Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titleIn Progress

This release is planned. Therefore the information presented here is incomplete and inaccurate.
For information regarding the latest stable release please see Release 3.7.1

Watt

Release 3.8 is a twenty sixth midPoint release code-named Watt. The 3.8 release brings major performance and scalability improvements. There are also provisioning, security and user interface improvements.

...

Panel
titleJames Watt

James Watt (1736 - 1819) was Scottish inventor best known for his significant improvement of the steam engine. Watt steam engine was more powerful and efficient than early steam engines. Those improvements contributed to economic viability of steam engine, which was a crucial element of industrial revolution.

Similarly to Watt's steam engine, midPoint 3.8 brings major improvements to performance, efficiency and scalability. MidPoint 3.8 is designed to handle millions of identities with even higher scaling potential. While fundamental data model of midPoint remains basically the same (and compatible), there were significant improvements to the methods how the data are stored in the database. Handling of the data and especially processing of data changes was also improved. Therefore midPoint 3.8 should be faster. But even more importantly - midPoint 3.8 should be able to work in deployments that were traditionally considered to be beyond the reach of a comprehensive identity management and governance solution.

 

Table of Contents

Credits

Majority of the work on the Watt release was done by the Evolveum team. However, this release would not be possible without the help of our partners, customers, contributors, friends and families. We would like to express our thanks to all the people that contributed to the midPoint project both by providing financial support, their own time or those that maintain a pleasant and creative environment for midPoint team. However, midPoint project would not exist without proper funding. Therefore we would like to express our deepest gratitude to all midPoint subscribers that made midPoint project possible.

Features

midPoint 3.8 provides following features:

Changes with respect to version 3.7

  • User interface improvements
    • User-friendly policy selection
    • User-friendly entitlement association management
    • GUI support for more complex data in object extension (containers), improved GUI customization (experimental)
    • Simple GUI pages for cases (internal midPoint tickets) contributed by Exclamation Labs
    • Support for custom static web content in midpoint home directory
    • Support for experimental annotation
    • Ability to override experimental and deprecated annotations
    • Minor user experience improvements
  • Data model improvements
    • Full implementation of subType property
    • Properties locality, costCenter, preferredLanguage, locale, timezone, emailAddress and telephoneNumber moved up from UserType to FocusType.
    • Customizable PolyString normalization
  • Security improvements
    • Password Policy: prohibited projection values
    • Negative item enumeration in authorizations (exceptItem)
    • Expression code requires just execution-phase authorizations, it does not need request-phase authorizations any more
    • Improved password metadata
  • Provisioning
    • Provisioning Propagation
    • Ad-hoc provisioning script execution
    • Improved error handling, especially criticality of ITSM errors
    • Provisioning dependencies may use filter in dependency specification
  • Performance and scalability improvements
  • Miscellaneous improvements
    • Improved handling of function library updates
    • Minor mapping improvements
    • Basic data protection features (experimental)
    • Improved SMS gateway support (HTTP POST method)
    • Support for configuration variable in inbound mappings
    • Start scripts for ninja tool (ninja.sh, ninja.bat)
    • Improved documentation
  • Connectors
    • CSV connector supports script execution
    • Active Directory connector supports CredSSP version 5 and 6 (see CVE-2018-0886)

Oracle database 11g is no longer supported. It is replaced by Oracle 12c database support.
Support for PostgreSQL 9.4 and earlier is deprecated. PostgreSQL 8.4.x and earlier is no longer supported.
MySQL 5.6 and earlier is no longer supported.
Microsoft SQL 2008 and 2008 R2 are no longer supported. Microsoft SQL Server 2012 support is deprecated.

Quality

Release 3.8 (Watt) is intended for full production use in enterprise environments. All features are stable and well tested - except the features that are explicitly marked as experimental or partially implemented. Those features are supported only with special subscription and/or professional services contract.

Limitations

  • MidPoint 3.8 comes with a bundled LDAP-based eDirectory connector. This connector is stable, however it is not included in the normal midPoint support. Support for this connector has to be purchased separately.
  • There is an option to modify midPoint to support LDAP and CAS authentication by using Spring Security modules. This method is used in several midPoint deployments. However, such authentication modules are not officially supported as part of usual midPoint subscriptions. Only community-level support is provided for those modules. Commercial-grade support for this authentication method is available, but it has to be explicitly negotiated in a subscription contract.
  • MidPoint user interface has flexible (fluid) design and it is able to adapt to various screen sizes, including screen sizes used by some mobile devices. However, midPoint administration interface is also quite complex and it would be very difficult to correctly support all midPoint functionality on very small screens. Therefore midPoint often works well on larger mobile devices (tablets) it is very likely to be problematic on small screens (mobile phones). Even though midPoint may work well on mobile devices, the support for small screens is not included in standard midPoint subscription. Partial support for small screens (e.g. only for self-service purposes) may be provided, but it has to be explicitly negotiated in a subscription contract.
  • There are several add-ons and extensions for midPoint that are not explicitly distributed with midPoint. This includes midPoint plug-in for Eclipse IDE, extension of Jasper studio, Java client library, various samples, scripts, connectors and other non-bundled items. Support for these non-bundled items is limited. Generally speaking those non-bundled items are supported only for platform subscribers and those that explicitly negotiated the support in their contract. For other cases there is only community support available. For those that are interested in official support for IDE add-ons there is a possibility to use subscription to help us develop midPoint studio (
    JIRA
    serverEvolveum Jira
    serverId701b45f2-090c-3276-8ac9-f45eedf731bc
    keyMID-4701
    ).

Platforms

MidPoint is known to work well in the following deployment environment. The following list is list of tested platforms, i.e. platforms that midPoint team or reliable partners personally tested with this release. The version numbers in parentheses are the actual version numbers used for the tests.

...

Support for some platforms is marked as "deprecated". Support for such deprecated versions can be removed in any midPoint release. Please migrate from deprecated platforms as soon as possible.

Java

  • OpenJDK 8 (1.8.0_91, 1.8.0_111, 1.8.0_151)
  • Sun/Oracle Java SE Runtime Environment 8 (1.8.0_45, 1.8.0_65, 1.8.0_74, 1.8.0_131)

Web Containers

  • Apache Tomcat 8 (8.0.14, 8.0.20, 8.0.28, 8.0.30, 8.0.33, 8.5.4)
  • BEA/Oracle WebLogic 12c (12.2.1.3.0) - (warning) special subscription required

...

Note
titleWeb container (application server) support

Currently there are no plans to remove support for deployed midPoint installation using a WAR file. However, it is possible that this deployment form will get phased out eventually unless there are active subscribers preferring this deployment method. MidPoint subscription is strongly recommended if you plan to use this method in the future.

Databases

  • H2 (embedded). Supported only in embedded mode. Not supported for production deployments. Only the version specifically bundled with midPoint is supported.
    H2 is intended only for development, demo and similar use cases. It is not supported for any production use. Also, upgrade of deployments based on H2 database are not supported.
  • PostgreSQL 9 (9.1, 9.2, 9.3, 9.4, 9.4.5, 9.5, 9.5.1). Support for PostgreSQL 9.4 and earlier is deprecated.
  • MariaDB (10.0.28)
  • MySQL 5.7 (5.7)
  • Oracle 12c
  • Microsoft SQL Server 2012, 2014. Microsoft SQL Server 2012 support is deprecated.

Supported Browsers

  • Firefox (any recent version)
  • Safari (any recent version)
  • Chrome (any recent version)
  • Opera (any recent version)
  • Microsoft Internet Explorer (version 9 or later)

...

Microsoft Internet Explorer compatibility mode is not supported.

Important Bundled Components

ComponentVersionDescription
ConnId1.4.3.11ConnId Connector Framework
LDAP connector bundle1.6LDAP, Active Directory and eDirectory connector
CSV connector2.2Connector for CSV files
DatabaseTable connector1.4.2.0Connector for simple database tables

Download and Install

Note
titleStand-alone deployment model

MidPoint 3.7 deployment method has changed. Stand-alone deployment is now the default deployment method. MidPoint default configuration, scripts and almost everything else was adapted for this method.

Upgrade

MidPoint is software that is designed for easy upgradeability. We do our best to maintain strong backward compatibility of midPoint data model, configuration and system behavior. However, midPoint is also very flexible and comprehensive software system with a very rich data model. It is not humanly possible to test all the potential upgrade paths and scenarios. Also some changes in midPoint behavior are inevitable to maintain midPoint development pace. Therefore we can assure reliable midPoint upgrades only for midPoint subscribers. This section provides overall overview of the changes and upgrade procedures. Although we try to our best it is not possible to foresee all possible uses of midPoint. Therefore the information provided in this section are for information purposes only without any guarantees of completeness. In case of any doubts about upgrade or behavior changes please use services associated with midPoint subscription or purchase professional services.

Upgrade from midPoint 3.0, 3.1, 3.1.1, 3.2, 3.3, 3.3.1, 3.4, 3.4.1, 3.5, 3.5.1, 3.6 and 3.6.1

Upgrade path from MidPoint 3.0 goes through midPoint 3.1, 3.1.1, 3.2, 3.3, 3.4.1, 3.5.1 and 3.6.1. Upgrade to midPoint 3.1 first. Then upgrade from midPoint 3.1 to 3.1.1, from 3.1.1 to 3.2 then to 3.3, then to 3.4.1, 3.5.1, 3.6.1, 3.7.1 and finally to 3.8.

Upgrade from midPoint 3.7 and 3.7.1

MidPoint 3.8 data model is essentially backwards compatible with previous midPoint versions. However, there were changes that may affect some deployments:

...

  • Version numbers of some bundled connectors have changed. Therefore connector references from the resource definitions that are using the bundled connectors need to be updated.

Changes in initial objects since 3.7 and 3.7.1

MidPoint has a built-in set of "initial objects" that it will automatically create in the database if they are not present. This includes vital objects for the system to be configured (e.g. role superuser and user administrator). These objects may change in some midPoint releases. But to be conservative and to avoid configuration overwrite midPoint does not overwrite existing objects when they are already in the database. This may result in upgrade problems if the existing object contains configuration that is no longer supported in a new version. Therefore the following list contains a summary of changes to the initial objects in this midPoint release. The complete new set of initial objects is in the config/initial-objects directory in both the source and binary distributions. Although any problems caused by the change in initial objects is unlikely to occur, the implementors are advised to review the following list and assess the impact on case-by-case basis:

  • 000-system-configuration.xml: renamed file to "000" to allow polystring normalizer configuration on initial import, updated logging setting (hibernate)
  • 030-role-superuser.xml: changed roleType to subtype
  • 040-role-enduser.xml: changed roleType to subtype, authorizations for function library
  • 041-role-approver.xml: changed roleType to subtype, authorizations for function library
  • 042-role-reviewer.xml: changed roleType to subtype, authorizations for function library
  • 043-role-delegator.xml: changed roleType to subtype, authorizations for function library
  • 200-lookup-languages.xml: new supported languages: Italian, French
  • 210-lookup-locales.xml: new supported locales: Italian, French

Bundled connector changes since 3.7 and 3.7.1

  • The LDAP connector and AD Connector were upgraded to the latest available version. The reason is a vulnerability in CredSSP protocol version 4 and earlier (CVE-2018-0886). Microsoft implemented CredSSP versions 5 and 6 to mitigate the issue. However those versions are incompatible with previous versions, therefore new implementation has to be done in the connector.
  • CSV connector now supports script execution (executing operating system commands).

Behavior changes since 3.7 and 3.7.1

  • Parsing of search filters was made a bit more strict: certain classes of errors related to type and exists filter clauses are now checked during filter parsing instead of previous approach that checked them when the filter was to be applied. This means that roles or other objects containing such malformed filters are only partially usable: they can be read from the repository (to be used during midPoint execution, displayed via standard GUI or on Repository objects page); however, such objects cannot be modified in any way. The only way how to modify them is to fix malformed filters first using Repository objects page.
  • Result of a task object is not returned by default. It has to be explicitly requested.

Public interface changes since 3.7 and 3.7.1

  • REST interface was extended with experimental password reset method.
  • Audit table was extended and modified
    • id column in m_audit_event table is now generated by default (auto increment)
    • Columns delta and fullResult in m_audit_delta table are compressed using GZIP

Important internal changes since 3.7 and 3.7.1

These changes should not influence people that use midPoint "as is". These changes should also not influence the XML/JSON/YAML-based customizations or scripting expressions that rely just on the provided library classes. These changes will influence midPoint forks and deployments that are heavily customized using the Java components.

  • Definition of Unified Connector Framework (UCF) interface was changed to improve error handling. As this is experimental interface, please see source code history for description of changes.
  • Definition of Java manual connector interface (abstract classes) was changed. As this is experimental interface, please see source code history for description of changes.

Known Issues and Limitations

There is a support to set up storage of credentials in either encrypted or hashed form. There is also unsupported and undocumented option to turn off credential storage. This option partially works, but there may be side effects and interactions. This option is not fully supported yet. Do not use it or use it only at your own risk. It is not included in any midPoint support agreement.

...

This may seem a little bit harsh at a first sight. But there are very good reasons for this policy. And in fact it is no worse than what you get with most commercial software. We are just saying that with plain language instead of scrambling it into a legal mumbo-jumbo.

See Also