endpoint is not working
CNR-1811 UCPath: POI_TYPE codes have changed in DDODSQPT
CNR-1812 UCPath: There are additional CWR codes in DDODSQPT that we weren't originally given
CNR-1813 UCPath: The "send to IHub" logic needs to become more complex to support multiple IHub endpoints for CS and UCPath
CNR-1814 UCPath: last_updates subquery is causing slowness of the per-EMPLID DDODS query
CNR-1816 UCPath: Make ucPathId a recognized account claim identifier in CAM and registry-service
CNR-1817 UCPath: Create a SQL query to compare UAT active employee list with legacy HCM active employee list
CNR-1818 UCPath: Modify reg-prov-scripts to have UCPath be prioritized over legacy HCM for payroll-related LDAP attributes
CNR-1819 UCPath: In match engine, make UCPATH_DDODS<->UCPATH_INTER_PERUPD primary key pairing a canonical match
CNR-1820 UCPath: Create a view from DDODS data that only contains I-280 data elements
CNR-1821 UCPath: Look at BOTH PPS_ID and PSFT_ID for a legacy HCM external identifier
CNR-1823 UCPath is sometimes incorrectly removing the leading zero from legacy HCM identifiers
CNR-1829 UCPath: last_updates inline view has a SQL bug in it

February 27, 2019, 9:00 pm

On Wednesday evening (2/27) from 9-10 pm, we will be upgrading the ShibCAS plugin on the production Shibboleth servers. Since the servers are redundant, there will be no down time while the updates happen. This service is used by any campus member logging into an external service like bConnected. CMR: CHG0032328

Services Affected

  • Shibboleth

February 27, 2019, 7:00 am

This is an update to the CAS / AD password sync filter. With the implementation of AD password sync in CAS on Sunday (CHG0032283) we are seeing a high number of errors for a specific account.  This change will alter the LDAP filter to exclude the account from the sync call. CMR: CHG0032323

Services Affected

  • CAS
  • Active Directory

February 24, 2019, 8:00 am

We will upgrade CAS on the production auth.berkeley.edu cluster to 5.3.7. CMR: CHG0032283

Notable Changes Include

  • CalNet AD password synchronization
  • Improved surrogate/impersonation support for SPAs
  • Support for social guests
  • Accessibility improvements

Services Affected

  • CAS
  • Shibboleth

February 21, 2019, 6:00 pm

We will reconfigure the httpd TLS settings on calnet.b.e and net-auth.b.e to follow OWASP recommendations for TLS security. A brief outage of less than 1 min will happen as the web servers are restarted. CMR: CHG0032301

Services Affected

  • Directory Update App
  • krbservice

February 17, 2019, 9:00 am

In this release, we will extend the berkeleyEduPerson object class to include a new attribute named berkeleyEduUCPathID.  After conversion to UCPath, the berkeleyEduHCMID will contain the deprecated employee id.  Both berkeleyEduUCPathID and employeeNumber will contain the UCPath employee id. CMR: CHG0032274

Services Affected

  • LDAP

February 13, 2019, 7:00 am

We will replace the certificate on the test/QA CAS instance (auth-test.berkeley.edu) to update the subject alternative names in preparation for DNS failover testing.  There will be a brief outage while CAS is restarted, from 7am-7:10am. CMR: CHG0032291

Services Affected

  • auth-test.berkeley.edu
  • CAS-test

February 11, 2019, 9:00 am

This release is an upgrade of the CAS test/QA service definition files to the latest format to prepare for the CAS 5.3.7 upgrade in prod later this month. 

We will also implement a new default authorization policy on CAS applications that have not registered with the CalNet team. The default authorization will enforce that any non-registered applications are restricted to student, staff, faculty and valid HCM affiliates. See https://calnet.berkeley.edu/calnet-technologists/single-sign/cas/cas-default-authorization for more information. CMR: CHG0032273


January 31, 2019, 8:00 am

This release is the retirement of the nds.berkeley.edu LDAP service. CMR: CHG0032216.  All customers should use ldap.berkeley.edu as the primary LDAP service and ldap-test.berkeley.edu for test/qa purposes.

On October 31, 2018 ldap.berkeley.edu was upgraded to the latest directory server software, which is a major upgrade from nds.berkeley.edu.  With that service stable we are now retiring the legacy LDAP service.

If your service depends on LDAP, you can test the performance and functionality of the latest software using either ldap.berkeley.edu or ldap-test.berkeley.edu.  It is highly recommended that you test your applications as soon as possible and report any issues to calnet-admin@berkeley.edu(link sends e-mail).

If your application or TLS/SSL libraries do not accept the ldap.berkeley.edu certificates as trusted see this resource for developers.


January 3, 2019, 6:00 pm

This is an emergency release primarily to address a regression bug affecting some accounts with conflicting affiliations. CMR: CHG0032199

Notable changes Include

  • Fix for employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time
  • Add LDAP mail attribute for social guests
  • Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.

Services Affected

  • Registry Service
  • Registry Provisioning
  • Cirrus Guest App
  • CalNet Account Manager
  • CalNet Guest Accounts

Tickets Resolved

TicketComment
CNR-1800 LDAP mail attribute with cirrus/social guests user email address
CNR-1804 Registry-match-service newSORObjectQueue queue listener stops listening after one exception on a message.
CNR-1807 Employees showing up with FORMER-EMPLOYEE and EMPLOYEE-TYPE-* LDAP affiliations at the same time.
CNR-1808 Add additional exception handling in provisionUid and provisionUidBuilk (related to CNR-1804)
Back to Top

December 2, 2018, 8:00 am

The nds.berkeley.edu certificate is expiring on December 6th, 2018.  Though this is now considered to be our legacy LDAP system we have several customers still using the cluster.  This may impact their applications if they are manually importing certificates into their application's key store. CMR: CHG0032146

Services Affected

  • nds.berkeley.edu
  • Any application still using nds.berkeley.edu

November 30, 2018, 7:00 am

This release is an upgrade of the the test/qa instance of CAS to version 5.3.6.  This will enable customers to test the latest version of CAS on auth-test.berkeley.edu. CMR: CHG0032155

Services Affected

  • CAS auth-test

November 1, 2018, 7:30 am

This release includes a variety of bug fixes; updates to system software; improvements to Registry Provisioning, SOR-Gateway Service, Active Directory, and CalNet Account Manager; and development on UCPath and the Cirrus guest app replacement. CMR: CHG0032080

Notable changes include

  • Users in grace can use CalNet Account Manager
  • Users in grace will be disabled but not deleted in Active Directory
  • Users with a lapsed but not terminated HCM record will receive regular grace period notifications
  • Guests will be able to use CalNet Account Manager to recover passphrase and change passphrase (new Guests will need to wait 24 hours after account creation before they can use this feature)

Services Affected

  • Registry Service
  • Registry Provisioning
  • SOR Gateway Service
  • CS Delegates
  • SOR Gateway
  • UCPath
  • Cirrus Guest App
  • CalNet Account Manager
  • CalNet Guest Accounts
  • Active Directory
  • Special Purpose Accounts


Tickets Resolved

TicketComment
CNR-1744 registry-service java.lang.IllegalArgumentException: null exception
CNR-1743 registry-service principal cannot be null exception
CNR-1748 CS delegate quartz job is running but doesn't appear to be doing anything in production
CNR-1737 UCPath: Get test env hooked up to ddodsdpt ucpath DDODS
CNR-1738 UCPath: Gain access to I-371 integration team's api-central REST endpoint
CNR-1753 UCPath: real time messages need to go through the match engine
CNR-1751 UCPath: Get test env hooked up to i-280 ihub endpoint
CNR-1731 UCPath: Add mock i280 SORObjects to registry-mock
CNR-1662 UCPath: Develop JMS consumer for expected format of real-time iHub messages for I-280 data
CNR-1752 UCPath: Write a script to invoke I-371 (request I-280) for a list of EMPLIDs
CNR-1750 UCPath: Send a UID message to uc path uid endpoint
CNR-1740 UCPath: Add PS_PER_POI_TRANS to DDODS query
CNR-1732 UCPath: Modify reg-prov-scripts to treat the i280 SOR as primary uc path SOR
CNR-1749 UCPath: IHub real-time messages currently contain " " (quotespacequote) for empty values. Need to convert these to nulls.
CNR-1665 UCPath: Modify BPR views to replace HCM with UCPath or augment views with UCPath data
CNR-1758 sor-gateway hash and query quartz jobs should not be executing service methods within log.info() call
CNR-1759 In sor-gateway incorrect calnetSorHashAndQuery.enabled check logic in hash and query quartz jobs
CNR-1761 UCPath: Improve the UcPath?AppointmentsJson.getUcPathAppointmentEffectiveStatus logic for future effective appointments
CNR-1725 UCPath: Mechanism for detecting desynchronization between DDODS and last i280 received
CNR-1762 Create mechanism in SGS to call the IHub UCPath I-371 (request msg) interface
CNR-1771

Cirrus: Create LDAP DownstreamObject for Cirrus guests and add GUEST-TYPE-SOCIAL to berkeleyEduAffiliations (this has changed to GUEST-TYPE-SPONSORED as of March 2019).

CNR-1776 Cirrus: Add sponsorUid to LDAP
CNR-1774 Cirrus: Need to pay attention to the guest end date in the Cirrus JSON
CNR-1763 Cirrus: Add Cirrus SORObject processing to registry-provisioning-scripts
CNR-1766 Cirrus: Add an Identifier type for the Cirrus primary key
CNR-1767 Cirrus: Add an IdentifierType for the Cirrus accepted invitation ID
CNR-1765 Cirrus: Add an IdentifierType for Cirrus Guest Sponsor UID
CNR-1718 Cirrus can't provide sponsorUid, only sponsorEppn (calnetId), in the messages they pass back -- convert eppn to uid as early as possible on our end
CNR-1768 Cirrus: Add an IdentifierType for Cirrus Guest Sponsor EPPN
CNR-1769 Cirrus: Add a cirrusGuest role
CNR-1770 Cirrus: Set primaryOU to ou=Guests
CNR-1772 Cirrus: Add person name from Cirrus JSON to PersonName table
CNR-1773 Cirrus: Add personal (social) email address to Email table
CNR-1722 Latest Apache HttpClient versions, included in recent Grails/SpringBoot apps, break REST HTTP Digest authentication
CNR-1622 Remove commas from the calnet sor person identifier in the CalNet SOR Person tool for a better copy and paste experience
CNR-1782 Create a batch job to reprovision people where current date > ASGN_END_DT
CNR-1784 AD: In-grace people should be disabled in AD, not deleted
CNR-1781 Upgrade SGS to Atomikos 4.0.6
CNR-1780 Upgrade to Camel 2.21.2 and ActiveMQ 5.15.5 within Grails plugins for BIDMS
CNR-1727 Create spa registry account/credentials and grant role to sorObjects endpoint for SPA SOR
CNR-1786 UCPath: Add support to SGS for querying multiple DDODS instances
CNR-1787 UCPath: Add support to SGS to listen on multiple UCPath real time message queues
CNR-1788 Make best effort in determining if person has employee or student in-grace roles during IdentifierBuilder phase and mark identifier as active if so
CNR-1790 In registry-provisioning-scripts legacy SIS role builder, remove anything looking at stale legacy SIS term data
CNR-1791 Confirm a legacy guest can use CAM to change or reset passphrase once legacy system has provisioned Guest to LDAP
CNR-1792 Get CAM forgot passphrase working for legacy guests
CNR-1793 Remove Change Personal Email Address functionality for legacy guests in CAM
CNR-1794 Remove Change CalnetId functionality in CAM for legacy guests
CNR-1783 registry-provisioning needs Spring Security authn/authz added for url protection

October 31, 2018, 6:00 am

This release is a migration of the ldap.berkeley.edu LDAP service to DS 6.0.  This is a major upgrade to the LDAP server software and will complete our migration to the latest version.  In addition to this upgrade the LDAP SSL public certificate will change.  It will be important for developers whose applications do not trust the Comodo root CA to update their applications manually.  We will post the new certificate ahead of the upgrade. CMR: CHG0032027

Services Affected

  • LDAP

October 24, 2018, 6:00 am

This release is a migration of the dir.calnet.berkeley.edu LDAP service to DS 6.0.  This is a prerequisite step to change CHG0032027.  This upgrade will allow us to implement the updated certificate and test the latest LDAP server software upgrade on the cluster that will become ldap.berkeley.edu on October 31. CMR: CHG0032031

Services Affected

  • LDAP

October 18, 2018, 9:30 pm

Users going in to grace starting will continue to be required to 2-Step until they expire or move to ADVCON. Users in ADVCON who are currently doing the 2-Step will no longer be required. CMR: CHG0032049

Services Affected

  • CalGroups
  • 2-Step

October 1, 2018, 10:00 am

The Access Control Instruction (ACI) for the anonymous bind account will be changing starting on October 1, 2018. Currently the ACI permits access to many attributes [1] anonymously, but starting October 1, 2018, access to the berkeleyEduAffiliations attribute will be removed. After further review by various campus security and functional units, further access restrictions are likely to happen at a later date. See Changes to LDAP Binds for more information. CMR: CHG0031961

Services Affected

  • LDAP

September 30, 2018, 8:00 am

This release is to upgrade the nodes behind the dir-auth LDAP cluster to DS 6.0, apply OS security patches, and apply a new SSL certificate.  These nodes support CAS and Shibboleth. CMR: CHG0032023

Services Affected

  • LDAP
  • CAS
  • Shibboleth

September 28, 2018, 7:30 am

This release fixes a bug that is causing accounts in grace to be deleted in AD. This will require a Tomcat restart, which will result in an outage of appox. 30 seconds. CMR: CHG0032030

Services Affected

  • Active Directory
  • Registry-p1
  • SOR Gateway Service
  • Berkeley Person Registry

September 26, 2018, 9:oo pm

This release is a routine patch of the OS/JVM on the CalNet Grouper and Shibboleth VMs. CMR: CHG0032009

Services Affected

  • CalGroups
  • Shibboleth

September 25, 2018, 7:00 am

This release is a change to the CAS screen for students not enrolled in 2-Step, and changes to CalGroups to support the last step of the Student 2-Step project. CMR: CHG0032016

Services Affected

  • CalGroups
  • CAS

September 20, 2018, 6:30 am

This release is an upgrade to the nodes behind the dir-bpr LDAP and application of OS security patches. CMR: CHG0032001

Services Affected

  • LDAP
  • Berkeley Person Registry

September 19, 2018, 8:30 am

This release is a routine OS patching for RHEL for dir-os-p* VMs at SDSC. CMR: CHG0032007

Services Affected

  • LDAP

September 5, 2018, 6:00 pm

This release is a reboot of calnet-p2/net-auth-p2 to install a new OS kernel. It will primarily impact users of the krbsync pw sync to AD tool. A brief (< 5 min) outage will occur. Any adverse risk is low since the change can be reverted quickly if needed. CMR: CHG0031976

Services Affected

  • Active Directory

August 30, 2018, 8:30 pm

We will apply OS patches and also apply a required certificate update on the Apache ActiveMQ server used by CalGroups and the Berkeley Person Registry. - Changes made to CalGroups during this maintenance window may be slightly delayed to downstream systems (eg AD, Google).  Changes will resume after AMQ is back up. CMR: CHG0031963

Services Affected

  • CalGroups
  • Berkeley Person Registry
  • Downstream systems

August 26, 2018, 9:00 pm

This release updates  2-Step notification CAS UI for students not enrolled in 2-Step. CMR: CHG0031967

Services Affected

  • CAS Login Screen

August 24, 2018, 3:30 pm

This emergency release includes security patches for the OS as well as a revised krbsync app. CMR: CHG0031962

Services Affected

  • Active Directory

August 9, 2018, 6:30 am

This substantial release includes updates and bug fixes to many CalNet services, as well as updates to CalNet's UC \Path development. CMR: CHG0031910

Services Affected

  • Active Directory
  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry
  • Registry Service
  • SOR Gateway Service
  • UCPath

Tickets Resolved

TicketComment
CNR-1515 Modify registry-service to call bidms-downstream AD change password REST endpoint at the same time it calls krbservice to set Kerberos password
CNR-1591 Resolve all duplicate calnetIds in our systems
CNR-1598 There may be reg-serv, CAM or CAT Quartz jobs that need to be disabled on bpr-t2
CNR-1623 Upgrade everything to Grails 3.3.x
CNR-1631 merge delete SORObject cascade exception
CNR-1647 Sync BPR display name changes to AD
CNR-1653 no more ou=students, send students to fsa
CNR-1654 ActiveMQ Derby transaction log is growing beyond what it should
CNR-1658 For ActiveMQ, get embedded Derby listening on a network port so we can connect to it externally with the Derby client
CNR-1659 delete expired people out of AD
CNR-1660 UCPath: Build UCPath DDODS queries
CNR-1661 UCPath: Add UCPath DDODS queries to Sor Gateway Service
CNR-1668 UCPath: Once HCM identifier name becomes known in external_identifiers, modify sor-key-data-extractor to parse out
CNR-1670 UCPath: Create IdentifierTypes for different UCPath environment EMPLIDs
CNR-1671 UCPath: Add berkeleyEduUCPathID and berkeleyEduUCPathDevID to dev LDAP schema
CNR-1672 UCPath: Add UCPath EMPLID to identifiers (crosswalk) service for different UCPath environments
CNR-1673 UCPath: Modify registry-prov-scripts to provision UCPath EMPLID to Identifiers table
CNR-1674 UCPath: Modify reg-prov-scripts to add berkeleyEduUCPath<ENV>ID to the LDAP DownstreamObject JSON
CNR-1675 UCPath: Investigate which HCM table has values that end up in employee berkeleyEduAffiliations in LDAP
CNR-1678 UCPath: Add mock UCPath DDODS SORObjects to registry-mock
CNR-1679 UCPath: Need to add DDODS "source" to DDODS SORObjects
CNR-1680 UCPath: Find out how HCM APPT_TYPE and ORG_NODE are going to be converted in UCPath
CNR-1681 UCPath: Modify reg-prov-scripts to add ucPathIds to Identifiers table
CNR-1682 UCPath: Figure out overall isActive logic for the UCPath Identifier
CNR-1683 UCPath: Figure out primary job logic
CNR-1684 UCPath: Add PS_UC_LL_EMPL_DTL to query for UC_HOME_DEPT_CD
CNR-1685 UCPath: Add PS_UC_JOB_CODES to query for UC_FACULTY_INDC
CNR-1686 UCPath: Replicate the EDW CUR_REC_FLAG for UCPath JOBS by adding an IS_EFFECTIVE flag
CNR-1687 UCPath: Need to figure out how future-dated appointments are presented in UCPath: EFF_DT/EFFSEQ?
CNR-1688 UCPath: Possibly add PS_PRIMARY_JOBS to query for PRIMARY_FLAG
CNR-1689 UCPath: The methods in reg-prov-scripts UcPathUtil need to be extensively tested with UCPath sample data
CNR-1690 UCPath: Add a CAMPUS_SOLUTIONS_STUDENT_ID identifier to Identifiers table and to identifiers service
CNR-1693 Start-of-grace email that goes out is showing the start of grace date to be one day earlier than it should
CNR-1694 UCPath: Need to enable the isActive logic in registry-sor-key-data
CNR-1695 UCPath: Build list of tables being queried so that service acct access can be requested for these tables
CNR-1697 UCPath: rps DOB builder
CNR-1698 UCPath: rps job builder
CNR-1699 UCPath: rps role builder
CNR-1700 UCPath: Add employee class roles based on the EMPL_CLASS codes and descriptions
CNR-1701 UCPath: Logic to turn UCPath state into LDAP berkeleyEduAffiliations and part of masterAccountStatus calculation
CNR-1702 AD renaming errors on certain type of entries
CNR-1703 change log message when receiving a CS EMPLID change message and the SORObject remains unchanged
CNR-1704 UCPath: reg-prov-scripts UcPathTypeMapper needs to gain awareness of UCPath POI/CWR affiliate types
CNR-1705 UCPath: Add documenting comments to top of the UcPathRoleBuilder.build() method
CNR-1706 UCPath: reg-prov-scripts needs to set title code and deptartment attributes in LDAP sourced from UCPath
CNR-1708 UCPath: In reg-prov-scripts PersonRoleExecutorSpec there are some commented out ucpath test cases that need to be looked at
CNR-1715 bidms-downstream AD CANT_ON_RDN error
CNR-1716 reg-prov-scripts: Set samAccountName to uidUID# for anybody with "system" as calnetId as this is not an allowed samAccountName
CNR-1720

Suppress noisy "Purging orphaned entry" messages in sor-gateway-service log


August 8, 2018, 9:00 am

Unneeded Access Control Instructions (ACIs) have a negative impact on performance, so we are removing several from the OpenDJ production LDAP tier. This requires no downtime for the affected hosts.

Services Affected

  • CalNet systems such as CAS and Shibboleth,and BPR

August 1, 2018, 7:00 am

We will be removing access to affiliations from anonymous LDAP binds on August 1, 2018. This will improve the security of anonymous searches. Click here to find out how this impacts your service. CMR: CHG0031713

Services Affected

  • All campus applications that use an anonymous LDAP bind

Tickets Resolved

TicketComment

LDAP-3

Update ACI for anonymous binds


Jul 24, 2018, 4:30 pm

This release is a patch to CalGroups. The service will remain up while the patching happens, since the servers are redundant. Potential affected users are campus employees. CMR: CHG0031888

Services Affected

  • CalGroups

Tickets Resolved

TicketComment
CG-168 Install CalGroups Patch

May 29, 2018, 6:00 am

This release will update the OS and JVM for the BPR stack (registry-p1, amq-p1, bpr-p1). This will result in a brief 5-min outage for public CalNet applications such as  CalNet Account Manager (CAM). CMR: CHG0031688

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

May 23, 2018, 5:30 pm

This release includes updates to language in account lock/unlock and new account/change ID screens in CalNet Admin Tool and CalNet Account Manager. CMR: CHG0031701

Services Affected

  • CalNet Admin Tool
  • CalNet Account Manager
TicketComment

CM-427

Update language in account lock/unlock messages

CM-424

Update account language in Create ID and Change ID screens to reflect auto bMail provisioning


May 21, 2018, 5:15 pm

This release changes the way affiliations are filtered in CalNet Account Manager. CMR: CHG0031704

Services Affected

  • CalNet Account Manager

Tickets Resolved

TicketComment

CNR-1692

Filter affiliations list in CalNet Account Manager


April 4, 2018, 7:00 am

This release includes bug fixes and upgrades to the CalNet stack and changes to AD provisioning scripts. CMR: CHG0031553

Services Affected

  • Berkeley Person Registry
  • Active Directory

Tickets Resolved

TicketComment

CNR-1650

Turn off ActiveMQ journal

CNR-1611

Fix regression on the performance of an individual ldapSync queue message consumption

CNR-1595

Fix bidms-downstream provision changed identities quartz job exception

CNR-1651

A registry-model uniqueness exception is now getting thrown

CNR-1644

Stop BPR provisioning of SPAs to AD


March 26, 2018, 5:00 am

During the 5 to 5:15 am window a 5-min outage of all CalNet services (CAS, Shib, LDAP, etc.) will occur as firewall services are migrated. CMR: CHG0031513

Services Affected

  • CAS
  • Shibboleth
  • LDAP
  • Berkeley Person Registry

Tickets Resolved

TicketComment

OPS-401

Move CalNet networks from ASA to Palo Alto firewall service.


March 16, 2018, 6:00 am

This release updates the target date on the 2-Step notification CAS UI. CMR: CHG0031507

Services Affected

  • CAS Login Screen

March 14, 2018, 5:00 pm

This release was completed on March 15, at 7am. It included updates and new functionality to CalNet Account Manager and CalNet Admin Tool. CMR: CHG0031508.

Services Affected

  • CalNet Admin Tool
  • CalNet Account Manager
  • Berkeley Person Registry
  • bConnected

Tickets Resolved

TicketComment
CNR-1641 Add database constraint to enforce that CREDMGMT (and LDAP/AD) sorObjKeys must match the uid
CNR-1620 Modify CalNet SOR Person tool to trigger a provision for newly created or updated accounts
CAT-163 Call bConnected API to lock Google account when CalNet account is locked
CAT-165

Create new CAT User Role


March 7, 2018, 5:00 pm

This release is a patch to the Active Directory provisioning code.  CMR: CHG0031506.

Services Affected

  • Active Directory

Tickets Resolved

TicketComment
CNR - 1640

AD provisioning change


March 4, 2018, 6:00 am

This release contains regular updates for the nds-p* nodes in the ldap.b.e cluster, including patches for OpenDJ, OpenJDK, and RHEL. CMR: CHG0031454

Services Affected

  • Users of the ldap.b.e cluster

February 24, 2018, 6:00 pm

This release resolves a known issue in which new AD accounts are not getting enabled when CalNet account is claimed. CMR: CHG0031477

Services Affected

  • Active Directory

Tickets Resolved

TicketComment
CNR - 1634 Reports of userAccountControl in AD not going active when account goes active

February 21, 2018, 6:00 am

This release updates the URL for the sign-up link on the 2-Step notification CAS UI. CMR: CHG0031464

Services Affected

  • CAS Login Screen

February 15, 2018, 6:00 am

This CAS release updates the notification message displayed by the auth.b.e cluster for 2-Step Cohort 1 not yet in CalNet 2-Step. CMR: CHG0031451

Services Affected

  • CAS Login Screen

February 13, 2018, 7:00 am

A Tomcat restart is required to change configuration to enable Two-Step during account claim for anyone in the RequiredMinusExemptFromReq group. CMR: CHG0031456

Services Affected

  • CalNet Account Manager

February 06, 2018, 7:00 am

In this release, Berkeley Person Registry will start provisioning records to CalNet Active Directory. CMR: CHG0031380

Services Affected

  • Berkeley Person Registry
  • All services that use CalNet Active Directory (AD)

February 03, 2018, 7:00 pm

This release includes updates to CalNet Account Manager and Registry Service in support of the 2-Step project. CMR: CHG0031410

Services Affected

  • account-manager
  • bidms-downstream
  • calnet-admin-tool
  • calnet-people
  • registry-match-service
  • registry-provisioning
  • registry-service
  • registry-sor-gateway
  • ucb-match

Tickets Resolved

TicketComment
CM-403 Modify 2-Step page in CAM to remove opt-out
CM-404 Create workflow for requiring 2-Step of new employees during account claim process
CM-406 For a non-mandatory two-step enroller, the get backup passcodes button remains greyed out (disabled) even after adding a device
CM-408 Modify BPR QA environment to use group-test instead of production grouper
CM-409 Modify CAM to also consider HCM affiliations along with Allow2StepUserTest membership
CM-410 CAM two-step needs more complete audit logging
CM-411 CAM two-step needs to show end user decent error messages when duo or grouper services fail
CM-412 Unable to type in "Create your CalNet ID" field
CM-413 Ability in CAM to mock Grouper for test environments by bypassing it and going directly to LDAP
CM-415 Make requiring employees to two-step during claim configurable and turn it off for now
CNR-1369 Convert to using central Tomcat JNDI database connection pool to stay under our PostgreSQL connection limits
CNR-1589 bypass-the-match-engine queue is throwing exception in reg-prov
CNR-1629 Every project needs its version and group put into gradle.properties
CNR-1630 Publish WAR files to Maven repo for all BIDMS web applications
WA-55 Create a calnetSwitch to replace buggy bootstrapSwitch

February 1, 2018, 6:00 am

The legacy auth-key.berkeley.edu (Second-level) CAS server will be turned off. This legacy server has been replaced by CalNet 2-Step Verification. CMR: CHG0031248.

Known Services Affected

  • OSCAR II

February 01, 2018, 6:00 am

This release will be an upgrade to the CAS server cluster (auth.b.e) to the Apereo CAS release (5.0.10) with some custom UC Berkeley mods. This affects all CAS- and Shibboleth-integrated apps.

Update: The new version of CAS is now up in auth-test. It is a minor change that should not affect any existing integrations, but we recommend testing your applications well before February 1 to be certain it functions as anticipated. CMR: CHG0031216

Services Affected

  • CAS
  • Shibboleth

January 9, 2018, 9:00 pm

This release is a patch of CalGroups servers. Since the servers are redundant, there will be no user level outage on CalGroups, however, there will be a brief lag in syncing updates to LDAP, AD, and Google. Affected user base will be employees. Affected systems are SPA Admin app and MyCalNet, related to CalNet 2-Step. CMR: CHG0031223

Services Affected

  • CalNet Account Manager
  • SPA Admin App
  • CalGroups

January 04, 2018, 7:00 am

On 1/4/18, the reset passphrase token app will require CalNet 2-Step to log in. CMR: CHG0031275

Services Affected

  • Token app

Back to Top


December 13, 2017, 8:00 am

In this release, the option to automatically send a push to a phone will be disabled since it prevents users from enabling the Remember Me option. CMR: CHG0031246

Services Affected

  • CalNet Account Manager
  • SPA Admin App
  • CalGroups

November 27, 2017, 6:00 am

Apply security and other updates to the OS and JVM for the BPR prod tier (amq-p1, registry-p1, and bpr-p1). A brief outage while systems are restarted will be required during the maintenance window. CMR: CHG0031177

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

November 15, 2017, 5:00 am

The Berkeley Person Registry postgres database will be upgraded on 11/15/17, 5am.  Outage expected from 5am-6am. Additional details forthcoming. CMR: CHG0031129

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool
  • CalNet Crosswalk

November 6, 2017, 9:00 pm

We will be upgrading the OS and the Shib-Cas plugin. It will be a rolling upgrade, so no downtime is expected. The Shibboleth IDP service is used by the entire campus for access to apps like Google, Box, and CalTime. CMR: CHG0031116.

Services Affected

  • Shibboleth

Tickets Resolved

TicketComment
OPS-385

Upgrade Production Shibboleth IDP


November 1, 2017, 7:00 am

CalNet 2-Step required for all IST employees and users of CAT effective November 1, 2017. CMR: CHG0031128

Services Affected

  • CAS
  • CalNet Admin Tool

October 29, 2017, 6:00 am

Perform a rolling patch and upgrade to the RHEL 7.x OS, OpenJDK JVM, and OpenDJ LDAP servers dedicated for use by CAS and Shibboleth. CMR: CHG0031096

Services Affected

  • CAS
  • Shibboleth

Tickets Resolved

TicketComment
OPS-384

Upgrade OS, JVM, and OpenDJ for dir-auth.calnet.1918.b.e cluster


October 25, 2017, 7:00 am

This release includes upgrades to how CalNet sets passphrases, CalNet Account Manager, Grails 3.2.11, registry provisioning, work in support of a new AD structure, and changes to how records are consolidated. Changes released to QA 10/9/17.CMR: CHG0031112

Services Affected

  • CAS
  • CalNet Admin Tool
  • CalNet Account Manager
  • LDAP
  • Berkeley Person Registry
  • SOR Gateway Service
  • Registry Service

Tickets Resolved

TicketComment
CM-386 Passphrase work
CM-387 Modify CAM to use the new bidms-credential-policy plugin that centralizes passphrase validation
CM-389 Passphrase related to CAM
CM-391 CAM is giving generic "system error" 
CM-394 Change CAM Menu text
CM-395 CAM Lib update
CNR-1367 Provision from BPR to Active Directory
CNR-1415 SGS needs to set uid on LDAP and AD SORObjects rather than waiting until LdapSync does it
CNR-1497 Add a configuration item to enable/disable AD provisioning in bidms-downstream
CNR-1498 Add a configuration item to enable/disable creation of AD DownstreamObjects in registry-provisioning-scripts
CNR-1504 immediate entryUUID retrieval is not working in prod after an insert or rename
CNR-1518 Create "dynamic attribute" feature for bidms-connectors
CNR-1532 Bug in reg-prov-scripts for AD where dn.ONCREATE has "CN=null" in it for uids with no name
CNR-1536 bidms-downstream provision changed identities quartz job is throwing an exception
CNR-1537 Need ability in reg-prov to create AD downstreamobjects but not send messages to downstream AD queue
CNR-1538 When setting AD DownstreamObject userAccountControl DISABLE, TrackStatus lock flag is being checked, but what about Person.isLocked?
CNR-1540 Access to bidms-downstream quartz/list web page is being denied
CNR-1541 AD userAccountControl has to be 546, not 512, on CREATE for active users
CNR-1542 Check for invalid characters in AD CN since it's part of the DN
CNR-1544 Remove primaryGroupID from AD DownstreamObject
CNR-1545 Remove guests from list of users provisioned to AD
CNR-1546 Set AD CN to Display Name (UID)
CNR-1547 CS SORObjects have some badly-structured JSON in them
CNR-1548 CAT and CAM can no longer download Bower assets
CNR-1549 Improve the performance of CredentialTokenService
CNR-1551 CAT and CAM are trying to use same Greenmail ports in dev and test environments
CNR-1564 SGS REST endpoint that serves same purpose as JMS SORObjectJSONQueue
CNR-1569 Add audit logging support to registry-provisioning NewUidController and ProvisionController
CNR-1573 SGS endpoints need to be protected with spring security
CNR-1575 mleefers requesting AD street address go into a different attribute
CNR-1576 mleefers requesting two-letter instead of three-letter country code
CNR-1577 Modify registry-match-service triggerMatch endpoint to return uid if it's assigned
CNR-1578 need to proxy SGS sorConsume REST calls through registry-service for networking security reasons
CNR-1579 When deleting entries, bidms-connectors LDAP needs to check for and delete "subordinate" entries
CNR-1580 match-service triggerMatch endpoint needs to recognize synchronousDownstream=false
CNR-1581 Support sending uid in the JSON payload in the sorObjects controller to match new sorObjects with existing uids
n/a upgrade to Grails 3.2.11
n/a Passphrase work
CM-400 Updates to change ID email language

October 6, 2017, 7:30 am

This release prevents enablement of CalNet 2-Step with a smart phone until after the Duo Mobile App has been verified to have been installed on the smart phone. CMR: CHG0031064

Services Affected

  • CalNet Account Manager
  • Duo 2-Step

Tickets Resolved

TicketComment
CM-399

Update hasDevices logic to make sure Duo account is active.


September 19, 2017, 6:00 pm

This release updates the merge function in CalNet Admin Tool. CMR: CHG0031005

Services Affected

  • CalNet Account Manager
  • Registry Service

Tickets Resolved

TicketComment
CAT-169

During merges, don't copy delete.credmgmt.calnetId if keep.ldap.beKerbPrincStr is present


September 14, 2017, 6:00 pm

This release fixes a bug and updates the CalNet Admin Tool. CMR: CHG0030992

Services Affected

  • CalNet Account Manager

Tickets Resolved

TicketComment
CAT-154

Enable X-FORWARDED-FOR header for auth.calnet.b.e

CAT-157

CAT needs modifications to work with latest ucb-spring-security-cas-ldap

CAT-158

Error when consolidating records in CAT


September 9, 2017, 9:00 am

We will be changing our SLB config to allow HTTP templates for the Auth.b.e VIP. We will give ourselves a 30 min window to do the work, and there will be a few seconds downtime as the SLB saves and responds to the new configuration. The change will happen Saturday morning, September 9, from 9 - 9:30 am. This affects any server using the campus SSO and the entire campus population. This change was tested successfully with the SDSC DR and BR CAS cluster. CMR: CHG0030879

Services Affected

  • CAS

Tickets Resolved

TicketComment
CAS-5

Enable X-FORWARDED-FOR header for auth.calnet.b.e


August 26, 2017, 6:00 am

To support new CalNet 2-Step users starting Monday, a new CAS server build with help text for Duo 2-Step is deployed. CMR: CHG0030956

Services Affected

  • This affects all CAS users, but the change is only additional help text show at the Duo 2-Step prompt.

August 10, 2017, 7:00 pm

This release includes fixes and updates to CalNet Account Manager and CalNet Admin Tool as well as an upgrade to Grails 3.2.11. CMR: CHG0030913

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

Tickets Resolved

TicketComment
CAT-154

CAT is displaying a "null" in the list of affiliations for all records.

CM-384

Update 2-Step Email notification to stop Google Phishing warning.

CNR-1454

New employee can't claim CalNet ID

N/A

Upgrade to Grails 3.2.11


July 28, 2017, 3:00 pm

This release replaces the CalNet OpenIDM. OpenIDM will be turned off and Downstream Provisioner will write directly to LDAP. CMR: CHG0030864

Services Affected

  • SOR Gateway Service
  • Registry Provisioning
  • Registry Provisioning Scripts
  • Downstream Provisioner
  • OpenIDM
  • LDAP

Tickets Resolved

TicketComment
CNR-1419

Replace OpenIDM with a new downstream provisioning system

CNR-1490

If in grace but affiliations are unknown, set primaryOu to existing LDAP ou 

CNR-1493

DownstreamProvisioningRESTClientService.provisionUid is throwing exceptions 

CNR-1494

sor-gateway DailyHashAndQueryJob is throwing exception 

CNR-1492

bidms-downstream LDAP schema violation exceptions 

CNR-1495

Registry-d1 sor-gateway is throwing a start-up exception related to oracle db connection 

CNR-1489

Removal of calnetId is causing an exception in registry-provisioning-scripts 

CNR-1476

bidms-downstream is reporting bad avg batch time values in the timing statistics 

CNR-1477

bidms-downstream sometimes can't find uid in LDAP but when a LDAP write is attempted, NameAlreadyBoundException is seen 

CNR-1484

bidms-downstream seeing OpenDJ errors sometimes with namespace changes 

CNR-1464

Change capitalization to berkeleyEduUnitHRDeptName in DownstreamObject JSON 

CNR-1465

Don't send audit log entries to the app log, as it's already logged in audit log file 

 CNR-1466

Create DownstreamObjects for LDAP namespace entries 


July 26, 2017, 6:00 am

This release will patch the production MIT Kerberos cluster. A brief outage of about 1 minute per node will occur. Some Kerberos clients will automatically fail over to the slave KDC when this happens. CMR: CHG0030836

Services Affected

  • CAS

July 19, 2017, 6:00 am

This release will update OS to RHEL 7.x and latest application libraries on the calnet.b.e web server, which includes the Directory Update Application. CMR: CHG0030822

Services Affected

  • Directory Update Application

July 18, 2017, 7:00 am

This release fixes an error in the CalNet Admin Tool and also changes what information is displayed in the tool. CMR: CHG0030863

Services Affected

  • CalNet Admin Tool

Tickets Resolved

TicketComment
CAT-133  Delete "Empl ID" field from basic info
CAT-150 Remove OU from CAT
CAT-152 CAT Throwing a MissingProperty Error

July 12, 2017, 6:00 am

This release will patch RHEL 6.x and the JVM for the idc.b.e application cluster. CMR: CHG0030818

Services Affected

  • CalNet self-service applications on the idc.b.edu cluster, such as Guests, SPAs, and Access Keys

June 28, 2017, 6:00 am

This release reconfigures the CAS auth.b.e servers to not do SSO for the base /cas/login URL if no service parameter is provided. This change is considered a security best practice. CMR: CHG0030793

Services Affected

  • All campus CAS users, especially those using 2-Step Verification

June 21, 2017, 6:00 am

This release is a rolling upgrade of the production CAS Server to fix intermittent degradation of service due to load and a known bug in the 5.0.4 server. CMR: CHG0030785

Services Affected

  • CAS

June 15, 2017, 6:00 am

This release is a rolling upgrade of the production CAS Server cluster to release 5.0.6 with bug fixes and some additional custom UI fixes. CMR: CHG0030749

Services Affected

  • CAS
  • Shibboleth

June 12, 2017, 6:00 am

In this release, CalNet will migrate net-auth.berkeley.edu to RHEL 7.x from 5.x. 15-min planned outage affecting campus customers of the Berkeley Person Registry identity management applications CalNet Admin Tool and CalNet Account Manager. CMR: CHG0030742

Services Affected

  • net-auth.berkeley.edu
  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

June 8, 2017, 2:00 am

This release includes updates to CalNet Account Manager. Changes to CAM will be visible only to users who have been granted access to CalNet Two-Step beta testing. CHG0030750.

Services Affected

  • CalNet Account Manager

Tickets Resolved

TicketComment
CM-344 2FA Login
CM-345 Pilot implementation of 2FA admin iFrame
CM-351 Add page headers to CAM pages
CM-352 2FA documentation
CM-353 Restrict who can see 2-Step Verf in the menu
CM-354 2-Step form edits for the instructions
CM-356 Changes to 2-Step Form Based on User Feedback
CM-357 Turn on 2-Step Switch Automatically
CM-358 Do not ask for pw on the 2-Step Switch
CM-359 Don't ask for pw on the Get Backup Passcodes request
CM-360 Get Backup Passcodes Screen Changes
CM-361 2FA Form Format and Color Changes
CM-362 Changes to New Enrollment Instructions
CM-363 Change 2-Step Switch Title
CM-364 Changes to Manage Your Devices - Help Text
CM-367 Send email when generating backup codes
CM-368 Add link to privacy statement in the footer
CM-370 Change language on passphrase reset screen
CM-371 reduce UC Berkeley logo
CM-372 Delete numbers on the items in the Help Section
CM-373 2 Step Switch Format Change
CM-374 Backup Passcodes Format Change
CM-375 Reduce Duo iFrame height
CM-376 Add line spaces
CM-377 2 Step Switch Confirmation Messages
CM-378 Changes to Get Backup Passcodes Page
CM-379 cross-site request forgery protection?
CM-381 Change font-size and weight in help headers
CM-382 Move on/off + passcode button closer to text

June 6, 2017, 9:00 pm

This release is a minor upgrade of the Shibboleth IDP to version 3.3.1 and the Shibcas connector. There is no expected downtime, though we have an hour window to complete the work. Affected systems include any using the Shibboleth IDP for authentication. Students, staff, and faculty could potentially be affected. Site examples include most off-campus services like Google, ServiceNow, Learning Center, Salesforce, and Box.

The Shibcas connector upgrade will fix the error messages displayed to a user readable message rather than the current code dump. CMR CHG0030731.

Services Affected

  • Shibboleth
  • Any using the Shibboleth IDP for authentication

Tickets Resolved

TicketComment

SHIB-1

Minor Shibboleth IDP upgrade - 3.3.1, Shibcas

May 18, 2017, 10:00 pm

This emergency CAS Server release fixes the regression affecting some campus applications using SPAs. No outage is expected as we will do a rolling restart of the cluster nodes. CMR: CHG0030704

Services Affected

  • CAS
  • Special Purpose Accounts

May 16, 2017, 10:00 am

This release is a rolling restart for CAS, no outage expected. CMR: CHG0030697

Services Affected

  • CAS

May 15, 2017, 6:00 am

Begin testing on April 7, 2017

This release is the final step in migration to CAS Server 5.0.4. We are upgrading the Apereo CAS servers at UC Berkeley from version 4.1.x to 5.0.4 with some additional features deployed, with the help of Unicon(link is external), one of the major contributors to the CAS project(link is external). CMR: CHG0030513

The QA tier will be updated on April 7 to allow for testing. To test, point your QA CAS client application at the auth-test.berkeley.edu DNS name. The previous QA nodes (cas-t1/t2) will remain available for a transition period as individual nodes. Please be sure to test your application before May 15.

Find additional details about this upgrade on our website: Migration to CAS Server 5.0.4

Services Affected

  • CAS

May 10, 2017, 6:00 pm

This release provides improved audit logging of account events for integration with Security Operations monitoring. CMR CHG0030673.

Services Affected

  • Berkeley Person Registry
  • CalNet Admin Tool
  • CalNet Account Manager

Tickets Resolved

TicketComment

CNR-1416

CAM/CAT/reg-service events log


May 5, 2017, 4:15 pm

This release fixes a condition that is causing SGS LDAP imports to fail and removes case-sensativity from email address field in CalNet Account Manager.

Services Affected

  • Berkeley Person Registry

Tickets Resolved

TicketComment

CNR-1462

OpenDJ objects that start with entryuuid= are causing SGS LDAP imports to fail

CM-342

Reset passphrase recovery case insensitive email lookup

May 5, 2017, 10:00 am

This release changes the logic CalNet uses to determine expiration dates and fixes a condition that causes provisioning exceptions. CMR: CHG0030628

Services Affected

  • Berkeley Person Registry

Tickets Resolved

TicketComment
CNR-1451 Update expiry logic
CNR-1460 Provisioning exceptions

May 4, 2017, 5:00 pm

This release fixed a bug in which stale cache was preventing new employees from claiming a CalNet account.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager

Tickets Resolved

TicketComment
CNR-1454 Stale cache - production restart required

April 26, 2017, 5:15 am

In this release a number of CalNet applications are being upgraded to use the Grails 3 framework. This release will be deployed to QA on April 10, 2017. CMR CHG0030578.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • SOR Gateway Service
  • Registry Provisioning
  • Registry Rest Service

Tickets Resolved

See April 19, 2017 release for complete list of ticket resolved.


April 19, 2017, 7:00 am

In this release CalNet Admin Tool is being upgraded to use the Grails 3 framework. This release will be deployed to QA on April 10, 2017. A second release on April 25 will upgrade Berkeley Person Registry and CalNet Account Manager to use the Grails 3 framework. CMR CHG0030548.

Services Affected

  • CalNet Admin Tool

Tickets Resolved

TicketComment
CAT-134 Convert to Grails 3.x
CM-161             Upgrade CAM to Grails 3.x
CNR-1275 Migrate grails-external-groovy-plugin to Grails 3.x
CNR-1276 Regression: Between Groovy 2.4.4 and Groovy 2.4.5 (Grails 3 uses .7) a change was made that as reintroduced a memory leak to external-groovy
CNR-1277 Migrate sor-key-data plugin to Grails 3.x
CNR-1278 Migrate registry-provisioning-scripts to Grails 3.x
CNR-1280 Migrate registry-model plugin to Grails 3.x
CNR-1281 Migrate grails-gorm-util-plugin to Grails 3.x
CNR-1282 Migrate registry-commons to Grails 3.x
CNR-1283 Migrate grails-domain-utils-plugin to Grails 3.x
CNR-1286 Migrate groovy-hashchode-ast to Groovy 2.4.7
CNR-1296 Migrate grails-render-json-plugin to Grails 3.x
CNR-1316 Migrate groovy-sql-util to Grails 3
CNR-1347 Update sorQuery script to accept a SORObjectKey (Grails 3 branch)
CNR-1353 Migrate mock-registry to Grails 3
CNR-1360 Migrate ucb-messaging plugin to Grails 3.x
CNR-1361 Migrate the UCB fork of the grails-routing plugin to Grails 3.x
CNR-1363 Grails 3 registry-model jobAppointments collection not being persisted when person is saved and not being retrieved when person is loaded
CNR-1365 For registry-model Grails 3 branch, type: JSONBType, sqlType: 'jsonb' in mapping is not working
CNR-1368 Property injection into Provision object is not working on Grails 3 branch
CNR-1372 Migrate registry-provisioning to Grails 3.x
CNR-1373 Migrate rest-client-builder-digest-auth to Grails 3.x
CNR-1374 Grails 3 Spring Boot in conjunction with registry-settings is complaining of multiple jms connection factories
CNR-1375 Grails 3 registry-settings doesn't seem to be merging config correctly
CNR-1378 Grails 3 reg-prov: no log output is being produced
CNR-1382 Figure out why grails 3 reg-prov wiped out the database at start-up
CNR-1383 Grails 3 reg-settings needs to set dbCreate to not delete by default
CNR-1384 Migrate sor-gateway-service to Grails 3.x
CNR-1385 Migrate ucb-match to Grails 3.x
CNR-1386 Migrate registry-match service to Grails 3.x
CNR-1391 Migrate registry-rest-client to Grails 3.x
CNR-1393 Migrate registry-service to Grails 3.x
CNR-1394 Migrate rest-queryfilter-plugin to Grails 3.x
CNR-1397 Integration Hub is changing the development AMQ host
CNR-1399 Grails 3 reg-service is having odd transaction management problems
CNR-1401 Grails 3 reg-service doesn't need jmsTransactionManager/ChainedTransactionManager because it only produces JMS and JMS producers aren't transactional
CNR-1402 Grails 3 reg-settings: Add option to create JMS beans but skip the jmsTransactionManager if the app is only using JMS for producing messages
CNR-1403 Grails 3 reg-service still is using ChainedTransactionManager even after removing jmsTransactionManager
CNR-1404 Grails 3 reg-settings: Add an "enable multiple data source" option to reg-settings to work around a Grails 3 bug
CNR-1405 Grails 3 reg-prov's BootStrap.groovy isn't running
CNR-1407 Some Grails 3 registry-service integration tests aren't passing and have been @Ignored
CNR-1408 In order to get Grails 3 reg-service integration tests to pass, had to move setupSpec to setup, but this makes running tests very slow
CNR-1409 SorPeopleAssignmentServiceIntegrationSpec passing locally but is failing on Bamboo
CNR-1417 Grails 3 match-service isn't consuming the newUid queue
CNR-1420 Deadlock between match-service and call out to registry-provisioning's provisionUid in Grails 3 (but probably Grails 2 too)
WA-46 Move ucb-webapp-foundation to Grails 3.1.x
WA-49 Migrate ucb-twitter-bootstrap and ucb-twitter-bootstrap-fields plugins to Grails 3

April 4, 2017, 4:30 pm

This release provides a fix so that alumni already in OU = ADVCON do not get grace notification emails. CMR: CHG0030512

Services Affected

  • Berkeley Person Registry
  • LDAP Provisioning

Tickets Resolved

Ticket

Comment

CNR-1412

Users in ADVCON receiving grace notification emails


March 15, 2017, 3:00 am

This release resumes the CalNet account expiration process and implements grace period email notifications. This release requires a second restart at 6pm on March 16. CMR: CHG0030441.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • CalNet Admin Tool

March 14, 2017, 9:00 pm

Upgrade production shibboleth IDP (shib.berkeley.edu) to version 3.3.0. The upgrade will bring us to the current release and allow us to use the consent model. The change will take place during a change window on Tuesday, March 14, from 9 - 11 pm. The actual change will be within that time and will be a brief, approximate 15 sec delay. The service affects most campus users. CMR: CHG0030422

Services Affected

  • Shibboleth IDP
  • Any system using the Shibboleth IDP for attribute release / authentication

March 9, 2017, 3:00 am

This release includes work in support of the CalNet account expiration process, fixes a bug in CalNet consolidation and refines logic for changing CalNet IDs. This release was originally scheduled for March 8, 2017. CMR: CHG0030440

Services Affected

  • Berkeley Person Registry
  • LDAP Provisioning
  • CalNet Account Manager
  • CalNet Admin Tool

Tickets Resolved

Ticket

Comment

CNR-1371

Berkeley.edu email address should key of alternateIdEmailAddress

CNR-1366

Do not use BPR LDAP Display Name for full name

CNR-1364

Check hql in findPeopleExitingExpiry

CNR-1362

If a person does not have an @berkeley.edu account don't try to send additional emails.

CNR-1359

Registry Service gets wrong values from config in GraceServiceJob

CNR-1358

Refine logic for changing CalNet ID

CNR-1357

Grace Period Notify email still using calnet@berkeley.edu(link sends e-mail) FROM address

CNR-1356

Cannot format given Object as a Date Error

CNR-1349

CNR-1169 Filter out people who does not have a calnetId

CNR-1325      

Disallow future-dated startOfRoleGraceTimes in PersonRoleArchive table
Update provisioning code to set start grace time to current time when source data has a future end date but goes inactive

CNR-1322

CNR-1167 Make adjustments to Grace period jobs

CNR-1308

UIDold and Consolidation date not being written during CAT consolidations

CNR-1302

Send email notification for expired accounts that have been activated again

CNR-1293

CNR-1167 Check if person has berkeley email address before sending email


March 1, 2017, 1:00 am

This release includes minor edits and bug fixes for CalNet Account Manager and CalNet Admin Tool. Also introduces new features to CalNet Account Manager that display user's names and affiliations.  CMR: CHG0030408

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool

Tickets Resolved

Ticket

Comment

CM-334 

Edit CAM Footer

CM-333 

Edit CAM Account Info page

CM-331 

Re-enable change in CM-311

CM-311 

Show more info after user logs into CAM

CAT-118 

An Error Has Occurred message after consolidation in CAT

CAT-117 

Assigning someone SIS View privilege doesn't appear to work

CAT-44 

CAT-37 Make simple / advanced search

CAT-127 

Show more info for user

CAT-122 

CAT-118 Consolidation error bug


February 28, 2017, 5:30 pm

A restart of the PostgreSQL DB behind the prod Berkeley Person Registry (BPR) to allow more active connections will result in a brief outage to allow reconfiguration. Outage anticipated from 5:30pm-5:35pm on Tuesday, February 28. CMR: CHG0030418

Services Affected

  • Berkeley Person Registry

February 27, 2017, 1:00 am

Refining logic for CalNet ID change. Release is in support of new alumni email program.  CMR: CHG0030411

Services Affected

  • CalNet Account Manager

Tickets Resolved

Ticket

Comment

CNR-1358

Refine logic for changing CalNet ID


February 21, 2017, 6:00 am

This release is to patch the OS and JVM for the four servers comprising the CalNet Berkeley Person Registry (BPR) prod tier (registry-p1, bpr-p1, amq-p1, and idm-p2). CMR: CHG0030335

Services Affected

  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry

February 14, 2017, 8:00 pm

This release updates the production Grouper servers, which service calgroups.berkeley.edu, from version 2.2 to 2.3. The upgrade is a precursor to using a new provisioning UI.  CalGroups will be down during the upgrade due to a database upgrade.  CMR: CHG0030385

Services Affected

  • CalGroups
  • CalNet SPAs
  • LDAP Groups

Tickets Resolved

Ticket

Comment

CG-156

Upgrade production Grouper


February 1, 2017, 3:00 pm

This release includes fixes to improve memory usage and upgrading of dependencies. CMR: CHG0030348

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • LDAP

Tickets Resolved

Ticket                         

Comment

CAT-118

 An Error Has Occurred message after consolidation in CAT

CNR-1311

Convert bad HCM job-end dates that are set to 9999-12-31 to be null, which causes the Registry to write the current date as the start-of-grace-time when it encounters such a bad end date. 

CNR-1291

Don't write legacy guest system accounts to LDAP

CNR-1262

New ou determination logic based on roles (but back-port the "don't move to a lesser OU" work-around that was in the old code into the new code)

CNR-1197

Don't provision (IGNORE) to LDAP any new uid missing at least one-LDAP affiliation

CNR-1262

Fixes CNR-1193 and CNR-1256 (dupe of CNR-1193): Records in presir when they should be in ADVCON

CNR-1197

Fixes CNR-1184: Employee Only CS Record provisioned to presir ou because of partial HCM record

CNR-1262

Rewrite OU determination logic to key off of roles instead of identifiers


January 25, 2017, 5:00 am

This release was completed on January 26, 2017, and made additional changes to CalNet ID changing logic and enabled account expiration processes. CHG0030323

Services Affected

  • CalNet Account Manager
  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket

Comment

CNR-1285

Changing recoveryEmailAddress after changing calnetId should not rewrite calnetId

CNR-1267

When setting recovery email address, the oldCalnetId is overwritten with current calnetId in CREDMGMT SOR Object

CNR-1265

Prevent claiming CalNet IDs only defined in KDC

CNR-1239

Send a message to people who are in grace but never received an email

CNR-1217, CNR-1167 

Make cron job to send grace emails

CNR-1213

Track status object must have metadata field to store extra info

CNR-1191, CNR-1167

Create rest endpoint to send email

CNR-1169

Disable account when an account has expired

CNR-1298

LdapInformation endpoint

CNR-1304

Password error in account locking

CM-319

Users not able to claim CalNet IDs they already own in namespace

CM-323

Add custom link in full text to passphrase reset button

CM-327

Fix CalNet ID change screen

January 25, 2017, 3:00 pm

This release implements new Campus Solutions update code to accept real time messages via JMS queue and make database queries on demand for individual student records. It should allow new CalNet accounts to be created in near real time once all the appropriate record creation has been completed in Campus Solutions. Release also includes updates to Registry provisioning logic to support en- of-life account handling. CMR: CHG0030328

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • LDAP

Tickets Resolved

Ticket

Comment

(no CNR)

Fix setting a proper grace start date for the aggregate roles: masterAccountActive and ldapNoExpDate.

CNR-1287

Fix no students in Dev marked as registered

CNR-1292

Close out new Sql instances in an attempt to fix connection pool leak in SGS

CNR-1273

Upgrade SOR Gateway Service to Grails 2.5.5 

CNR-1272

Convert the Camel routes in SGS to use reliable-tx-camel 

CNR-1031

Convert sor-gateway-service to use JTA Transaction Manager 

CNR-1266

Consume CS "person basic sync" messages from IHub to trigger 'real-time' SGS EMPLID querying 

CNR-1297

Replace special 07/28/16 CS affiliation end dates with 01/01/1901 so real dates used instead from other SOR data 

CNR-1289

Create an expirationNotify role

January 8, 2017, 11:45 am

This release fixes a bug in the CalNet Account Manager, in which a CalNet ID change reverts if the user sets their recovery email address in the same session. CHG0030266. (This release rescheduled from 1/6/17, 5:00am).

Services Affected

  • CalNet Account Manager
  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket

Comment

CM-321

Change CalNet ID bug


January 6, 2017, 6:40 am

This Emergency SOR Gateway Service patch deploys a one-liner patch that adds 14 days to the calculation of last semester end date because Campus Solutions indicates the spring semester has started but they have not yet updated the registration service indicators to show spring instead of fall. This affects the berkeleyEduAffiliation: STUDENT-TYPE-REGISTERED value in LDAP.  Tomcat restart on registry-p1 is required. CMR: CHG0030268. (This relesase rescheduled from 1/6/16, 5pm).

Services Affected

  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket

Comment

CNR-1287

No students in Dev marked as registered

 Back to Top


December 19, 2016, 5:00 pm

This release includes functionality to support upcoming term changes, backend registry handling of grace periods, service indicators that prevent students from being unregistered, improvements to how HCM employees and alumni are provisioned, and clearing of stale berkeleyEduExpDates. CMR: CHG0030233

Services Affected

  • Berkeley Person Registry
  • Registry Service
  • LDAP

Tickets Resolved

Ticket

Comment

CNR-917

CNR-860 Determine current or future CS terms

CNR-970

CNR-860 Logic for determining start of next Fall or Spring term for -REGISTERED grace period

CNR-1016

Once CNR-970 taken care of, uncomment the commented code for SERVICE_INDICATOR term checks in CsPersonRoleBuilder

CNR-1189

Provisioning HCM accounts with appointment dates later than the entry date

CNR-1225

Add "is active" logic to HRMS and ADVCON key extractors

CNR-1226

Use "is active" key extractor logic to send HRMS and AVCON SORObjects to match queue if they lack UID and key extractor says they're now active

CNR-1227

Try to get the sor-key-data-extractor to load certain external reg-prov-script classes to execute "is active" logic on the raw SORObject data

CNR-1228

Clear berkeleyEduExpDate when active

CNR-1240

Add support for a numeric sync marker, instead of just a timestamp, to SorObjectChecksum and SorObjectChecksumQuery tables

CNR-1243

Tweaks to registry provisioning scripts for CalNet SOR Person

CNR-1244

Calculate grace delta upon immediately adding a personRoleArchive entry

CNR-1246

berkeleyEduStuID should remain in LDAP after student has gone into grace or expired

CNR-1247

Modify SGS to include new service indicator view for CS query


December 16, 2016, 5:00 am

This release improves the Change CalNet ID function in CalNet Account Manager, and fixes a bug related to alumni accounts. It also includes an update to the instructions regarding claiming accounts and changing accounts. CMR: CHG0030232

Services Affected

  • CalNet Account Manager
  • Registry Service

Tickets Resolved

TicketComment
CNR-1265 Prevent claiming CalNet IDs only defined in KDC
CM-314 Allow alums to change CalNet ID without a recovery email address
CM-313 Change CalNet ID failure bug
CM-312 When user changes CalNet ID and does not have an ext email address do not show error
CM-310 Edit confirmation message when an alum changes CalNet ID
CM-308 Account Manager throwing javax.management.MalformedObjectNameException
CM-305 Stack trace appears on Change CalNet ID page
CM-316 When changing recovery email without previous recovery email address, system reports an error

December 1, 2016, 9:30 pm

To support updating of certain AdvCon (mostly Alumni) CAS customers, a check for CalNetIDs starting with "cads" is now done. The popup dialog triggered then redirects the browser to the Change CalNetID page. Released to QA (auth-test.b.e) November 30, 2016.  CMR: CHG0030193.

Services Affected

  • CAS

Tickets Resolved

Ticket

Comment

OPS-350

Trap CalNetIDs starting with "cads" and redirect to Change ID app


November 18, 2016, 5:00 am

This release added the ability for alumni to set a bConnected key.

Services Affected
  • CalNet Admin Tool
  • Berkeley Person Registry
  • LDAP

Tickets Resolved

Ticket

Comment

CS-26

MMK should allow ou=ADVCON to be able to set a bConn key so that alumni can create bConn accounts.


November 3, 2016, 11:00 am

This release is to provision FORMER employee, affiliate and student statuses , test and guest accounts to LDAP and BPR fixes. It also includes CAM and CAT text and content changes. See CMR: 30120

Services Affected
  • Berkeley Person Registry
  • LDAP
  • CalNet Admin Tool
  • CalNet Account Manager

Tickets Resolved

CNR-1029 Provision FORMER affiliation when an active affiliation is removed
CNR-1163 Modify DownstreamLdapBuilder to add FORMER affiliations
CNR-1171 Modify LdapDownstreamBuilder to add current LDAP affiliation roles based on calculated berkeleyEduAffiliation values
CNR-1174 Report of invalid date format for bECalNetIDUpdatedDate
CNR-1190 Change SGS HRMS Oracle hash query to hash(firstname||lastname) rather than hash(firstname) + hash(lastname)
CNR-1194 Don't provision (IGNORE) TEST accounts to LDAP
CNR-1195 Add a test account role for TEST accounts
CNR-1200 Provision GUEST LDAP affiliation for guest accounts
CNR-1206 Refactor archived role builders to use a builder context to avoid Hibernate exceptions
CNR-1207 Modify registry-model Person to disallow same roles both in assignedRoles and archivedRoles
CNR-1213 Track status object must have metadata field to store extra info
CM-304 Update language in notification when users can't claim an account
CAT-113 Edit email message when account is locked
CAT-112 For locked accounts, allow option to not send email
CAT-111 Show more info for locked accounts lists


October 24, 2016, 6:00 am

Available in QA: October 14th

Update: war built from qa-to-prod-delegation branch is now deployed to cas-p2/p3/p7 (auth) with default theme set to "default" the OS and JVMs also patched on those hosts, the CAS prod tier.

A feature release of Apereo CAS Server 4.1.9 will be deployed to auth-test on 10/14/16 at 6 am and, assuming no regression is found, to auth on 10/24/16 at 6 am. OS and JVM patches will also be applied. The new features include improved performance when showing lists of SPAs, and a delegated authentication option for apps using the test/qa CAS server environments. CMR: CHG0030053.

Services Affected
  • CAS
  • SPA users

October 20, 2016, 12:00 am

This release improves CalNet Admin Tool and adds the ability for an admin to set a CalNet ID on behalf of a user directly from the CalNet Admin Tool. CMR: CHG0030077

Services Affected
  • CalNet Admin Tool
  • Berkeley Person Registry

Tickets Resolved

Ticket

Comment

CNR - 1188

Add rest endpoint to set calnetId

CAT-107

Ability for admin to set a record's CalNet ID

CAT-109 

Update role mapping wiki page 

CAT-110 

Create new role for SIS in QA


October 13, 2016, 4:30 pm

This release fixes a provisioning bug that is picking up inactive records. CMR: CHG0030054

Services Affected
  • Berkeley Person Registry

Tickets Resolved

Ticket

Comment

CNR - 1186

Stop provisioning employee-onlys without a CAMPUS_ID


October 13, 2016, 6:00 am

Updated description: This release updates the CalNet Admin Tool, including adding affiliations, better scrolling, and cache manager naming issue. It also clears up an error when attempting to match records and automates some consolidation functions. CMR: CHG0030051.

Services Affected
  • CalNet Admin Tool
  • Registry Service

Tickets Resolved

Ticket

Comment

CAT-105

Error when attempting to match records

CAT-104

Show a record's current affiliations

CAT-101

Cache manager naming issue on production

CAT-99

Better scrolling for partial match view

CNR-1149

After merge, wrong CalNet ID marked as active

CNR-1178

When merging two records, an error is thrown

October 12, 2016, 3:05 pm

This critical patch will fix a bug that prevented some new employees and affiliates from claiming CalNet accounts. CMR: CHG0030050.

Services Affected
  • Registry Provisioning
  • LDAP
  • OpenIDM

Tickets Resolved

TicketComment
CNR-1176 Add empty-string check for CAMPUS_ID in the SGS CS "employee-only" detection logic
CNR-1182 Rename isNotProd config param in LdapSync to isProd and adjust the code accordingly 
CNR-1183 Fix LdapSync bug where cleanUpMismatchedAssignments() is being called in prod instead of dev/qa 
none Add some hibernate session clearing  calls to try and eliminate a memory leak 

October 4, 2016, 6:00 am

Update to October 4 CalNet Release:

This release has progressed as planned. The legacy Sync Code has been turned off. The new LDAP schema is in place. Approximately 70,000 active accounts are being updated by the Berkeley Person Registry. We anticipate all records to be done updating within one or two days. Additional status updates will be provided as needed.

On October 4, 2016, the CalNet team will retire the legacy LDAP Sync Code and hand control of LDAP provisioning to the Berkeley Person Registry. This step modernizes campus identity data management. CMR: 4816.

Find detailed information about LDAP Schema changes at: https://calnet.berkeley.edu/calnet-technologists/ldap-directory-service/ldap-simplification-and-standardization

See additional information about impacts of the Sync Code Retirement, here: https://calnet.berkeley.edu/news/calnet-sync-code-retiring

Services Affected

  • LDAP Provisioning
  • LDAP Sync Code
  • Berkeley Person Registry
  • CalNet Deputy UAS Portal
  • CalNet Deputy Issue Initial Token Application

Tickets Resolved

Ticket

Comment

CAT-38                       

Replace registry-p1 and idm-p2 scripts with CAT buttons

CAT-62

ability for admin to allow someone to change CalNet ID

CAT-81

Improve view of list of records to be matched

CAT-82

generate an notification email when account is locked / unlocked

CAT-83

edits to account locking/unlocking email content

CAT-93

Missing link to submit all records for rematch

CM-293

switch to berkeleyEduIsMemberOf

CNR-1000

Provision affiliation roles to LDAP

CNR-1007

Provisioning to ADVCON OU

CNR-1013

Remove isLegacy / isOwned / definitiveAttributes from LdapDownstreamBuilder

CNR-1018

Provision berkeleyEduAffID (ucbaffid)

CNR-1021

Rename IdentifierType hrmsEmployeeId to hcmId to avoid future confusion

CNR-1022

Develop API for ADVCON to replace account claiming API to kerb service

CNR-1023

Make REST endpoints for reprovisioning and sorHash/sorQuery

CNR-1024

Add a PersonJob table to the registry schema and add it to the model

CNR-1025

Modify registry-provisioning-scripts to provision to PersonJob table

CNR-1039

Remove hrmsPrimaryApptRcdNo role now that we have PersonAppointment table with an isPrimary flag

CNR-1040

Primary job determination logic needs to be moved to a PostBuilder so there's one one primary job if multiple HRMS SORObjects

CNR-1043

Create endpoint for advcon to use passphrase reset

CNR-1044

Endpoint for ADVCON to set recovery Email address

CNR-1045

Endpoint for ADVCON to set passphrase

CNR-1046

Don't set berkeleyEduUnitHRDeptName because sync code has stopped setting it

CNR-1047

Change berkeleyEduEmpDeptUnitTitleCode to be single-value pointing to primary appointment

CNR-1050

Investigate which HRMS records get an AffId

CNR-1052

Implement Audit in registry-service

CNR-1053

Create an "Archived Identifier" table to store old identifiers

CNR-1056

Add new HCM identifier types to distinguish between employee-specific and affilite-specific HCM identifiers.

CNR-1057

Change prov-script affiliateId and employeeNumber logic to use new hcm IdentifierTypes

CNR-1061

Implement pagination and showing rejected records for PartialMatch service

CNR-1065

Provision HCM employee and affiliate berkeleyEduAffiliations

CNR-1066

Provision ADVCON berkeleyEduAffiliations

CNR-1070

Provision UAS Identifier from LDAP_AFFILIATESOURCE data

CNR-1071

Provision uas affiliate id as part of LDAP berkeleyEduAffID array

CNR-1072

Provision uasAffiliateId as LDAP berkeleyEduCalNetAffID

CNR-1074

changes to NameTypeEnum[] priorityList

CNR-1075

SGS registry-p1 still occasionally throwing deadlock exceptions

CNR-1078

Provision birthday info to LDAP

CNR-1080

Provision berkeleyEduCalNetIDUpdatedDate

CNR-1081

Provision berkeleyEduCalNetUIDConsolidationDate

CNR-1082

Provision berkeleyEduCalNetUIDOld

CNR-1084

prov-scripts needs refactoring for LDAPDownstream to use person objects directly instead of as JSON or a Map

CNR-1085

Provision berkeleyEduUnitHrDeptName

CNR-1086

Registry service should write, when a record is consolidated.

CNR-1090

Disable legacy SIS SOR

CNR-1092

Change legacy SIS isActive logic to always return false now

CNR-1093

Modify LdapSync logic to account for Registry being responsible for provisioning HRMS and ADVCON to LDAP now

CNR-1097

Why is ADVCON cads2986 not matching up to Expired uid 563834 in prod?

CNR-1100

Will need to create ArchiveIdentifier records for any current LDAP identifiers not matched up to a SORObject so they don't get overwritten

CNR-1103

crosswalk service occasionally throws LinkedHashMap exception

CNR-1105

ldapSyncQueue is hanging/crashing/notworking

CNR-1106

Add an "unknown affiliate id" identifier type

CNR-1108

Replace LdapPersonIdentifier json with IdentifierArchive json in PersonSorObjectsJson

CNR-1109

Create dummy web service to trick OpenIDM into resetting its sync key for testing purposes

CNR-1110

Fix deleteTrackStatus, throws an exception

CNR-1111

Write a general LDIF "diff" script to compare two LDIF files for differences

CNR-1114

Don't provision berkeleyEduBirthYear to LDAP

CNR-1115

berkeleyEduBirthDay and berkeleyEduBirthMonth should always be formatted with two digits (leading '0' if necessary)

CNR-687

Add hcmEmployee role(s)

CNR-791

Provision SORObject(SOREnum.CALNET_CREDMGMT) oldCalnetId

CNR-799

Upgrade match-service and match engine to Grails 2.5.4

CNR-988

Provision primary job title code to LDAP

CNR-989

Provision primary department to LDAP

CNR-990

Provision department code to LDAP

CNR-991

Provision employee number to LDAP

CNR-992

Provision employee type to LDAP

CNR-993

Provision person's affiliations to LDAP

CNR-994

Provision person names to LDAP

CNR-995

Provision unique identifiers for a person to LDAP

CNR-996

Provision old CalNet ID to LDAP

CNR-997

Provision ou to LDAP

CNR-999

Refactor LdapDownstreamBuilder

CNR-1116

OpenIDM on registry-d1 isn't moving people from ou=people to ou=advcon people

CNR-1122

Prevent OpenIDM from reprovisioning SPAs to LDAP

CNR-1121

Provision AFFILIATE-TYPE for HCM affiliates into LDAP berkeleyEduAffiliations

CNR-1124

Clear out all berkeleyEduAffiliationsDetailed values now

CNR-1104

Quartz job to observe CsCampusIdMismatchView and set PersonIHub.timeresendrequested and trigger to service to resend those

CNR-1059

After all new apps deployed using hcmId IdentifierType, remove deprecated hrmsEmployeeId from IdentifierTypeEnum and prov-scripts and the table


September 21, 2016

This is a release to deploy endpoints for ADVCON to use Account Manager.  In addition, this release includes new features and improvements to the CalNet Admin tool and a necessary change in the CalNet Account Manager required by the CalGroups service. CMR: 4817.

Services Affected

  • Berkeley Person Registry Services
  • CalNet Admin Tool
  • CalNet Account Manager

Tickets Resolved
TicketComment
CNR-996 Provision old CalNet ID to LDAP
CNR-1022 Develop API for ADVCON to replace account claiming API to herb service
CNR-1023 Make REST endpoints for reprovisioning and sorHash/sorQuery
CNR-1043 Create endpoint for advcon to use passphrase reset
CNR-1044 Endpoint for ADVCON to set recovery Email address
CNR-1045 Endpoint for ADVCON to set passphrase
CNR-1061 Implement pagination and showing rejected records for PartialMatch service
CAT-38 Replace registry-p1 and idm-p2 scripts with CAT buttons
CAT-81 Improve view of list of records to be matched
CAT-82 Generate an notification email when account is locked / unlocked
CAT-83 Edits to account locking/unlocking email content
CM-293 Switch to berkeleyEduIsMemberOf

September 14, 2016, 6:00 am

For this release, we will point the production CAS cluster to a new, more powerful OpenDJ LDAP cluster for back-end directory services. This change will be transparent to both CAS client applications as well as users; it is an internal change for the service with no external impact other than better performance. See CMR: 4787

Services Affected
  • CAS

August 18, 2016, 10:00 pm

This emergency patch is an update to CalNet import code deployed to fix changes to SOR Gateway Service. It should reduce or eliminate the frequent exceptions currently being seen when a data import job is attempted due to Spring JDBC pooling bug. Crosswalk service should not be impacted.

Registry-p1Tomcat restart required. CMR: 4752.

Note: this change during the No Fly Zone has been approved by SIS project team.

Services Affected
  • Berkeley Person Registry
  • LDAP

August 10, 2016

This release is in response to a security advisory by OpenIDM. It contains a patch to OpenIDM 3.1.0 which will be applied to registry-d1 and prevents exposure of vulnerable encryption keys. CMR: 4734

A separate release issues changes to LDAP production. 

Services Affected
  • Registry Provisioning
  • LDAP
  • OpenIDM

Tickets Resolved

TicketComment
CNR-1008 Seed displayName in LDAP to an initial value if not set
Added csRegisteredStudent role and set -REGISTERED affiliation in LDAP

August 9, 2016

This new SOR Gateway service release will fix a bug in the the programming logic that determines employee affiliation as well as implementing newly developed logic for determining terms for registered students. It also deploys a fix for database production errors. CMR: 4729.

Services Affected
  • Berkeley Person Registry
  • LDAP
Tickets Resolved
TicketComment
CNR-987 CS Employees with both an Employee AND Instructor affiliation are still getting into the partial match queue
CNR-917 Determine current or future CS terms
CNR-970 Logic for determining start of next Fall or Spring term for -REGISTERED period
CNR-982 Tweak "employee-only-without-a-CAMPUSID" logic to ignore "APPLICANT/Applied" affiliations when calculating if employee-only or not
CNR-1001    Try to find another way to get a Postgres BaseConnection object in the SGS other than by using custom SafeNativeConnectionExecutor, which may be contributing to SGS exceptions.
CNR-1003 Fix PostgreSQL SGS refreshPersonSorObjectsJson deadlock scenario
CNR-1005 "Already value for key" connection pool exceptions in SGS

August 7, 2016, 6:00 am

The campus CAS server cluster behind auth.berkeley.edu will have the OS patched, the CAS server upgraded to release 4.1.9 and an improved Spring LDAP pooling configuration. These changes are currently in place for the auth-test.berkeley.edu service. No new TLS certificate is involved and no service outage is planned. CMR 4679.

Services Affected
  • CAS
  • LDAP
Tickets Resolved
TicketComment
CM-4679 CAS server upgrade and patching


August 3, 2016

This patch to the SOR Gateway Service changes the validation query on connections in the database connection pool to see if it helps get rid of prematurely closed exceptions that are causing exceptions to be thrown when re-hashing and re-querying. CMR: 4720.

Requires a registry-p1 Tomcat restart.

Services Affected
  • CalNet Admin Tool

August 2, 2016

All CalNet services including CAS (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), LDAP Directory (ldap.berkeley.edu) will be unavailable for a 10 to 15 min window - between 4 and 4:30 am - while new network load balancer equipment is enabled. CMR 4685. 

Services Affected
  • CAS
  • LDAP
  • Shibboleth

August 1, 2016

This releases added account locking and unlocking features within CalNet Admin Tool for CalNet staff. It also contained minor UI edits and created access for additional roles. CMR: 4714.

Services Affected
  • CalNet Admin Tool
  • CalNet Account Manager
  • Berkeley Person Registry

Tickets Resolved

TicketComment
CAT-71 Outgoing email on lock/unlock do not show HTML correctly
CAT-5 Ability for CalNet Staff to lock accounts
CAT-6 Ability for CalNet Staff to unlock accounts
CAT-39 Person must have "locked" flag
CAT-64 Check wording for email sent to user when account is locked
CAT-65 Check wording for email sent to department when account is locked
CAT-66 Check wording for email sent to user when account is unlocked
CAT-68 Create a role and view for Limited View group
CAT-69 Add Recovery Email Address to basic Info
CAT-70 Create role for security
CAT-73 In QA, no form on the CAT home page
CAT-74 CAT does not reflect recovery email address entered in CAM
CAT-75 Ability to update recovery email address for a user with no CalNet ID
CAT-76 Added a way to bump logging levels on server
CAT-78 Testing in QA: unclear error message when searching
CM-289 Change order of menu links
CNR-980: Prevent locked accounts from doing Account Manager service call
CNR-947 Endpoint to lock and unlock account
CNR-980 Make creation of CredManangerSor able to take only recovery email without CalNet ID

July 19, 2016

This release deployed a change that prevents pulling Campus Solutions employee-only records into Berkeley Person Registry/CalNet unless they have a UID already set in CS. This is so we can reliably match CS employees with HCM records.

This release does require a Tomcat restart. CMR: 4682

Services Affected
  • SOR Gateway Service
  • Berkeley Person Registry
  • LDAP

July 9, 2016, 12:00 am

Hotfix: Use csDelegateProxyEmailAddress directly when sending out proxy delegate emails (with a fallback to calnetCredentialRecoveryEmailAddressCalculated). CMR: 4668.

Services Affected
  • CalNet Account Manager
  • Berkeley Person Registry

July 8, 2016, 4:00 pm

This patch fixes a bug in the "CalNet SOR Person" tool (used in the creation of test accounts).  CMR 4666.
Services Affected
  • SOR Gateway Service
  • CalNet SOR Person Creation Tool

July 5, 2016

This patch issues a fix to the SGS nightly LdapSync process that queries for unmatched CS objects to send to the match queue.

Services Affected
  • Berkeley Person Registry
  • LDAP

July 5, 2016

This release deploys fixes for registry-provisioning and registry-service and changes the way Recovery Email Addresses are calculated.

Services Affected
  • Berkeley Person Registry
  • LDAP
Tickets Resolved
TicketResolved

CNR-952

Reset "STU-" affiliations in LDAP, not just "STUDENT-", for CS people.

CNR-953

Modify registry-service PeopleToProvision to include all changed DownstreamObjects in the OpenIDM query, not just for CS people.
(In support of CNR-952 fix)

CNR-957

When person has no SORObject other than LDAP, set DownstreamObject DN to whatever the existing LDAP DN is.
(In support of CNR-952 fix)

CNR-966

Reject all email addresses that end in berkeley.edu for calnetCredentialRecoveryEmailAddressCalculated email type.

July 1, 2016

This release features enhancements recommended by security assessments as well as instructional additions. An additional release at 4pm includes a patch to Registry SOR Gateway Service to assign new CS employees a UID based on the UID they send us instead of fuzzy matching.

Services Affected
  • Berkeley Person Registry
  • CalNet Account Manager
  • LDAP
Tickets Resolved
TicketResolved
CM-284 ASTP Report Action Item: return response header with name "X-Frame-Opt"
CM-286 Refactor rest client calls out of CAM and into plugin to also be used in CAT
CM-287 Added instructions online for users claiming an account but have no recovery email address
CM-288 Added "Affiliate ID" to instructions
CNR-961 Modify SGS to assign SORObject a UID if UID exists in the source key data
CNR-945 ASTP Report Action Item: increase token length to 16 characters

June 29, 2016

Deployment of new code to the CalNet Registry Stack. It also includes a minor bug fix for the registry-service as well as registry upgrades.  New logic to prevent the creation a new UID for employee records from Campus Solutions. UID creation should only happen when a record comes from HCM. CMR 4641.

Services Affected
  • Berkeley Person Registry
    • Provisioning
    • SOR Gateway Service
    • Match Service
  • LDAP
Tickets Resolved
TicketComment
CNR-799 Upgrade match-service and match engine to Grails 2.5.4
CNR-886 Modify SGS and to send CS people that don't have an admit/sircompleted/student affiliation to match queue with matchOnly indicator set to true
CNR-904 The displayName parser may not be parsing lastName, firstName correctly (is this different than normal displayName format?)
CNR-912 @LogicalEqualsAndHashCode refactor for domain classes to improve provisioning performance
CNR-913 Add sysadm.PS_UC_SRVC_IND_VW1 (Service Indicators) to SGS CS query
CNR-919 Prevent circular reference loop in @DomainEqualsAndHashCode hashCode() generator
CNR-924 LDAP DownstreamObject bug when LDAP fields have JSON characters in them
CNR-930 Add a "matchOnly" indicator for match queue messages for registry-match-service
CNR-932 add a sql statement timeout in SGS to avoid deadlocks in the consumer of the SORObject JSON queue
CNR-933 Modify LdapSync to call rematch service on CS SORObjects that haven't yet matched up to a UID
CNR-934 Modify registry-match-service to remove sorObject from PartialMatch when uid assigned
CNR-935 CsPersonRoleBuilder not assigning csEmployee role to all people with active CS jobs
CNR-937 If LdapSync assigns an uid to a SORObject, remove that SORObject from PartialMatch table if it exists
CNR-939 Assign csEmployee role to anyone with a CS EMPLOYEE affiliation

June 28, 2016

This release is an enhancement to the Change CalNet ID form. It improves error handling, updates CalNet ID requirements and includes some minor text changes. It also includes improved search function and enhanced admin capability to update a user's recovery email address. CMR 4640.

Services Affected
  • CalNet Account Manager
  • CalNet Admin Tool
  • Berkeley Person Registry
Tickets Resolved
TicketComment
CAT-4 Ability for CalNet admins and deputies to change recovery email address for user
CAT-50 Simple Search functions not working for certain attributes
CM-281 Refactor PersonUtil out of Account-Manager into registry-commons
CM-280 Format change in Change CalNet ID form
CM-279 Allow CalNet IDs not created by Acct Mgr to be changed
CM-274 Remove SIS links from Acct Mgr Admin Home page
CM-273 Reformat Change CalNet ID form
CM-272 Update CalNet ID requirement
CM-267 Need to check if an account is locked before allowing access
CM-262 When changing calnetId, and the passphrase is wrong, the shown message is not reflecting this.
CM-261 Change instruction text in Change CalNet ID form

June 23, 2016

CalNet ran a job to correct 454 student records that had been incorrectly set to expired status which was affecting email access. A check of impacted records has confirmed that the job was successful.

Services Affected

  • LDAP

June 22, 2016

The auth.berkeley.edu CAS cluster [1] will begin using as primary its current failover dedicated OpenDJ LDAP cluster (dir-auth.calnet.1918.berkeley.edu) [2] beginning Wednesday, June 22 at 6 am.

There is no planned outage for this migration, which will be over at 6:15 am. At that time, the current primary cluster (nds-auth.calnet.1918.berkeley.edu) will become the failover target. See CMR 4577.

The new OpenDJ cluster provides a 50% increase in vCPU capacity (6 vs. 4) and twice the JVM RAM available (14 vs. 7 GB) compared to the current OpenDJ cluster it replaces. The new nodes are running RHEL 7.2 vs. 6.7 for the OS.

[1] auth.berkeley.edu consists of cas-p2.calnet.berkeley.edu, cas-p3.calnet.berkeley.edu, and cas-p7.calnet.berkeley.edu
[2] dir-auth.calnet.1918.berkeley.edu consists of dir-p4.calnet.1918.berkeley.edu, dir-p5.calnet.1918.berkeley.edu, dir-p10.calnet.1918.berkeley.edu.
These new OpenDJ VMs are running OpenDJ 2.6.4 with 6 vCPUs and 24 GB RAM each using tuned 14 GB OpenJDK 8 JVMs on RHEL 7.2 servers.

Services Affected
  • CAS
  • LDAP
  • Shibboleth
Tickets Resolved
TicketComment
OPS-332 Convert auth.berkeley.edu cluster to use dir-auth.calnet.1918.b.e OpenDJ cluster

June 17, 2016

Hotfix being deployed to production to fix bug causing large "cn" values, leading to problems in LDAP. No Tomcat restarts anticipated due to change happening in external provisioning scripts. See CMR 4623.

Services Affected
  • LDAP
  • Berkeley Person Registry
Tickets Resolved
TicketComment
CNR-924 LDAP DownstreamObject bug when LDAP fields have JSON characters

June 14, 2016

Fixes bug in which users with numeric values for CalNet IDs encounter errors in ID creation. 

Separate release enhances CalNet Account Manager to allow use by people not associated with CS. CMR: 4631.

Services Affected

  • CalNet Account Manager
  • LDAP
  • Berkeley Person Registry
Ticket Resolved
TicketComment
CM-265 MAP@Berkeley(link sends e-mail) users with all numeric CalNet IDs can't create a CalNet ID
CNR-915 Need to always write beKerberosPrincipalString to LDAP when someone has a CREDMGMT SORObject

June 10, 2016

This release includes a bug fix to correct matches and show claim token. Feature enhancement includes showing LDAP record, search function improvements and revamped UI.

Services Affected
  • CalNet Admin Tool

Tickets Resolved

TicketComment
CAT-58 Match fails in prouction CAT
CAT-3 Reconciliation Manager stops displaying new partial matches
CAT-8 Ability to see LDAP record
CAT-12 Make login interval longer
CAT-25 Whan app times out, require user to log in
CAT-26 Display search result in list format
CAT-31 Create another access role for view only with raw data
CAT-42 CAT master is failing Bamboo tests, preventing deployment to prod
CAT-45 Reconcile mis a button to click when matching records
CAT-47 Hide SSN in SR
CAT-48 CAT does not show tokens - this is needed for support

June 3, 2016

Update: This release is complete. Known issues with CAT search results are being investigated.

This release improves LDAP provisioning performance and CalNet Admin Tool and Account Manager, as well as fixes various bugs. Fixes include changes to permissions and processes for those using the Account Manager to change their CalNet IDs and addressing inconsistency in CalNet Admin tool searches to yield improved search results. Due to changes in this release, reprovisions will be required within the registry stack. See CMR 4613.

Services Affected
  • Berkeley Person Registry
    • Provisioning
  • CalNet Admin Tool
  • Account Manager
  • LDAP

Tickets Resolved

TicketComment
CAT-22 Inconsistent search results
CM-255 Change email address for Change CalNet ID notices
CM-256 Allow CalNet ID change to existing name if UID owns it
CM-257 Only allow CalNet ID change with CM tool for IDs created through CM
CM-260 Update "from" email in prod.
CM-271 Delegate email changes - critical changes requested
CNR-779 registry-service endpoint to allow calnetID change
CNR-822 Add newCalnetId to change calnet id track status
CNR-824 REST endpoint to check if a calnet id was created by account-manager
CNR-826 Registry Service Endpoint URL changes for checkForExistingCalnetId now with UID
CNR-827 Endpoint for checkForExistingCalnetId must take into account uid
CNR-828 Inconsistent search result - interim solution
CNR-841 Move LDAP attr-determination scripts from OpenIDM to registry-provisioning-scripts and write JSON to DownstreamObject table
CNR-844 Add LDAP attributes to SGS LDAP querying that are used in LdapDownstreamBuilder
CNR-849 Have the SGS pull in all LDAP attributes except metadata like timestamps and modifiedBy etc
CNR-850 Modify peopleToProvision service to read from DownstreamObject table
CNR-862 Set OpenIDM to "own" CS people with CS Student affiliation
CNR-863 Endpoint to disable and enable password reset request
CNR-864 Reset passphrase should be prevented if flag is set in registry
CNR-866 A provisionUid bug somewhere in the SOR Gateway Service processing chain
CNR-867 Create a second provisionUidBuild queue for "bulk" operations like from queueChangedIdentities.sh
CNR-876 Don't write berkeleyEduOfficialEmail and mail back to LDAP
CNR-877 Improve CollectionUtil.sync performance

May 27, 2016

Emergency patch to OpenIDM in production to not write to berkeleyEduOfficialEmail and mail attributes. This will require an OpenIDM restart.

When: Approx 11:10am.

See CMR 4606. 

Services Affected
  • LDAP Provisioning

May 25, 2016

Available for testing on auth-test: May 19, 2016

The CAS service for the auth.berkeley.edu cluster will use Spring LDAP pooling for SPA lookups. This improves the efficiency of those searches so that CAS queries to populate the SPA pick list occur more quickly.

See CMR 4591. 

Services Affected
  • CAS
  • LDAP
  • CalGroups
Tickets Resolved
TicketComment
OPS-334 Spring LDAP pooling for CAS SPA lookups

May 22, 2016

RHEL 6.x OS patching for production MIT Kerberos KDC cluster completed.

See CMR 4558.

Services Affected

  • Campus MIT Kerberos

Tickets Resolved

TicketComment
OS patching MIT Kerberos KDCs.

May 21, 2016

Edits made to delegate email to make claiming a delegate account more user friendly. 

Services Affected

  • CalNet Account Manager

Tickets Resolved

TicketComment
 CM-271 Delegate email changes - critical changes requested

May 18, 2016

People in CS with only student affiliation and not admit or SIRCompleted affiliations are now getting "berkeleyEduAffiliations: STUDENT-TYPE-NOT REGISTERED" set in LDAP.

Services Affected

  • Berkeley Person Registry
  • LDAP Provisioning

Tickets Resolved

TicketComment
CNR-862 Set OpenIDM to "own" CS people with CS Student affiliation.

May 16, 2016

The obsolete DNS CNAME records for auth2.berkeley.edu and ncas.berkeley.edu were removed from DNS today.

See CMR 4579.

Services Affected

  • CAS

May 13, 2016

Edited logic to deal with duplicates in Berkeley Person Registry. Implemented redirect for idc.berkeley.edu to calnetweb.berkeley.edu. 

Services Affected

  • Berekely Person Registry
  • LDAP Provisioning
  • idc.berkeley.edu

Tickets Resolved

TicketComment
CNR-848 Move CS SORObjects between dupe uids according to some logic
OPS-333

Redirect idc.berkeley.edu to calnetweb


May 10, 2016

Bug fixes and URL update for Calnet Admin Tool. Redirect for mycalnet.berkeley.edu implemented.

Services Affected

  • Account Manager

May 3, 2016

Data import enhancements to recognize additional role types in the Berkeley Person Registry for students in Campus Solutions and employees in HCM.  
Updated LDAP provisioning logic to allow CalNet ID changes for all account types via the Account Manager. See CMR 4553.

Services Affected
  • Berkeley Person Registry
  • Account Manager
  • LDAP Provisioning

Tickets Resolved

TicketComment
CNR-687 Add HCM roles.
CNR-790 Re-enable assigning csUndergraduate/csGraduate/csStudent roles in Registry and also add csExtension and csAdvisor roles.
CNR-794 Upgrade to Grails 2.5.4.
CNR-795 Upgrade to Grails 2.5.4.
CNR-805 Change SGS HCM query for better recognition of Peoplesoft effective dating in hrms.employee_verif_v view.
CNR-806 Change SGS HCM query for better recognition of Peoplesoft effective dating in hrms.employee_verif_v view.
CNR-807 Change SGS HCM query for better recognition of Peoplesoft effective dating in hrms.employee_di_v view. (Partially complete. Next release will have further mods).
CNR-832 Always write berkeleyEduKerberosPrincipalString and berkeleyEduCalNetIDUpdatedFlag.

May 1, 2016

As part of the SIS 5.3 Release, CalNet will be coordinating with bCourses, CalCentral and MAP@Berkeley(link sends e-mail) to update the CAS URLs their clients are using from auth2.berkeley.edu(link is external) to auth.berkeley.edu(link is external). See CMR 4547.

Services Affected

April 27, 2016 

Update feature in CalNet Account Manager.

Services Affected
  • CalNet Account Manager

Tickets Resolved

TicketComment
CM-255 Change email address for Change CalNet ID notices

April 24, 2016 

A CAS 4.1.7 security patch is scheduled for deployment on Sunday 4/24/16 at 6am. This version is already deployed to auth-test.b.e. There will be a 1 minute outage during the restart of all CAS nodes. See CMR 4529.

Services Affected
  • CAS

April 21, 2016

Minor updates CalNet Account Manager.
Services Affected
  • CalNet Account Manager

Tickets Resolved

TicketComment
CM-249 Text Corrections
CM-250 Disallow SPA's to make any changes

April 20, 2016

New features to the CalNet Account Manager and Berkeley Person Registry allow users to change CalNet ID. Minor updates to menu and message language.
Services Affected
  • CalNet Account Manager
  • Berkeley Person Registry

Tickets Resolved

TicketComment
CM-234 Ability for emps/students to change calnet ID
CM-236 Change menu item label
CM-244 Edit message for those claiming an account but who already have one
CM-246 Error message for people who can't reset password via CM
CNR-779 Registry-service endpoint to allow calnetID change

April 17, 2016 - deferred

Delayed, to be rescheduled.
CAS URL updated to auth.berkeley.edu(link is external) for Account Manager and MAP@Berkeley(link sends e-mail) delegated authentication.
Services Affected
  • CAS delegated authentication
  • CalNet Account Manager

April 11, 2016

Summary

  • Added new features to the CalNet Account Manager application to allow users to reset their passphrase and change their recovery email address. 
  • Added error reporting to calnet-systems@berkeley.edu(link sends e-mail).
  • Added filter to disallow undergraduate admits who have not SIR'ed from creating a CalNet ID. 
  • Revised code to allow users with CalNet ID's that are all-numeric or begins with "CADS" to be able to create a new CalNet ID. 
  • Revised code to check the namespace before granting a CalNet ID.
  • Revised code to check that a delegate does not have CalNet ID before allowing them to create one.
  • Minor webpage and email content edits.

Services Affected

  • CalNet Account Manager
  • Berkeley Person Registry
  • LDAP Provisioning

Known Bugs with this Release

This issues are being addressed and will be resolved as soon as possible.

  • Requesting an update to an empty external email address currently isn't working.
  • When a requestor submits their recovery email address to reset their passphrase, CalNet Account Manager is erroneously showing the requestor's non-employee and non-student accounts, if they exist, to be reset. This functionality doesn't work and will be addressed in a later version.

Tickets Resolved

TicketComment
CM-123 Ability for emps/students/delegates to reset forgotten passphrase
CM-169 Of the admitted undergrads, only those who accepted their offers can claim CalNet ID
CM-187 NPE in DelegateService.bindDelegateCommands
CM-188 If a delegate account already has a CalNet ID don't let them claim
CM-192 Change polling delegates timing
CM-197 Delegate account email "I already have a CalNet ID" doesn't work.
CM-206 Check namespace for CalNet ID availability
CM-213 Update Account Manager Main Menu
CM-214 Allow people with all numeric or cads calnet ids to create a new calnet id
CM-223 PW reset Email Invite Format changes
CM-224 Add contact info in CalNet Account Manager
CM-225 Send Error log entries to calnet-systems@berkeley.edu(link sends e-mail)
CM-227 Testing Findings Using QA Stack
CM-228 Revise Reset Passphrase form
CM-230 Testing Reset Passphrase Using Dev
CM-231 Testing Reset Passphrase Using QA
CM-232 Username and Email address are Null for slate student
CM-235 Update to account creation page
CM-236 Change menu item label
CM-237 Edit email confirmation to delegates - SIS request
CM-238 Account manager CAS configuration needs updating

April 8, 2016 - deferred

Deferred until we determine how to support LDAPS via the SLB/VIP for ldap.berkeley.edu.

Update and patch the OS and JVM for the nds-auth LDAP directory cluster nds-p4/-p5/-p10 (used by the auth.b.e CAS cluster) and perform a rolling upgrade of the OpenDJ servers to the 2.6.4 release.

Services Affected

  • CAS and LDAP

April 7, 2016

Registry Provisioning and OpenIDM bug fixes and preparations for new account manager functionality.

Services Affected

  • LDAP Provisioning

Tickets Resolved

TicketComment
CNR-754 provisionUid is removing and re-adding the same identifiers every time it reprovisions
CNR-765 Create csDelegate role in Registry
CNR-766 Make it so none of the provisioning-scripts builders run if the SORObject is isDeleted=true
CNR-767 Distinguish between active (future) and inactive (ex) STUDENT-TYPE-NOT-REGISTEREDs.
CNR-768 Don't set STUDENT-TYPE-NOT REGISTERED if STUDENT-TYPE-REGISTERED is set.
CNR-770 OpenIDM throwing exceptions trying to rename namespace entries
CNR-771 OpenIDM needs to refire recon-by-id somehow after LINK and UNLINK operations
CNR-775 Probable bug where the CS IdentifierBuilder is not detecting properly when there is only one job and its active
CNR-776 isActive on HRMS identifier possibly set incorrectly.
CNR-785 Remove LDAP Student expiration dates when adding an active CS affiliation

March 29, 2016

Three releases scheduled. Upgrade to production ActiveMQ 5.13.2 on amq-p1. Bug fix for CalAccess that repaired the service that checks on FERPA requirements for a user.

Scheduled CAS upgrade in which default CAS Authorization was pushed into production at auth.berkeley.edu was disabled because of a bug in LDAP. We are investigating the issue and will update you with our plans going forward as we are able to.

Services Affected

  • Berkeley Person Registry
  • LDAP Provisioning
  • CalAccess
  • CAS

Tickets Resolved

TicketComment
CNR-758 Upgrade to ActiveMQ

CA-299

FerpaService fails to authenticate


March 28, 2016

Emergency fix to remove blocker for LDAP provisioning.

Services Affected

  • OpenIDM
  • LDAP Provisioning
TicketComment
CNR-770

OpenIDM throwing exceptions trying to rename namespace entries


March 20, 2016

Bug fix to handle account creation issues reported by users.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • LDAP Provisioning
  • Kerberos Provisioning

Tickets Resolved

Ticket

Comment

CM-220

Account Creation is failing

CM-218

Production Account Manager is throwing locking exceptions


March 18, 2016

Feature enhancements for the following:

  • ability for delegates to create their CalNet ID accounts

  • ability for CalNet ID account holders to change their external email addresses

Code fixes for the following:

  • error handling when an expired token is used to claim an account

  • changes to confirmation email content and format

  • checking that a user’s requested CalNet ID is not already in namespace

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • LDAP Provisioning

Tickets Resolved

Ticket

Comment

CM-147

ability for emps/students/delegates to change recovery email

CM-179

Delegates can claim account directly

CM-180

When user tries to use an expired token, they see a CAS login

CM-183

edit delegate email invitation to create CalNet ID

CM-198

edit confirmation email message when a CalNet ID is activated

CM-199

format changes for confirmation message when a delegate's CalNet ID is created

CM-200

Confirmation page for undergrads is broken

CM-201

send email to existing accounts about the change request for recovery email address

CM-202

content for email to continue process for recovery email address creation

CM-207

account-manager must verify calnetId on new checkForExistingCalnetId endpoint in registry-service

CM-209

send email to new account to confirm completed recovery email address process

CM-211

New wording change for delegate invite mail

CM-217

Edit email confirmation message for delegates again!

CNR-717

Registry-service endpoint to store and verify recovery email address

CNR-723

Write CalNet ID to namespace upon creation


March 17, 2016

This was a fix for bug that was allowing new users to create CalNet IDs that had already been reserved by some other system.  Usually an email alias or mail list name.  42 affected CalNet IDs were changed to resolve the conflict and new code was deployed to improve namespace updates when new CalNet IDs are created.

Services Affected

  • Berkeley Person Registry
  • CalNet Account Manager
  • LDAP Provisioning

Tickets Resolved 

TicketComment
CN-723    Write CalNet ID to namespace upon creation

March 16, 2016

Bug fix release to improve logging and to deploy updates to the account creation process to do more thorough namespace checking.
Services Affected

  • CalNet Account Manager
  • Berkeley Person Registry
  • LDAP Provisioning

Tickets Resolved

TicketComment
CM-207 account-manager must verify calnetId on new checkForExistingCalnetId endpoint in registry-service
CNR-537 Remove the SOR Sql objects from SGS resources.groovy
CNR-682 Make CS_DELEGATE hash/query timestamp-aware
CNR-692 SisStudentIdentifierBuilder.isActive is not handling multiple terms nor disregarding past terms
CNR-709 in registry-provisioning-scripts, use parseFullName() as an additional way to try to parse out individual name components from displayName
CNR-718 Don't make "sorObject not found" a "fatal" error in NewUidService
CNR-719 Add INFO log statement when oprId, security key, or email changes for CS_DELEGATE

 Back to Top