Release Notes¶
AuthControl Sentry 4.2.3 (6939)¶
Overview¶
This release includes several bug fixes and enhancements to improve the functionality and stability of AuthControl Sentry. Below, you will find details about the resolved issues and improvements in this version.
Bug Fixes¶
SMTP Changes Apply Without Tomcat Restart (Bug)¶
- Description: In the previous version, SMTP configuration changes did not take effect until Tomcat was restarted. This issue has been resolved, and SMTP changes now apply immediately without requiring a Tomcat restart.
- Resolution: The software now dynamically applies SMTP configuration changes.
Date Filters in Log Viewer (Bug)¶
- Description: Date filters in the log viewer were not functioning as expected. This issue has been fixed, and date filters now accurately filter log entries.
- Resolution: Date filters in the log viewer have been corrected.
SMTP Logging Issue (Bug)¶
- Description: SMTP logging was not functioning correctly, leading to a lack of log records. This issue has been addressed, and SMTP logging now works as intended.
- Resolution: SMTP logging has been fixed to record all relevant events.
Disabling XML Logging (Bug)¶
- Description: Disabling XML logging also disabled other log types, which was not the intended behavior. This issue has been rectified, and disabling XML logging now affects only XML logs.
- Resolution: XML logging can now be disabled without affecting other log types.
PINless Users in ACD with PINless TURing (Bug)¶
- Description: PINless users were able to log into ACD with PINless TURing, which was not intended. This security concern has been addressed, and PINless users can no longer access ACD without proper authentication.
- Resolution: Security measures have been implemented to prevent unauthorized access.
Append PIN to OATH Fails in RADIUS (Bug)¶
- Description: The process of appending a PIN to OATH tokens in RADIUS was failing. This issue has been resolved, and the PIN append functionality now works correctly.
- Resolution: PIN appending to OATH tokens in RADIUS is functioning as expected.
Circular Definition in XSL (Bug)¶
- Description: A circular definition issue in XSL has been identified and fixed. XSL definitions no longer result in circular references.
- Resolution: Circular definitions in XSL have been eliminated.
ConcurrentModificationException in ActiveMQManager (Bug)¶
- Description: An issue causing ConcurrentModificationException in ActiveMQManager when accessing statistics for all transport queues has been addressed. The software now handles concurrent access without errors.
- Resolution: ConcurrentModificationException in ActiveMQManager has been resolved.
ActiveMQ Failure - “Timer Already Cancelled” (Bug)¶
- Description: An issue related to “Timer already cancelled” failures in ActiveMQ has been fixed. These errors no longer occur.
- Resolution: The “Timer already cancelled” issue in ActiveMQ has been resolved.
Configuration Sync Group Names Display (Bug)¶
- Description: Configuration sync group names were not displayed in the Status page, making it challenging to track configuration changes. This issue has been resolved, and sync group names are now visible.
- Resolution: Configuration sync group names are now shown on the Status page.
SMTP to SMSGateway Start TLS (Bug)¶
- Description: The SMTP to SMSGateway transport did not allow the use of Start TLS for secure communication. This limitation has been removed, and Start TLS is now supported.
- Resolution: Start TLS is now available for SMTP to SMSGateway transport.
Reprovision OATH Token in Mobile App (Bug)¶
- Description: Users encountered difficulties when attempting to reprovision OATH tokens in the mobile app. This issue has been fixed, and token reprovisioning is now seamless.
- Resolution: Reprovisioning OATH tokens in the mobile app is functioning correctly.
Assigning Tokens to Users with \ in Their Names (Bug)¶
- Description: Assigning tokens to users with backslashes \ in their names resulted in errors. This issue has been resolved, and tokens can now be assigned to users with special characters in their names.
- Resolution: Token assignment now supports users with special characters in their names.
OATH Tokens Page for Helpdesk Users (Bug)¶
- Description: Helpdesk users were unable to access the OATH tokens page. This issue has been addressed, and the OATH tokens page is now accessible to helpdesk users.
- Resolution: Helpdesk users can now view the OATH tokens page.
Conclusion¶
We believe that these bug fixes and improvements will enhance your experience with AuthControl Sentry. Please feel free to reach out to our support team if you have any questions or need further assistance.
Thank you for your continued trust in our software.
AuthControl Sentry 4.2.2 (6854)¶
Released: June 2023
New Features
- Log4j Update
- The update of log4j to version 2.19.0 in this release is an important and necessary step in ensuring the security and stability of our software. With the recent discovery of vulnerabilities in log4j version 2, it is imperative to take measures and mitigate any potential risks. Updating log4j is not only a matter of addressing security concerns but also to ensure that the software remains up-to-date and compatible with other systems or dependencies. In addition, the update done stores logs directly in a database, making the stand-alone logviewer obsolete, and making log searching much faster.
- Spring Framework Update
- This release features an important update to the Spring Framework, which addresses vulnerabilities present in previous versions. The Spring Framework is a widely-used Java-based framework that provides developers with an extensive set of tools and features for building enterprise-grade applications. This update ensures that the software remains secure and stable, providing customers with greater peace of mind. By mitigating these vulnerabilities, the update protects the application and ensures the integrity of customer systems. The update also ensures that the software remains compatible with other systems and technologies, providing a seamless experience for customers. Overall, this update to the Spring Framework represents a significant step in the commitment to providing secure and reliable software solutions.
- New transport integration with SaudiAlert
- This release features an exciting new integration with Saudialert, a leading cloud-based SMS gateway provider based in Saudi Arabia. This integration enables Middle East customers to leverage Saudialert’s reliable SMS infrastructure directly from the software, allowing them to send SMS alerts and notifications with ease. This integration also offers greater flexibility and customization options for customers in the Middle East, allowing them to tailor their SMS messages to specific regions and languages. Overall, the integration with Saudialert SMS gateway provider provides a powerful and efficient SMS solution for Middle East customers to enhance their communication efforts.
- New Reports Available
- This release includes the addition of new reports in Sentry, following several customer requests. These reports provide customers with valuable insights and analytics on their data, allowing them to make more informed decisions. The new reports cover a range of topics and have been designed to be user-friendly and intuitive. Customers can customize and filter the reports to meet their specific needs, and can easily export the data for further analysis. This new feature is a valuable addition to the application and demonstrates the commitment to meeting customer needs and providing a superior user experience.
- Appliance Identification
- This release includes an important new feature for customers using the high-availability architecture of the product. The feature enhances the ability to identify whether writing to a shared database is being done by the primary or standby appliance. This is accomplished through the identification of the appliance in logs whenever a write occurs. In addition, the feature includes the ability to set different default configurations for scheduled jobs where required. This provides customers with greater visibility and control over their high-availability architecture, enabling them to monitor and manage the appliances more effectively.
Improvements
- Enhanced Authentication Error Messages
- This release includes an important improvement to authentication error messages. Authentication errors are now more explicit and informative, providing administrators with a clearer understanding of the reason for the failed authentication. This feature provides system administrators with greater visibility into the cause of authentication failures, enabling them to more effectively manage user accounts and ensure the security of the system.
- Enhanced SCPinPad parameter handling
- This release includes an enhancement in the SCPinPad API’s parameter handling. The padno parameter, which was originally intended to distinguish between multiple requests for the same username, has been updated to support a new behavior. These updates will provide improved flexibility and usability for integrations using the SCPinPad API.
Bug Fixes
- User Exist API fix
- The User Existence API has been fixed to address an issue where it would check all user attributes, leading to inconsistencies or false positives. With this update, the API will only check for the username or altusername attribute, ensuring accurate results and reducing the potential for errors. It will also check any attributes defined as alternative usernames for the Agent making the request. This fix improves the reliability and accuracy of the User Existence API.
- API Improved Error Response
- This issue was related to an API that previously would not provide a clear and descriptive error response when the request structure was incorrect. Instead, logs would print a Java error due to the lack of XML content in the response. With the bug fix, the API now provides an XML response that is more user-friendly and that indicates the reason for the error, making it easier to diagnose and address any issues.
- Database Pooled Connection Error
- This bug fix addresses an issue where the application logs were throwing an error due to a null pointer exception caused by a missing object in a specific scenario. The fix corrects the code to properly handle the missing object and prevent the error message.
- Fixed User Sync Crashing due to license limit
- Previous Sentry versions would crash the user sync service when the user license limit was reached. However, this issue has been resolved in the current version, and the user sync service will no longer crash when the user license limit is reached.
- Append PIN option not copied to TOTP on upgrade
- In the previous version, the Append PIN option for OATH policies was only copied to HOTP on upgrade and not to TOTP. This led to inconsistencies in policy settings and configuration issues. With the latest bug fix this is properly copied to both HOTP and TOTP during upgrades, ensuring consistent policy settings for both types of OATH policies.
- Fixed incorrect message sent to user upon undelete or un-disable
- In previous versions, when a user was undeleted or un-disabled, an incorrect message stating that the user was “unlocked” was sent. This has now been fixed, and the proper message is now sent to the user. This ensures that users receive accurate and appropriate messages, improving the overall user experience.
- Fixed issue with OATH and MobileApp
- Previously, if a user with an OATH token entered a mobile app code, the OATH would fail and the logic would assume that the mobile app code was not applied. This issue has been fixed, and users with OATH tokens can now enter mobile app codes without any issues.
- Issues after switching from Shipping Database
- A fix has been implemented for an issue related to switching from shipping database mode. The issue was caused by new flags in the database which required a tomcat restart. The issue has now been resolved and switch from shipping database mode will not cause previous issue.
- API locked policy
- In Sentry last version, AdminAPI status flags had changes and “locked” attribute was no longer valid. Instead, the attribute “lockedByAdmin” should be used. For backward compatibility, both attributes will be accepted.
AuthControl Sentry 4.2.1 (6751)¶
Released: January 2023
New Features
- OATH code visibiity (past, present and future) in User strings
- Administrators can have a pick in the past OTCs and futures OTCs. This feature is helpful to fully understand the policies applied to OATH and possible issues that could be resolved with policies.
- Customization and logs insertion for new modules and features in Sentry logs
- New availability to add logs to Sentry; tailor made solutions will have even more information added to the logs
- Addition of dedicated policies for TOTP and HOTP token
- New customization for specific types of token configured. Dedicated policies helps administrators to setup and define configuratio of token types
- MDM available in AuthControl Sentry to control AuthControl Desktop in domained workstations
- Similar to user synchronisation, this new module allows Sentry to sync computers in domain to remotely install AuthControl Desktop, manage availability of MFA on workstations, enable and disable agent remotely along with a dedicated Dashboard related to workstations authentication activities
- Tomcat update to version 9.0.68
- Upgrading to version Sentry 4.2.1 updates Tomcat to version 9.0.68 which have important security updates. Please refer to release notes of Tomcat 9.0.68
- PIN expiry management
- Ancillary application to help on PIN expiry-renewal process using Sentry APIs 2.2
Bug Fixes
- Last OTP sessions synchronisation fix
- Correction to SyncXML so that Last OTP replicates on standby appliance
- User lock flag adjustments
- Fix on previous update which marks deleted users as locked instead of deleted
- Appliances with zipped logs boot fix
- Fixed issue that happened in some cases starting the appliance when there are too many zipped log
- OATH authentication fix for users with PINless policy
- Issue fixed for users using PINless and OATH privileges
- Database upgrade fixes (NAME_ID_FORMAT)
- Database upgrade script in some cases would not add the required column which is now fixed in this version
- Fail logins message adjustments
- Messages adjustments to properly identify the reason why authentication has failed
- Mobile app policies initialisation fixes
- Duplicated entries in Mobile App policies fix
- Fix for password field not displayed for admin login after logout
- Password field was not coming to display after admin logout the web application
- Fix logs with LOCK_USER messages
- Fixed logs being filled with unnecessary information of LOCK_USER
- Fix for Helpdesk policy on users creation
- Helpdesk policy fix to allow helpdesk user to create users
- New dispatcher-servlet.xml to fix deployment of appliance web apps
- File update to fix some cases that SSO Portal would not start properly
- Fix characters display of appliance web apps
- Special characters adjustments
- Session start fix to point to imageserver
- Fix for session start that was pointing to pinsafe server instead of image server
- Account unlocked audit message uses wrong subject fix
- Mailing fix to set subject properly for accounts unlocked
- Refactoring of libraries
- Duplicated libraries and old version libraries refactor
AuthControl Sentry 4.2.0 (6612)¶
Released: 1st June 2022
Sentry Core:
- Push notification authentication can now be configured using reverse proxy
- Database migration process from older appliances is improved
- Database migration process from older MSSQL databases is improved
- Login sessions now sync via database
- IP addresses reserved for user VPN account can be sent via RADIUS and retrieved from AD
- Reporting now includes source IP and authentication method used by the user
- Group display order is now consistent across all screens
- Policy for account lockout time
- AD password management in User Portal
- Account ‘claim code’ feature for users with no email or telephone in repository
- Self management: users can now change their PIN with account locked
- Self management: users can now unlock the account with Reset PIN or Change PIN option
AuthControl Single Sing-On Portal:
- Local applications can be defined in SSO portal with new PAM method / user known credential storage
- Local applications can be defined in SSO portal with new P2AM method / user will never know credentials
- Web applications supporting OAUTH2 can be integrated in SSO portal
- Web applications supporting OpenID can be integrated in SSO portal
Bug Fixes:
- Log4J updated to 2.17.1 and necessary maintenance undertaken to make this compatible
- Name ID format now available in SAML SSO integrations
- PINless policy and PINpad implementation caused duplicated digits to be displayed, now handled
- Handling of special non UTF-8 digits in passwords to avoid invalid characters logging
- Reset password option was ignored unless policy indicated that password is required. Fixed option by resetting password irrespective of whether password required policy is set / not set.
- User groups with . character in the name were not being assigned to repository on first sync
- Connectivity loss during User Sync now results in aborted sync
- Latest ActiveMQ libraries updated to fix vulnerabilities
- App provision issues for usernames containing spaces rectified by URL decode fix
- Fixed reported behaviour conflict of timed lock-out policy with other policies
Recommendation:
- Any reports that reference the policy flags table, PINSAFEC, will not work with Sentry version 4.2 or later, and must reference the new status flags table, PINSAFES.
AuthControl Sentry 4.1.3 (6442)¶
Released: 1st October 2021
Sentry Core:
- Active Directory Agent for multiple endpoints
- Support for authentication with multiple repository servers
- PINpad and PICpad added to Sentry login page
- Security improvements : Tomcat 9.0.48
- Improved Push notification with Firebase for Mobile applications.
- Random password generation for selected repositories
- Improved transport for HTTP GET and SOAP
- Syslog improvement for remote server logging
- Offline strings remaining count for WCP
- Addition of Purge users options as a scheduled service
- Voice transport and Push transport view in User Administration
- Improvements to SMS transport
- User history with authentication method information
- Improvements on welcome page in User Portal
- Push notification with Biometrics, Confirmation or a combination of both
- RADIUS Push notification improvement
- SMTP service unified for SSL and TLS protocols
- Upgrade of the security in provision codes
AuthControl Mobile Applications:
- Improved Push notification with Biometrics option
- Security Compliance improvement for different devices using AndroidOS
- Push platform upgrade
- Bug Fixes
AuthControl Sentry 4.1.2 (6358)¶
Released: 7th April 2021
Sentry Core:
- RADIUS NAS entries can now specify a range of IP addresses, using CIDR notation.
- It is possible to specify how many re-uses of an OATH OTP are allowed. Our latest release 4.1.1, removed re-use altogether, but this causes problems where the OTP is specified correctly but authentication fails for other reasons.
- An error is shown on the User Administration page when attempting to reprovision a user that has an OATH token allocated. It is not permitted to have both an OATH token and an OATHbased mobile app, but previously this error was logged silently and reprovision appeared to have failed.
- A bug has been fixed whereby transports were not shown in the user administration in certain circumstances.
- The API call to initiate user sync has now been fixed.
- More improvements to session replication
- Password checking for Simple LDAP repository has been fixed.
- An option has been added to generate a random password for new users per repository.
- The RADIUS server is no longer restarted when certain irrelevant configuration changes are made.
- Sending security strings by email has been fixed.
- Line breaks in the FoxBox transport have been fixed.
- Timeout options have been added to more transports that previously would hang indefinitely.
- Support has been added for Push feature in future mobile apps, and it has been made easier to update these for future support.
- Support has been added for future versions of the mobile app that allow multiple accounts.
User Portal:
- Added Japanese translation.
- Improved support for internationalisation.
- Fixed security hole that allowed users access to user portal without authentication in some circumstances.
AuthControl Sentry 4.1.1 (5560)¶
Released: 1th March 2021
Sentry Core:
- Improved Session Synchronisation Algorithm
- The ability to synchronise sessions with more than 1 other appliance
- Improved the usability of the automatic deprovision
- Security improvements : Tomcat build is now 9.0.37.
- Prevent OATH token OTPs being used more than once
- New helpdesk policy to disable editing user policy
- User Portal: Add description panel to PIN change
- User Portal: Disable mobile provisioning or show message if user not permitted
- Increment lock count if password is incorrect.
- Removed restriction on number of groups / attributes.
- Changes to the way “Check Password with Repository” works on RADIUS and Agents.
AuthControl Mobile:
- Increase the usability of apps.
- Optimize the mobile apps functionality and its relation with the high latency scenarios.
- Stability improvement.
- Resource Usage improvement
- Bug Fixes.
- Provisioning and deprovision flow review and improvement
Security improvements:
- Upgrade the security appliance with new OS.
- Upgrade the Java Version.
- Upgrade the DataBase engine.
- Encrypted management and structure with cloud
- On rest data also encrypted.
- Triple handshake in the Java Version.
- Enviroment upgrade with new appliance.
- Vulnerabilities removed due to analysis in:
- Improve the security in the admin remote Access.
- Delete the support on “not compliance or unsecure ” algoritms.
- Mitigation of SSH vulnerabilities.
AuthControl Sentry 4.1.0 (6095)¶
Released: 4th March 2020
Bug fixes:
- RADIUS repository password check was not working since build 6062. Now fixed.
- Whole CSV import failed if one user failed to import. Now logs single user failure but continues.
Security improvements:
- Tomcat 9.0.31
AuthControl Sentry 4.1.0 (6082)¶
Released: 23rd January 2020
Bug fixes:
- NAS identification fix in previous release was incomplete. Now fixed.
- PIN expiry no longer uses timed lockout: users are locked on PIN expiry until released by helpdesk.
Security improvements:
- Tomcat 9.0.30
AuthControl Sentry 4.1.0 (6074)¶
Released: 15th January 2020
Bug fixes:
- RADIUS NAS identification now checks both IP address and NAS Identifier
- Deleting repository groups or attributes no longer causes errors
AuthControl Sentry 4.1.0 (6062)¶
Released: 19th December 2019
New Features:
- Multi NAS RADIUS capability
- RADIUS VIP for HA environments
- Push and NEXMO-VOIP on the same core is now supported
- Disk Space Check before config operation
Bug fixes:
- Non ASCII characters on HTML messages (Japanese, Chinese, Arabic, Cyrilic)
- PIN change not requiring upper/lower case matching on userportal (now coherent with the core authentication)
- User Portal Confirmation code is now supported on non persistent sync (appliance sync)
- Auto reconnect on Repository Sync Job connection drop
Security improvements:
- Tomcat 9.0.29
- Customized error pages (information disclosure control)
AuthControl Sentry 4.1.0 (5995)¶
Released: 9th August 2019
Bug fixes:
- Fixed Android push error
- Fixed Provisioning URL in SMTP transport
AuthControl Sentry 4.1.0 (5974)¶
Released: 5th August 2019
NOTE: from version 4.1, the appliance database service is required for the user portal as well as Sentry SSO. If you are not using Sentry SSO and are using an external database for the Sentry Core, you will need to ensure that the appliance database service is running BEFORE updating.
AuthControl Sentry 4.0.5 (5560)¶
Released: 19th September 2018
Maintenance update:
- Renewed Apple push certificates
AuthControl Sentry 4.0.5 (5535)¶
Released: 29th August 2018
Bug Fixes:
- Fixed error using MSSQL Server and Oracle Databases regarding Attribute column size being to large
AuthControl Sentry 4.0.5¶
Released: 27th July 2018
Version 4.0.5 introduces new features and fixes others
New Features:
Windows Credential Provider (requires WCP v5.4.2.1):
- Biometric Fingerprint for Windows Credential Provider - Now WCP can enrol fingerprint and can identify users and be used to authenticate as 2FA. (Requires: Nitgen biometric reader or Windows 10 biometric authentication with integrated fingerprint reader)
- Windows Credential Provider is configurable as 2FA with Risk Based Authentication.
Sentry Core:
- Generate random pin for Helpdesk in user management
- Mobile app settings were removed and are no longer used: “Allow user to choose how to extract OTC”, “Provision is numeric”, “VPN URL Scheme”
- Provision code will always be numeric
- New transport: ReachData SMS Transport, MEO SMS Gateway Transport, Rand and Rave (Rapide) SMS Transport
- Possibility to limit SC and DC String Requests by time, if many requests are done in a period of time, access will be denied
- Added Fingerprint remove option (User Management -> View -> Attributes)
- Added new vendor radius Sophos
- Improved HTTP requests with HSTS, CSRF and XSS security handling
- Tomcat 9.0.10 support
- Added Trademark Registration
- Added possibility to view current OATH token to User Administration (within View Strings)
User Portal changes:
- Login with Confirmation code to increased security. Needs to be enabled in .swivel/user-portal/settings.properties with “showconfirmationcode=true”
- Confirmation code blocked after too many attempts
- Change Pin now requires entering new pin twice and shows policy errors
Sentry SSO changes:
- Authentication before Applications list (configurable by admin)
- Now SSO can show Applications by user group
- Added logout button
- Password field is now configurable to show or not
- Windows Credential Provider integration (for RBA only)
- Azure AD Integration (without federation)
- Possibility to add custom SAML Attributes per application. For more details: https://kb.swivelsecure.com/w/index.php/Authcontrol_v4_Sentry_SSO_and_Adaptive_Authentication#Defining_Applications
- Added Trademark Registration
Bug Fixes / Enhancements to existing features:
- Fixed Session Sharing issues in HA
- User Portal: fixed visual issues in IE with compatibility mode, fixed issue with QR Code not working
- Fixed RADIUS with Push not working on some VPNs
- Fixed RADIUS change PIN not being able to change the length of the PIN
- Fixed Bulk Provisioning in Oracle database
- Fixed OATH tokens not being assigned on user sync from AD
- Fixed OATH tokens to remove existing allocations before assigning new token to user.
- Fixed Clickatell Transport not working due to API change
- Fixed PacketMedia Transport not working due to API change
- Fixed IPModem Transport crash if no response received from modem
AuthControl Sentry 4.0.4¶
Released: 27 March 2017
Version 4.0.4 introduces new features and fixes another
Note: A new licence key will be required to run the new features that have been rolled out in June 2016 To request a new licence key please go to https://supportdesk.swivelsecure.com and create a new ticket, quoting the name that your current licence is issued in.
New Features:
- Adaptive Authentication and Single Sign On: This is a means by which you can manage the way users access a range of on-premise and cloud applications. Specifically, if and how they need to authenticate in order to gain access to those services. For more details: https://kb2.swivelsecure.com/index.php/Sentry_User_Guide.
- New Branding, colours and logos on the Swivel Core have changed.
- New Name: “pinsafe” is now “sentry”.The main effect on existing users is that the context path for web URLs is now “sentry”, rather than “pinsafe”. When integrating with existing products, you will need to change the context from the default. As integration products are updated, the default context will be changed to fit with the new naming.
- AuthControl Mobile App is the new naming of the mobile app
- This version allows the Swivel Mobile App to be configured as an OATH token
- Default SMTP templates for Credentials and App Provisioning have been added. A new option on the menu has been added to allow customers to replace or add new images to the templates
- Defined default configuration for single instances
- A new policy has been included on Policy > Password that allows to hide the Reset Password button from Admin Console
- Admin and Helpdesk users can invalidate a user session from User Admin, View Strings screen. The sessions that can be invalidate are the single and on-demand dual channel ones
- Log Viewer Standalone version that automatically imports the logs from Swivel Core and stores them on a database
Bug Fixes/ Enhancements to Existing Features:
- Deleting Agents no longer causes errors
- Sending Message for Alternative Username
- Deleting users with repository doesn’t delete them from the Swivel Core when the policy Delete Users with repository is set to NO
- Allow expired passwords set to NO doesn’t allow authentication
- Positive ID is not supported anymore and it has been removed from Messaging Screens
- Removed Manual App Provisioning action
Updated terminology:
- Transports is now called Messaging
- OneTouch is now called Push
- Mobile Client is now Mobile App.
- Quick Provision is now App Provision
For more details, see the [[:File:404ReleaseNotes.pdf|Release Notes]].
There was a beta release 4.0.3 and updating it to 4.0.4 enhances it
Swivel 3.11.5¶
Version 3.11.5 introduces 1 new feature and enhances/fixes another
NOTE: Swivel Secure software versions 3.x are not compatible with Java version 8.
Changes:
- Support for One Touch over RADIUS PAP
- Fix for SecureSMTPTransport and Support for Start TLS
For more details, see the [[:File:ReleasesNotesForVersion3.11.5.pdf|Release Notes]].
Swivel 3.11.4¶
Version 3.11.4 introduces 4 new features, and 2 bug fixes
New Features:
- RADIUS vendor class to support ACL on Cisco
- RADIUS vendor class for Dell SonicWall
- RADIUS vendor class to return a single group: primarily aimed at Juniper Pulse
- Bulk mobile client provision feature
Bug Fixes:
- The database upgrade code for Oracle database now works correctly
- The option to allow self-signed certificates for LDAPS on Active Directory and Simple LDAP now works.
For more details on the changes, please see the [[:File:ReleasesNotesForVersion3.11.4.pdf|release notes]]
Swivel 3.11.3¶
Version 3.11.3 is a bug-fix release for issues found in 3.11.2 and earlier versions
Network connections now closed promptly on error
It was found that, if network connections failed for whatever reason, the connections were not closed immediately, but were left to be closed by Tomcat automatically. As this could take some time, in a busy environment this could result in connections running out, or depending on the environment, running out of memory or database failures. This fix ensures that, if a connection fails for any reason, it is closed immediately.
SMTP authentication now works
Due to a typographical error, authentication to the SMTP server was never applied in versions 3.10.6 and 3.11.2. This has now been corrected.
SMTP connection pooling is now configurable
SMTP connection pooling was introduced in versions 3.10.6 and 3.11.2. Unfortunately, the default settings meant that connections in the pool could expire and so SMTP messages fail. In this version, 3 new options were added:
- Use Connection Pooling: this allows administrators to enable or disable connection pooling. However, disabling pooling could mean that some messages may fail if a large number of messages are sent in a short time.
- Connection Idle Timeout: this sets the length of time a connection remains valid after being used. The default is 30 seconds, but individual administrators may need to experiment, based on mail server settings.
- Max. No. Messages per Connection: this sets the maximum number of messages that will be sent by a single connection. The default is 10. The setting for this will depend on mail server settings.
Deleting Agents no longer causes errors
It was found that deleting several Agents could cause the Agents configuration screen to crash, although the Agents were deleted. Restarting Tomcat fixed this problem, but this is not convenient. This release fixes this problem.
Changes to RADIUS authentication for unknown users
- Now uses the correct username to pass to LDAP
The feature that allows users not in the Swivel database to authenticate through RADIUS using repository password only only worked if the username used to authenticate to the repository was the primary username for the repository. In other words, the attribute for authenticating unknown users, set in the NAS, was not used. There was a workaround: to create an Agent with exactly the same name as the NAS and set the attribute on that. However, when checking unknown users, RADIUS authentication now correctly checks the NAS username attribute, rather than the Agent attribute.
- Uses domain prefix to select repository
Previously, the ability to authenticate unknown users to the repository was restricted to one named repository. Now, if the username is entered in the form “domainusername”, Swivel will attempt to identify the repository from the domain prefix. It first checks against any domain prefix specified for the repository, and if there is no match, against the repository name. If the domain does not match, it is simply ignored, and the default repository is used.
Reset PIN without Resetting Password
The API call to reset PIN using a confirmation code now takes an additional option to specify whether or not the user’s Swivel password should also be reset. Previously, if the user had a Swivel password, it would always be reset along with the PIN. Now, it is possible to reset just the PIN. As this is an API call, it requires that client applications, such as the User Portal, should be updated to support this option.
Swivel 3.11.2¶
Version 3.11.2 supports both the previous and new licencing method. Customers on versions 3.10.5 or below do not need to update their licence immediately unless [[SentryUserGuide|Sentry]] is being added to the licence. Version 3.11.2 also includes the changes in 3.10.6.
Swivel 3.11¶
Version 3.11 requires a different licence key to previous versions, please ensure you obtain a 3.11 licence key before updating any production instances. However, 3.11.2 onwards supports both licences
This is a new full release, but because of the requirement for a new licence key upgrades will require you to contact Swivel prior to completing the upgrade.
New licence keys are free to customers with fully paid support.
NOTE: 3.11 is based on 3.10.5, and does not include any changes made in 3.10.6.
New Licence Model
- Install new licence key
- Any upgrades you purchase will be added to your Swivel installation without the need for you to install new licence key
- Swivel core needs to be able to contact Swivel Licence server to be updated
Mobile Client Local Mode
- Deploy client in local mode
- Client never needs to contact the Swivel Core Server
- Swivel Client generates its own security strings locally
Mobile Client Index
- Mobile client stays in sync if user accidentally enters an index greater than the one expected (and the authentication fails)
New Transports
- Nexmo SMS supported
- SMTP over TLS supported
Bug Fixes
- View Strings for Mobile client no works for non-dual channel users
- User admin screen speed issues for MS SQL installations resolved
- Timed lock-out issues remedied
- Session replication over TLS on V3 Appliances fixed
Swivel 3.10.6 (3476)¶
Released 4th February 2016
NOTE: version 3.10.6 is later than version 3.11, but does not include support for the new licence format.
- Fixed bug when attempting to log on with no security string
Swivel 3.10.6 (3395)¶
Released: 13th January 2016
- Fixed count limit when syncing ADAM repository
- Fixed speed issue viewing User Administration page
- Removed Repository view from Editable repositories, because of speed issues
- Automatic single-user sync in Editable repositories
- Refactored User Sync Job to improve speed
Swivel 3.10.5 (3030)¶
Released: 12th October 2015
Oath Tokens
- The dates on which tokens are imported and allocated to users are now recorded
- Reporting options now available for tokens
- Tokens can now be allocated using Active Directory attributes
- Helpdesk users can be permitted to administer tokens
User Administration
- There is a new Repository view in the User List page
- User edit for helpdesk users fixed
Custom Attributes * The domain qualifier can be added to any attribute, not just the username * Option not to synchronise attributes with repository now works correctly
General * Optionally, a new dual-channel string will not be sent if the user already has a valid string * Optionally, repository password will still validate even if the user’s password has expired * Special security string image for sight-impaired users * Account locked message will now only be sent once each time a user is locked * Enhancements to Modem transport, including flash support * Clickatell transport now supports flash SMS
Bug Fixes * Fixed problem where HTML messages could break the configuration * RADIUS NAS entries now correctly support alternative attributes * Date format for report parameters now respects the global date format
Swivel 3.10.4 (2701)¶
Released: 18th June 2015
- OneTouch Out of band Mobile APP and OneTouch Voice Authentication
- Provision Mobile Client using a QR Code Provision
- User Attributes
- Swivel Remote Sync Client
- Mobile Client fingerprinting options
- Helpdesk API token allocation
- API token allocation
- Restore original license if new license fails to install
- MSCHAP RADIUS fix
- XML Repository username with a ‘_’ purge fix
- User Administration Search fixes
- Username containing ‘’ fix for domainusername
- SQL DB Attribute field database fix
- RADIUS fix secret when existing NAS is deleted
- Deleting multiple items from a list no longer causes crashes
- Add Prefix for Telephone number bug fix
- Fix for user sync when users are not marked as deleted
- Fix for log viewer issues
Swivel 3.10.3 (2014)¶
Released: 29th October 2014
- Send Dual Channel string - failed authentication sends out a new string fix.
- One Touch iPhone Client.
- Mobile Clients - Remaining Keys badge indicating the number of keys or security strings stored.
- Two-stage RADIUS with no password.
- Third Party Authentication.
- Synchronised Mobile Client could not retrieve strings via the Appliance proxy - Fixed.
- Using MSCHAP, tokens could lose sync and not regain sync - Fixed.
Swivel 3.10.2 (1950)¶
Released: 12th September 2014
- Users can be Pinned for Single Channel (TURing, PINpad) and Pinless for dual channel (SMS, Mobile Phone Client)
- Alpanumeric strings can be used for TURing, SMS and Mobile Phone Apps and still allow the numeric PINpad to still function
- OATH OCRA Token API support
- Test Sync button
- Auto Provision Mobile alert on user creation option
- Mobile Client Policy to show/hide policies on the Mobile Phone Client
- Mobile Client Policy to allow Mobile Phone Client to show synchronisation status and keep existing security strings if the server is not reachable
- Provision code for Mobile Phone Client on account creation policy
- Accounts Marked as deleted cannot become locked
- OATH works now with MSCHAP
- Helpdesk Groups can optionally be administered by Helpdesk users
- PINpad now logs one session start instead of ten
- Helpdesk Admin Pin reset message corrected
- MIGRATE issues from Internal to Oracle, MySQL, MSSQL resolved
- MySQL user creation initial imported credential issue resolved
- Group Membership rule added to SAML integration (Authentication Manager)
Patched release (build 1950 - Sep 25, 2014): * Fix for non-sending of security strings
Swivel 3.10.1 (1701)¶
Release (limited availability): 29th July 2014
- OATH TOTP Token support
- Agent XML Extended User Attribute support
- Phone number prefix remove/replace fix
- Non ASCII characters for XML repository fix
- You are now able to purge token users
- Sync job deleting users fix
- Helpdesk users can manage other helpdesk users
Related Updates
- Swivel Remote Sync Client (SRSC)
- User Portal transient data storage deployment
- USAM IDP X509 certificate verification
Swivel 3.10 build 1947¶
Bug fix patch
Swivel 3.10 build 1703¶
Released: 9th June 2014
- Mobile App One Click Provisioning and in API
- Mobile App new unified Wizard interface
- Mobile App Blackberry 10 support
- Mobile App enhanced iPad support
- Mobile App ‘,’ removed in need for authentication
- Enhanced SAML - Untrusted IP source users are prompted for Swivel authentication, trusted users can use just Username and Password
- User Administration Quick Provision, sends out a URL to configure and provision the mobile in one click
- User Administration Manual Provision, send the user a SiteID and Provision code to manually provision the mobile
- Configuration replication shared secret added
- Voice Transport added
- Reports by Email
- Appliance Synchronisation shared secret fix
- Synchronisation Administration shared secret added
- Inbound Servlet issues fixed
- User Attributes index fix
- PINpad display issues fixed
- Log Viewer screen sizing issue fixed
- HTML embedding displays security strings correctly
- Token Migration from MySQL fixed
- RADIUS proxy for alternative usernames using User Exists fixed
- TokenIndexImage and TokenIndex now accessible through the appliance proxy
- LDAP path names may now include ‘#’
- Session replication errors fixed
- Agent-XML bug fix
Patched release (build 1947 - Sep 25, 2014): * Fix for non-sending of security strings
Helpdesk Rights Update Patch for Version 3.10 (build 1747)¶
This patch updates version 3.10 with enhanced helpdesk rights management. See the notes on the helpdesk rights patch for version 3.9.6 below for more information.
Swivel 3.9.7 (1300)¶
Released: 12 March 2014
- Configuration Replication, see Administration Synchronisation
- Admin API support for multiple user Attributes
- RADIUS debug log writes to standard log
- RADIUS LEAP new security string fix
- RADIUS calling station ID returns the client IP address where supported
- RADIUS challenge may optionally return username:
- RADIUS 2-stage automated subsequent authentication for correct password and internal IP
- Provision URL
- New User security string bug fix
- Copy strings to alert fix
- LDAP Browser now detects correct Base DN for AD Global Catalog
- Helpdesk Group Rights retained on upgrade
- Repository ID fix for User Sync job
- Error checking on Token seed entry added
- iOS Client Policy fix
- Base DN Global Catalog browser fix
- Improved handling of invalid OATH seeds
- Fix for RADIUS with LDAP passwords containing special characters
Swivel 3.9.6 (1046)¶
Released: 1st October 2013
- Transport changes take immediate effect without need for User Sync
- Support for OATH HOTP Tokens
- Management for OATH Token in Administration console
- Redirect filter for Admin login when not allowed
- Configurable Site ID (SSD) For mobile client settings
- Ability to send Site ID by transport
- Users marked with a * have been edited but not had a user sync
- New SMS Transports
- RADIUS Two stage Authentication, optionally do not send string after first stage
- RADIUS Two stage Authentication, allow unknown users to authenticate using only repository password
- RADIUS Two stage Authentication, allow different challenges to be sent after the first stage based on group membership
- LDAP Sync enhancement
- Resend credentials if destination changes, option removed
- Transport Attribute support using %{attr_name} Where attr_name is the name of the attribute, see Transport Configuration
NOTE: this build fixes the following issues found in the original release of 3.9.6 (build 896)
- Some User Administration functions would not work for usernames containing underscores and other special characters (fixed in build 927)
- Swivel would attempt to send messages even if no transport destination had been set (fixed in build 927)
- A slow memory leak was discovered if user syncs were scheduled too close together (fixed in build 927)
- Initial dual channel security strings were not sent out upon user creation (fixed in build 1046)
Helpdesk Rights Patch for Version 3.9.6 (build 1777)¶
Recent changes have given more control over which helpdesk users can manage which other users. However, in doing this, we removed the ability for helpdesk users to manage other helpdesk accounts. A number of customers have objected to this restriction, so version 3.10.1 made it possible to re-enable this feature. This patch is provided for 3.9.6, for customers who prefer not to upgrade. Note that this patch should only be applied to an appliance that already has version 3.9.6 installed. As it is an appliance patch, it must be applied using the method described in Patch Management.
Note that this update does not immediately re-enable the ability for helpdesk users to manage other helpdesk users. Rather, it allows administrators to decide whether or not this feature should be permitted. To change helpdesk rights in the Administration Console, go to ‘’Repository’’ -> ‘’Groups’’ and click the Group Rights button. See the documentation on that page for more information.
Swivel 3.9.5 (550)¶
Released: 20 May 2013
- Change PIN and Change Password independent
- Admin logout check for PINless user
- Appliance Session Replication (virtual or hardware)
- LDAP Based DN fix
- Helpdesk groups fix
- Group Membership display fix
- Policy PIN and OTC User Help updated
- DBRepository default attributes corrected
Swivel 3.9.4 (415)¶
Released: 15 March 2013
- SSD Server for simple deployment of mobile client settings though a site-id
- Smart Phone site-id code entry to retrieve settings from SSD server
- Automatic or Manual Extraction from PIN, defineable as an option for mobile clients
- Helpdesk users report
- New repository enhancements for helpdesk actions
- SMS Spam STOP option
- LDAP writeable bug fix
- User Attributes database Migration bug fix
- Reporting display bug fixes
- Administration console user administration attributes now visible for SQL databases
Swivel 3.9.3 (250)¶
Released: 14 Jan 2013
Maintenance Release
- Resolved issue with Groups and attributes causing error when editing them in Agents, RADIUS NAS and Transports
- Browsing LDAP group members with non-ASCII characters resolved.
- Resolved issue using a password for editable repositories which caused user sync to fail.
- Logging error due to context never set in AdminConsoleFilter resolved.
- Missing language strings for SMPP transport added
- Added Additional parameters required for SMPP transport
- Destination Attribute appearing twice on transports screen now only shows once
- Transports from Transport -> General can now be deleted
- Default user attributes email, phone, expanded to include username, alt-name (i.e. alternative username), family-name and given-name
- Additional transports
- PaloAlto RADIUS support. If a NAS has been configured to support PaloAlto vendor attributes when a VPN submits the correct credentials, the Swivel core now returns the name of the first group the user is a member of that contains the RADIUS group keyword. Now returns this data as the 5th value off a vendor specific attribute, vendor number 25461.
Swivel 3.9.2 (5052)¶
Released: 15 Oct 2012
- Monochrome or orange Single Channel images and backgrounds
- HTML preview for SMTP transports
- HTML case issues with SMTP resolved
- User search by different attributes such as surname
- Swivel natively supports PINpad for numerical security strings
- Insert personal names within any transport message using %{attrname}
- Admin API reports license entitlement
- Helpdesk API includes read functionality and allows requests from Agents that are not repository names
- Specify different transitory data locations for multiple instances
- Transitory data files missing from the 3.9.1 release now moved to external location
- Allow multiple authentication attempts supports security string index and standard security string delivery
- Multiple instances of Swivel with the ‘’SwivelHome’’ environment variable
- MIGRATE allows users to be Appended to an existing data store
Swivel 3.9.1 (4908)¶
Released: 30 July 2012
- Easier upgrades. Configuration files, data, xml repository, logs and reports are now stored externally to the Swivel application
- Importing of additional attributes from repository, such as multiple usernames For example, with Outlook Web Access, users can potentially log in using their usual username (sAMAccountName), their userPrincipalName (e.g. user@domain.local) or their email address.
- Status page shows number of queued messages
Swivel 3.9 (4900)¶
Released: 20 July 2012
Swivel 3.9 (4854)¶
Released 14 June 2012
- Telephony based authentication
- Report Scheduling
- Multiple writable repositories for OpenLDAP, ADAM and XML.
- Granular Helpdesk rights
- Improved LEAP support
- SSL support for SMTP
- Improved transports model
- Improved Federation (SAML 2.0) support
- Swivel logs changed to save logs by date rather than number of files
- Compressed log files
- Improved scheduler for sync jobs
- User can change repository
- Show next Mobile Token Index
- Import users from a CSV file
Swivel 3.8.2 (4691)¶
Released: 19 March 2012
- Several new transports
- Option to hide password field and auto-display TURing on admin login
- Fixes for SMTP transport: better HTML support, security strings working
- Domain suffix no longer added twice
- Bug fix: could not authenticate to Swivel for 10 minutes after mobile client provision.
- Bug fix for account unlocked message
- Bug fix: timed lockout didn’t work with self-reset
- Bug fixes: various PositiveID issues
- New user details reports for admin API
- Bug fix: helpdesk users were unable to reset PINs in certain circumstances
Swivel 3.8.1 (4256)¶
Released: 23 August 2011
- Banned Credentials fixed
- VoiceSage Transport timeout added
- Two Stage authentication through RADIUS proxy fixed
- Reprovision for Mobile Phone Client users and not dual channel users
- ChangePIN policy enforcement
- Invalid LDAP FQDN on usernames caused by repository switches
- Case sensitivity fixes for various issues
- Corrected formatting of delimited transport strings
Swivel 3.8 (3958)¶
Released: 18 February 2011
- Two Way Authentication, to send a message to the SMS gateway
- Resend user credentials when their transport details change is now an option
- Copy Security string to Alert allows two destinations for security strings
- Transport group now defined as strings repository group
- Option to use vertical security strings
- Optional time based lockout for accounts
- Mobile Phone App Provisioning Security restrictions
- Optional Self Provision of Mobile Client
- Banned PIN numbers
- Custom Phone Number formatting by repository
- AD Domain suffix/prefix for a repository
- Check Password with Repository by XML-Agent or RADIUS NAS
- Reporting within the Administration console and exportable to CSV or XML
- GUI can now expand/collapse configuration options for simplification
- Manual Lock, to lock an account from the Administration Console
- RADIUS Proxy Option No User session to RADIUS proxy against another Swivel instance when no session is started
Swivel 3.7.3727¶
Released: 2010
Minor fixes and extended logging for debugging
==== Known Issues With 3.7.3727 ====
There is a known issue with this version only: every time a user sync is run, it generates a file in the logs folder (/usr/local/tomcat/webapps/pinsafe/WEB-INF/logs on an appliance) with a name beginning with “profile”. These files can safely be deleted, as they are for diagnostic purposes only, and were not intended for production.
Swivel 3.7.3474¶
Released: 3 December 2009
- RADIUS challenge and response
- RADIUS proxy
- RADIUS passing of group membership using specific vendor attributes
- Use of security strings to be valid for more than one authentication
- Helpdesk users can be allowed/disallowed from setting PIN’s to a known value
- Helpdesk users can be allowed/disallowed from adding/deleting users to the XML repository
- SMS Transports “replace previous message” option is replaced by the Normal/Replace/Flash options
- View a users Security Strings
Swivel 3.6.3369¶
Released: 19 October 2009
- Supports IPv6
- Animated Turing, PATtern, BUTton (requires Java 1.6 or later for animation)
- Additional Single Channel parameters
- Security String Index number can be requested when sending multiple security strings
- LDAP browser in Swivel Administration console
- RADIUS NAS Agents can be configured to allow only certain authentication modes
- XML Agents can be configured to allow only certain authentication modes
- Auto PIN reset, a new PIN can be sent on account expiry
- Account expiry, dates can be set when an account will expire
- Idle account status, allows idle accounts to be visually identified
- On Demand delivery, allows a new dual channel security string to be sent to user
Java Class paths are different to previous versions
Swivel 3.6.3275 users should upgrade to 3.6.3369
Swivel 3.5.2989¶
Released: December 2008
- Single Channel request sessions can be shared across a Swivel HA pair
- Mark as deleted option so deleted accounts can be recovered, keeping the users PIN
- Search in User Admin and usability features
- Job schedules changed from cron to user friendly format
- Helpdesk users can be restricted to their own repository or global
- All configuration passwords are now encrypted
- More than one syslog server can be defined
- Stack traces are written to the log files
Swivel 3.4.2503¶
Released: 27 May 2008
- Transport Attributes setting allows transport attribute to be defined for repository
- Admin/Helpdesk API to allow external applications make Create, Read, Update and Delete operations
- Reporting API
- Repository password checking
- Audit emails for account creation and deletion
- Repository Sync Jobs refinement for speed and reliability
- RADIUS Vendor Group Class attribute support
- OWA Integration option ‘Allow non-PINsafe Users’ requires Swivel 3.4 or higher.
Swivel 3.3.2304¶
Released: November 2007
- Multiple Data Sources, such as multiple AD and LDAP data sources
- Repository Groups, allowing mutiple data sources for each group
- Repository Group Management user views
- Repository deletion
Swivel 3.2.1811¶
Released: 16 February 2007
- External Databases can be defined, such as MySQL, MSSQL, Oracle
- LDAP data source support
- IP Filter lockdown for Swivel Administration Console
- Ignore AD infrastructure change option
- Resend tab in user administration to send user a new PIN without knowing what the PIN is
- User has no security strings bug fix
NOTE: config.xml cannot be copied from Swivel versions earlier than 3.2. Information must be entered manually
Swivel 3.1.4.716¶
Released: October 2006
- Agent Groups can be defined based on IP
- PINless option where an OTC is sent without PIN protection for SMS or as a CAPTCHA for Single Channel
- PIN Policy to prevent user choice of sequential or repeated digits
- Customisable security string text
- Address ranges may be specified for agents
- Improved XML sync times
Swivel 3.1.3, 3.1.3a, 3.1.3b, 3.1.3c¶
Released: May 2006
- Peer and Proxy against other Swivel servers
- Authentication Policies including PIN expiry, Change PIN on first login
- SMTP Alerting
- Syslog for Swivel logging
- Improved User Administration including user locking, searching and view by status
Swivel 3.1.2¶
- Rotating characters for Single Channel
- Security string may now also include upper case and lower case or mixed case letters
- On Demand Authentication where the security string is not automatically sent
- Self Reset utility so a user can request a new PIN and unlock an account
- Usernames can be case sensitive on insensitive
- User Administration supports pages and includes a search facility
- RADIUS support for MS-CHAP and MS-CHAPV2
Swivel 3.1.1¶
- User Repository API to support repositories in addition to AD and LDAP
- AD integration
- MySQL database replaced by an XML repository
- RADIUS supports CHAP
- Administration Console redesigned
- Windows GINA integration
Swivel 2.2.6¶
- Agent API, AgentXML has been developed to exchange data between the Agent and the Swivel server.
- Administration Roles added
- Logging and reporting
- Static Password support
- Swivel MIDlet re-engineered for mobile phones updated and New Administration Pages
- Updated Administration Console
Swivel 2.1.5¶
- Multiple Language Support
- GSM MODEM support
- SMTP Support for security strings
- Updated and New Administration Pages
Swivel 2.1¶
- Variable PIN lengths (4-10 digits)
- PINsafe PIN Admin System
- Authentication by username supported in addition to Session ID
- Licensing Added
- SLIDEbar interface has been removed
Swivel 1.4 and 2.0¶
- RADIUS Proxy Support
- PATTern and KEYpad user interfaces
- Database support
- Windows installer has been updated to support the use of MS SQL and Oracle.
- LINUX installer has been updated to support PostgreSQL