
    Safewhere Identify 5.14 Release Notes

    New features and improvements

    Authenticate HSM vault using the client certificate

You can now use the Identify Configurator to create a new Identify instance that uses certificate authentication to access Azure Managed HSM.

[Screenshot: ic_new_tenant_signing_hsm]

In the client secret field, enter a reference to the client certificate in the format Certificate:Thumbprint=CertificateThumbprint, for example Certificate:Thumbprint=123456b0d7d012345687acfb009e102fa4123456. The thumbprint identifies the client certificate that Identify presents to the HSM instead of a shared secret.

You can also reconfigure an existing instance to use certificate authentication for accessing Azure Managed HSM.

[Screenshot: ic_reconfigure_tenant_signing_hsm]

Extended OCES3 environment support

The OCES environment options on the Settings page have been updated to reflect recent changes from DanID for the OCES3 environment.

[Screenshot: oces3-environment-514]

OCES environment and the root certification authority Identify validates against:

OcesII_DanidEnvLocal: Identify validates that OCES II certificates are issued by the root certification authority TRUST2408 O2DEV Primary CA.
OcesII_DanidEnvIntegration: Identify validates that OCES II certificates are issued by the root certification authority TRUST2408 Systemtest IX Primary CA.
OcesII_DanidEnvPreprod: Identify validates that OCES II certificates are issued by the root certification authority TRUST2408 Systemtest VII Primary CA.
OcesII_DanidEnvProd: Identify validates that OCES II certificates are issued by the root certification authority TRUST2408 OCES Primary CA.
OcesIII_DanidEnvTest: Identify validates that OCES III certificates are issued by the root certification authority C = DK, O = Den Danske Stat, OU = Test - cti, CN = Den Danske Stat OCES rod-CA.
OcesIII_DanidEnvProd: Identify validates that OCES III certificates are issued by the root certification authority C = DK, O = Den Danske Stat, CN = Den Danske Stat OCES rod-CA.

Note that the OCES III test and production roots share the same CN; only the OU attribute (Test - cti) distinguishes the test root, so a check on CN alone is not sufficient.
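The following PowerShell script is an added example and is not part of Safewhere Identify. It encodes the table above, builds the chain of a given certificate with .NET's X509Chain, and reports which OCES environment setting its root corresponds to, comparing the individual RDN attributes so that the OCES III test and production roots (same CN, different OU) are told apart. The certificate file paths are assumptions; revocation is deliberately not checked here because that is Identify's job at token-request time.

```powershell
# Added example, not Safewhere's code: resolve the root CA of a certificate and report
# which Identify OCES environment setting it corresponds to. Paths are assumptions.
using namespace System.Security.Cryptography.X509Certificates

# Expected root RDNs per environment, taken from the release notes table. A $null value
# means the attribute must be absent, which separates the OCES III test root
# (OU = "Test - cti") from the production root that has no OU.
$ExpectedRoots = [ordered]@{
    'OcesII_DanidEnvLocal'       = @{ CN = 'TRUST2408 O2DEV Primary CA' }
    'OcesII_DanidEnvIntegration' = @{ CN = 'TRUST2408 Systemtest IX Primary CA' }
    'OcesII_DanidEnvPreprod'     = @{ CN = 'TRUST2408 Systemtest VII Primary CA' }
    'OcesII_DanidEnvProd'        = @{ CN = 'TRUST2408 OCES Primary CA' }
    'OcesIII_DanidEnvTest'       = @{ C = 'DK'; O = 'Den Danske Stat'; OU = 'Test - cti'; CN = 'Den Danske Stat OCES rod-CA' }
    'OcesIII_DanidEnvProd'       = @{ C = 'DK'; O = 'Den Danske Stat'; OU = $null;        CN = 'Den Danske Stat OCES rod-CA' }
}

function ConvertTo-RdnTable {
    param([Parameter(Mandatory)][X500DistinguishedName]$Name)
    # Format($true) emits one "TYPE=value" per line, which is safer to compare
    # than the flat Subject string whose attribute order varies.
    $table = @{}
    foreach ($line in ($Name.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $table[$Matches[1]] = $Matches[2] }
    }
    return $table
}

function Test-RootMatches {
    param([hashtable]$RootRdn, [hashtable]$Expected)
    foreach ($attr in $Expected.Keys) {
        if ($null -eq $Expected[$attr]) {
            if ($RootRdn.ContainsKey($attr)) { return $false }   # attribute must be absent
        } elseif ($RootRdn[$attr] -ne $Expected[$attr]) {
            return $false
        }
    }
    return $true
}

function Get-OcesEnvironment {
    param(
        [Parameter(Mandatory)][string]$CertificatePath,
        [string[]]$ExtraCertificatePaths = @()   # intermediates/roots not in the machine store
    )
    $cert  = [X509Certificate2]::new($CertificatePath)
    $chain = [X509Chain]::new()
    # Only the issuing root is checked here; revocation is checked by Identify itself.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    # Let the chain build even when the OCES root is not trusted on this machine,
    # so the root subject can still be read.
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    foreach ($p in $ExtraCertificatePaths) {
        [void]$chain.ChainPolicy.ExtraStore.Add([X509Certificate2]::new($p))
    }
    [void]$chain.Build($cert)
    if ($chain.ChainElements.Count -eq 0) { throw "Could not build a chain for $CertificatePath" }

    # Last element is the self-signed root, or the highest issuer found if the chain is partial
    # (in which case no environment will match, which is the right answer).
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootRdn = ConvertTo-RdnTable -Name $root.SubjectName
    foreach ($env in $ExpectedRoots.Keys) {
        if (Test-RootMatches -RootRdn $rootRdn -Expected $ExpectedRoots[$env]) {
            return [pscustomobject]@{ Environment = $env; RootSubject = $root.Subject; RootThumbprint = $root.Thumbprint }
        }
    }
    # Unknown root: Identify would reject this certificate under every OCES environment setting.
    return [pscustomobject]@{ Environment = $null; RootSubject = $root.Subject; RootThumbprint = $root.Thumbprint }
}

# Usage (file paths are assumptions):
# Get-OcesEnvironment -CertificatePath 'C:\certs\client.cer' -ExtraCertificatePaths 'C:\certs\oces3-test-root.cer'
```

Run it against a client certificate before changing the environment setting: if Environment comes back empty, the certificate chains to a root that none of the six settings accepts, and the error you would otherwise see at token-request time is explained up front.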

Disable the OCES2 certificate revocation check after OCES2 support is shut down

Support for OCES2 certificates ends, and all systems that use OCES2 certificates must have migrated to OCES3 by May 30, 2023. However, some systems may still be using OCES2 certificates and have not yet migrated to OCES3.

A new switch has been added to the web.config files of the Identify instance (both Admin and Runtime) that turns off revocation checks for OCES2 certificates:

    <add key="TurnOffOCES2RevocationCheck" value="false"/>

When TurnOffOCES2RevocationCheck is set to true, no revocation check is performed on OCES2 certificates, so a revoked OCES2 certificate can still be used to request tokens. Treat the switch as a temporary migration aid and leave it at false on any instance that no longer needs OCES2 certificates.

The switch does not affect OCES3 revocation checks, which continue to run as usual.
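Because a forgotten true value silently accepts revoked OCES2 certificates, it is worth auditing both web.config files. The script below is an added example, not Safewhere's code: it reads the appSettings of each file, reports whether the key is present and what it is set to, and warns where the check is disabled. The installation paths are assumptions, and treating an absent key as "check still on" is an assumption too (the release notes only show the key shipped as false).

```powershell
# Added example, not Safewhere's code: audit Identify Admin and Runtime web.config files
# for TurnOffOCES2RevocationCheck. Paths are assumptions; adjust to your installation.
function Get-Oces2RevocationSwitch {
    param([Parameter(Mandatory)][string[]]$WebConfigPath)
    foreach ($path in $WebConfigPath) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Present = $false; Value = $null; RevocationCheckDisabled = $false; Note = 'file not found' }
            continue
        }
        [xml]$config = Get-Content -LiteralPath $path -Raw
        $node  = $config.SelectSingleNode("/configuration/appSettings/add[@key='TurnOffOCES2RevocationCheck']")
        $value = if ($node) { $node.GetAttribute('value') } else { $null }
        # Only the literal "true" disables the check. An absent key is treated as
        # "not disabled" here; that is an assumption of this audit script.
        $disabled = ($null -ne $value) -and ($value.Trim() -ieq 'true')
        [pscustomobject]@{
            Path                    = $path
            Present                 = [bool]$node
            Value                   = $value
            RevocationCheckDisabled = $disabled
            Note                    = if ($disabled) { 'revoked OCES2 certificates will be accepted' } else { '' }
        }
    }
}

# Usage with assumed Admin and Runtime locations:
$paths = 'C:\inetpub\wwwroot\identify\admin\web.config',
         'C:\inetpub\wwwroot\identify\runtime\web.config'
$results = Get-Oces2RevocationSwitch -WebConfigPath $paths
$results | Format-Table Path, Present, Value, RevocationCheckDisabled
$results | Where-Object RevocationCheckDisabled | ForEach-Object { Write-Warning "$($_.Path): $($_.Note)" }
```

The Admin and Runtime files are checked separately because the release notes say the switch lives in both; a value of true in one and false in the other is exactly the inconsistency this makes visible.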

When Safewhere Identify performs an environment check to verify its supported environments, it has to build an OCES certificate object, which triggers a download of the CA certificates. The OCES2 CA certificates have not been available for download since Q4 2023, so the "Unable to connect to the remote server" message is logged for the OCES2 certificate status validation even when TurnOffOCES2RevocationCheck is set to true.

    Workaround

Because this issue concerns a deprecated OCES version (OCES2), no code change will be made. Instead, apply the following workaround to avoid the error:

    • Enable the "Certificate validation full offline mode enabled" setting.
    • Download the compressed file containing the OCES2 CA certificates.
    • Uncompress it and move the CA certificates it contains into the "CRL folder" directory.

With full offline mode on, Identify reads the CA certificates from that folder instead of attempting the download that fails.

[Screenshot: settings-oces2-offline]

    Bug fixes

    • Fixed: #100030 [CLI] Tenant replication - Users were forced to import the certificate into LocalMachine\TrustedPeople when replicating a tenant using a signing certificate from the Windows certificate store.
    • Fixed: #98089 [Databasevalidator] A certificate issued by a self-signed CA was treated as valid during certificate validation.
    • Fixed: #91978 [STS][Databasevalidator] "Object reference not set to an instance of an object" was returned when Identify used certificate database validation for the revocation check and the client certificate did not exist in the data store.