
12.8.1

Features and improvements

Installation
  • Updated the branding for Bravura Security within the product installer for a few remaining areas.

  • Updated "Connectors Being Removed" pre-installation check URL

    The "Connectors Being Removed" pre-installation check now points to the correct URL on the docs.bravurasecurity.com domain for the "Deprecated connectors" documentation page.

Core
  • Event action strings help updated with new exit trap macros

    The in-product "Event action strings help" popup now documents four new exit trap macros: MGRNAME (manager full name), MGREMAIL (manager email), EXPACCTHOST (target system IDs of affected accounts), and EXPACCTLONGID (long IDs of affected accounts).

  • ManageableAccountSearch performance optimization

    The ManageableAccountSearch query has been optimized by removing a bound variable that was causing 15 GB memory grants in SQL Server, significantly improving performance in large-scale deployments.

  • WstnPwdReqList performance optimization

    The WstnPwdReqList query has been optimized for faster workstation password request listing, reducing response times when managing large numbers of workstation password requests.

  • KMKeyGetByAccount external scanner fallback mapping

    Introduced a fallback mechanism in KMKeyGetByAccount so that when standard host/IP/DNS cross-reference lookups fail, external scanners such as Qualys can resolve credentials via a registry-based account/domain/resource mapping. The feature is disabled by default and can be enabled explicitly where needed without affecting existing deployments. For environments previously using the Qualys-specific registry value, rename it to the new generalized name while preserving the accountname domain resource_id format.

  • New forceactionable option for pwdconflicts.exe

    Added a new forceactionable command-line option to pwdconflicts.exe that allows administrators to force-randomize non-actionable password conflicts. Existing behavior is unchanged unless the option is explicitly used. Inactive accounts are still filtered out regardless.

  • KMKeyGetByAccount external scanner fallback mapping

    Added KMKeyGetByAccount fallback mapping so that when host/IP/DNS lookups fail, external scanners can resolve credentials via a registry‑based account/domain/resource mapping, with the feature remaining disabled unless the registry key is configured.

Notification
  • More robust enrollment completion navigation

    Improved the enrollment completion flow so that newly triggered notifications are handled correctly, and users are redirected back to the expected pages after completing registration and password change steps, instead of occasionally encountering a broken UI.

  • OAuth support for global-mail-plugin

    Implemented OAuth-based SMTP authentication (XOAUTH2) in the global-mail-plugin so that customers can use modern mail servers where basic authentication is being retired.
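As an added illustration of what XOAUTH2 SMTP authentication exchanges on the wire (example code written for these notes, not the global-mail-plugin's own implementation), the block below builds the SASL XOAUTH2 initial client response, shows the server-side parse of it, and wires it into Python's standard smtplib. It assumes only the published XOAUTH2 format (user=<address>, SOH, auth=Bearer <token>, SOH, SOH, base64-encoded); the address and token values are constructed placeholders, and no network connection is made.

```python
import base64
import smtplib

# Added example, not Bravura's plugin code. Assumes only the SASL XOAUTH2
# wire format: "user=<addr>\x01auth=Bearer <token>\x01\x01", base64-encoded
# on the wire. The address and token used below are constructed placeholders.

def build_xoauth2_string(user: str, access_token: str) -> str:
    """Return the raw (not yet base64-encoded) XOAUTH2 initial response."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("SOH (0x01) separator not allowed in user or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"

def encode_for_wire(raw: str) -> str:
    """What actually travels in the AUTH XOAUTH2 command."""
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def parse_xoauth2_string(wire: str) -> dict:
    """Server-side view: decode and split an XOAUTH2 response into fields.
    Raises ValueError on malformed input instead of guessing."""
    raw = base64.b64decode(wire).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing terminating SOH pair")
    fields = {}
    for part in raw[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    if not fields.get("auth", "").startswith("Bearer "):
        raise ValueError("auth field must carry a Bearer token")
    return fields

def authenticate_session(smtp: smtplib.SMTP, user: str, access_token: str) -> None:
    """Authenticate an already-connected session that has completed STARTTLS.
    smtplib base64-encodes whatever the authobject returns, so the raw
    string is handed over, not the encoded one."""
    raw = build_xoauth2_string(user, access_token)
    smtp.auth("XOAUTH2", lambda challenge=None: raw)
```

The access token must come from the tenant's OAuth token endpoint (client credentials or a refresh-token grant) shortly before the SMTP session; it is short-lived and should never be written to configuration files the way a basic-auth password used to be.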

Workflow
  • HTML formatting for request macros in email

    When HTML mail content is enabled, request macros such as %REQUESTBATCHDETAILS%, %REQUESTPURPOSE% and %REQUESTLINKS% are now wrapped in <pre> tags so line breaks and spacing are preserved, improving readability of request emails that use customer-specific HTML templates.
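The following added example (written for these notes, not the product's mail template engine) shows the wrapping the note describes together with the check a reviewer would want alongside it: macro values are HTML-escaped before being placed inside <pre>, so a value containing "<" or "&" preserves its line breaks without being able to inject markup into the message. It assumes only the %NAME% macro form shown above; the template and values are constructed.

```python
import html
import re

# Added example, not the product's mail template engine. Assumes only the
# %NAME% macro form the release note shows; the template and values below are
# constructed. The escaping step is this example's own choice: a value that
# reaches an HTML mail unescaped could inject markup into the message.
MACRO_RE = re.compile(r"%([A-Z_]+)%")

def expand_macros(template: str, values: dict, html_content: bool) -> str:
    """Replace %MACRO% tokens in a mail template.

    In HTML mode the value is HTML-escaped and wrapped in <pre> so newlines
    and spacing survive rendering while '<' or '&' from the data cannot
    start a tag. Unknown macros are left in place so the omission is visible."""
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            return match.group(0)
        value = str(values[name])
        if not html_content:
            return value
        return "<pre>" + html.escape(value, quote=True) + "</pre>"
    return MACRO_RE.sub(repl, template)

# Constructed sample: a purpose with line breaks and an angle bracket.
SAMPLE_VALUES = {
    "REQUESTPURPOSE": "Onboard contractor\nTeam: <Payments>",
    "REQUESTLINKS": "https://bsf.example.invalid/req/1\nhttps://bsf.example.invalid/req/2",
}
SAMPLE_TEMPLATE = ("<p>Purpose:</p>%REQUESTPURPOSE%"
                   "<p>Links:</p>%REQUESTLINKS%<p>%UNKNOWN%</p>")
```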

  • Scalability improvement for requests with many tasks

    Handling of requests containing a large number of tasks (for example, roles with 70 or more groups) has been improved so that the 50-task display limit is enforced more gracefully and the behavior is documented. Roles that exceed this limit should be broken into smaller sub-roles.

Discovery
  • Safer psupdate use in shared schema environments

    In shared schema environments, running auto discovery from a non-primary node now shows a clear warning and blocks psupdate execution, preventing silent changes to scheduler settings that previously caused scheduled psupdate jobs to fail on both nodes.

Reporting
  • Updated the scheduled report configuration page to allow editing and saving the previously saved scheduled report on a patch version upgraded instance.

  • Added "Parent role ID" and "Parent role description" columns to the Certification details and Review certification details reports to show parent role information for role member entitlements.

Logging and metrics
  • Guacamole session correlation logging

    A unique common identifier is now present in both guacd logs and BSF audit records, enabling administrators to match Guacamole session log entries to Bravura Privilege disclosure executions.

  • More accurate idmsuite.log timestamps

    The logging service for idmsuite.log now periodically flushes file buffers on a configurable interval so the file's modification timestamp reflects recent logging activity. This makes it easier for administrators to see when logs were last written, without relying solely on log entry content.

Security
  • ASP.NET Core 8.0.23 security baseline

    Updated the bundled ASP.NET Core runtime and related packages from 8.0.10/8.0.11 to 8.0.23 to address Microsoft security vulnerabilities (CVE-2024-43498, CVE-2024-43499, CVE-2024-43500).

  • Cache-Control headers on sensitive API responses

    Cache-Control: no-store and Pragma: no-cache response headers are now added to sensitive API endpoints (account details, user profiles, OAuth userinfo) so browsers do not cache authenticated responses to local disk. Static assets (SVGs, localization JSON) remain cacheable. Addresses pentest finding "Cacheable HTTPS response."
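As an added example (not Bravura's middleware), the block below models the policy this note describes and pairs it with the check a pentester runs for "Cacheable HTTPS response": sensitive paths get Cache-Control: no-store and Pragma: no-cache, static assets keep a cache lifetime, and an audit function flags a sensitive response that a browser could still write to disk. The path prefixes, suffixes and sample headers are assumptions standing in for the endpoints named above.

```python
from urllib.parse import urlsplit

# Added example; not the product's middleware. The prefixes and suffixes are
# constructed stand-ins for the endpoint classes the release note names.
SENSITIVE_PREFIXES = ("/api/account", "/api/profile", "/oauth/userinfo")
STATIC_SUFFIXES = (".svg", ".json", ".js", ".css")

def is_sensitive(path: str) -> bool:
    """Sensitive check wins over the static-suffix check, so an endpoint such
    as /api/profile/settings.json is still treated as sensitive."""
    p = urlsplit(path).path          # ignore query string and fragment
    return any(p == pre or p.startswith(pre + "/") for pre in SENSITIVE_PREFIXES)

def is_static_asset(path: str) -> bool:
    return urlsplit(path).path.endswith(STATIC_SUFFIXES)

def apply_cache_policy(path: str, headers: dict) -> dict:
    """Return a copy of the response headers with the cache policy applied."""
    out = dict(headers)
    if is_sensitive(path):
        out["Cache-Control"] = "no-store"
        out["Pragma"] = "no-cache"           # for HTTP/1.0 caches
    elif is_static_asset(path):
        out.setdefault("Cache-Control", "public, max-age=86400")
    return out

def cacheable_findings(path: str, headers: dict) -> list:
    """Detection side: list the reasons a sensitive response is cacheable."""
    if not is_sensitive(path):
        return []
    directives = {d.strip().lower()
                  for d in headers.get("Cache-Control", "").split(",") if d.strip()}
    findings = []
    if "no-store" not in directives:
        findings.append("Cacheable HTTPS response: missing Cache-Control: no-store")
    if headers.get("Pragma", "").lower() != "no-cache":
        findings.append("missing Pragma: no-cache for HTTP/1.0 caches")
    return findings
```

Running cacheable_findings over the responses in a proxy capture is a quick regression check after an upgrade; note that "private" or "max-age=0" alone does not clear the finding, since both still permit writing the body to the local cache.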

API
  • Skip serverinfo validation for TargetPAMAssociatedCredential_set

    The IDMConfig API no longer performs the serverinfo validation check when mapping managed accounts via TargetPAMAssociatedCredential_set, aligning API behavior with the GUI tool psa.exe.

  • Updated the IDAPI Login function to return the generic error "Invalid username or password or the specified user has insufficient privileges" when login fails in any of the following cases, to prevent username enumeration:

    • User doesn't exist or invalid

    • User/Password combination is invalid

    • User is invalid but doesn't have any ACL
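To make the enumeration risk concrete, the added example below (not the IDAPI code) places a login routine that reports each failure reason separately beside one that returns a single generic message for all three cases and always performs the password hash computation, so that neither the message nor the response time tells an unauthenticated caller which usernames exist or which lack an ACL. The user store, ACL sets and hashing parameters are constructed.

```python
import hashlib
import hmac

# Added example; not the IDAPI implementation. The user store, ACL sets and
# hashing scheme are constructed for illustration. The error text is the one
# given in the release note.
GENERIC_ERROR = ("Invalid username or password "
                 "or the specified user has insufficient privileges")
ITERATIONS = 50_000
_SALT = b"constructed-static-salt"      # real code uses a random per-user salt

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

USERS = {
    "alice": {"hash": hash_password("correct horse", _SALT), "acls": {"helpdesk"}},
    "bob":   {"hash": hash_password("battery staple", _SALT), "acls": set()},
}
# Hashed when the user does not exist, so the unknown-user path spends the
# same effort as a real password check and timing does not reveal existence.
_DUMMY_HASH = hash_password("dummy", _SALT)

def login_leaky(username: str, password: str):
    """Before: a distinct message per failure reason. Each message tells the
    caller something: whether the name exists and whether it has privileges."""
    user = USERS.get(username)
    if user is None:
        return False, "User does not exist"
    if not hmac.compare_digest(user["hash"], hash_password(password, _SALT)):
        return False, "Invalid password"
    if not user["acls"]:
        return False, "User has no ACL"
    return True, "OK"

def login_generic(username: str, password: str):
    """After: one message for every failure; the hash is always computed and
    compared in constant time, and the ACL check shares the same outcome."""
    user = USERS.get(username)
    expected = user["hash"] if user is not None else _DUMMY_HASH
    password_ok = hmac.compare_digest(expected, hash_password(password, _SALT))
    if user is None or not password_ok or not user["acls"]:
        return False, GENERIC_ERROR
    return True, "OK"
```

The detailed reason still belongs in the server-side audit log, keyed to the attempt, so help desk staff can diagnose a failed login without the caller learning it.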

  • Database indexes for get_account_attributes performance

    Added three new database indexes (metaattr_idx_4, targetobjattr_idx_4, and targetobjattr_file_idx_2) to optimize the performance of the REST API get_account_attributes operation, reducing query execution time in environments with large numbers of account attributes.

  • Exit traps for help desk operations in REST API calls

    Added exit trap support for help desk operations invoked through the idmlib REST API, enabling event-driven automation (such as email notifications or external integrations) when help desk actions are performed via the API.

  • Database query optimization for ObjAssociateInitial and UserList

    Updated database queries in the ObjAssociateInitial and UserList operations to use OPTION(MAXDOP 1), which restricts SQL Server to a single-threaded execution plan. This improves performance by avoiding parallel plan overhead in environments where parallelism introduces contention.

User interface
  • Saved report lists honour display limits

    The "My saved reports" and "Other users' saved reports" pages now correctly honour the configured "Records to display" value. Saved reports with missing or unreadable spool files remain in the list but have their selection and action controls disabled, instead of silently reducing the number of rows shown.

Bravura Identity
  • Profiles with trailing whitespace now supported

    Fixed handling of profiles whose identifiers include leading or trailing whitespace so that requests such as MOVE-IN-ORG no longer fail with "Recipient identification ambiguous", and related profile reports now return the expected results.

  • The autores command line utility now skips and warns for roles that are disabled and/or unassignable when submitting.

  • A warning notification is presented in the role assignment user interface if a selected role is disabled and/or unassignable.

Bravura Privilege
  • Fixed data race on clipboard field in HIDSessmon ParseMessage()

    The clipboard boolean field in HIDSessmon.java is now declared volatile to ensure proper memory visibility across threads per the Java Memory Model.

  • Consolidated auto-denied PAM checkout request email notifications

    When a PAM checkout request expires without approval, the system now sends a single consolidated "Request Denied" email instead of one email per authorizer, while preserving individual notifications for manual denials. A configuration option controls this behavior, addressing email overload scenarios where dozens of denial emails were generated per expired request.

  • Improved VIM display in Guacamole PAM sessions

    Upgraded the bundled Guacamole component to address a VIM display bug where lines appeared duplicated when scrolling, improving readability for users working in terminal sessions through PAM disclosures.

  • Tomcat updated from 9.0.94 to 9.0.109

  • Error message when browser extension plugin process fails to launch

    Added an error message box that displays when the browser extension plugin process cannot be launched, providing clear feedback instead of failing silently.

  • Windows Authentication support for MSSQL system type

    Added support for Windows Authentication when connecting to MSSQL target systems, allowing Bravura Privilege to manage SQL Server accounts using integrated Windows credentials instead of requiring SQL Server authentication.

Bravura Pass
  • Local Reset Extension controls restored

    The pslocalr.ocx and related controls have been added back to the product, along with the pslocalr-x64.msi and pslocalr.msi Local Reset Extension installers. The cgilocalr.cfg sample script has also been updated for the pslocalr control.

Proxy
  • Immediate WebSocket reconnect on tunnel disconnect

    The TunnelClient now retries the WebSocket connection immediately upon disconnect before applying TunnelRetryDelay (default 5 minutes). The backoff delay only kicks in after the immediate retry fails. This significantly reduces downtime for proxy-dependent operations (logins, password verifications, PAM sessions) during transient network interruptions.

Documentation
  • Mail plugin OAuth configuration

    Added documentation describing how to configure OAuth authentication for the global-mail-plugin, including new settings and example configuration steps. See Modifying global mail settings.

  • Notification client manual install docs and tests

    Reviewed and updated documentation and testing guidance for manually installing the Bravura Security notification client from a network share, consolidating best practices from KB content into the main product docs. See Notification Client (psntfclient).

Resolved issues

Installation
  • The installer now validates that the database compatibility level meets the minimum requirement of 130.

  • instdump.exe now outputs connector pack binary versions

    Fixed instdump.exe so that it correctly outputs global connector pack binary versions in its diagnostic output, making it easier to verify which connector pack version is deployed on each node.

Proxy servers
  • Fixed an issue with the WebSocket Connector Proxy by adding mitigations to prevent exceptions when connecting to the proxy tunnel. This previously caused connection issues when multiple nodes were configured.

  • Fixed unhandled exceptions that could occur during proxy shutdown, improving application stability.

Core
  • Guacamole high CPU from infinite NumberFormatException loop

    Fixed an unhandled NumberFormatException in HIDSessmon.ParseMessage() (line 79) that caused Tomcat worker threads to spin at 100% CPU indefinitely when malformed (non-numeric) session data was received. The exception is now caught and logged, and the affected message is skipped.

Database
  • UserclassIsMember stored procedure runtime error

    Fixed a runtime error in the UserclassIsMember stored procedure caused by the SQL optimizer executing operations out of order, which led to data type conversion failures. The fix ensures the query plan evaluates type-safe operations in the correct sequence.

  • UserClassPointLoadFromCache NULL criteria handling

    Fixed a runtime error in the UserClassPointLoadFromCache stored procedure that occurred when the userclasspoint.criteriap field contained a NULL value, which could happen for user class points with no criteria defined.

  • DB_REPLICATION_QUEUE_DELAY_PAST_THRESHOLD false positive during system reboot suppressed

    The alert was triggered during normal service initialization when the queue_delay is initialized to INT_MAX before any records are processed. The alert is now suppressed when the value is INT_MAX within 10 minutes of system boot. No functional impact to data consistency or replication.

Bravura Privilege
  • SSH session recording playback with Guacamole 1.6 fixed

    SSH session recordings previously showed a gray/black screen during playback in the Sessmon App, although live viewing worked correctly. The issue was specific to the Guacamole 1.6 SSH recording/playback pipeline. RDP sessions were not affected.

  • Lost guacamole-rdp access disclosure plugin attributes resolved

    When ARCHIVE_ONBOARDED_SYSTEM processed a DELETE action, the WstnClean stored procedure could inadvertently delete all guacamole-rdp disclosure attributes for unrelated systems. The cleanup logic is now scoped correctly.

  • Guacamole HIDSessmon clipboard data race

    Fixed a data race on the clipboard boolean field in HIDSessmon.java where concurrent access by HIDSessmonReader and HIDSessmonWriter threads lacked synchronization. The field is now declared volatile to ensure proper memory visibility per the Java Memory Model.

  • Guacamole clipboard Ctrl+V paste in RDP sessions

    Pasting clipboard contents via Ctrl+V in Guacamole RDP sessions no longer triggers unintended actions (folder creation, dialog interactions). The sidebar clipboard was injecting content using simulated key events that included modifier keys; right-click Paste was unaffected.

  • Changes to Create OTP user request:

    • When a request is issued from the secondary node, it is now always forwarded to the primary node in case the secondary node is unstable.

    • Fixed an issue where retry operations could never succeed if the initial attempt failed.

  • Updated stored procedure TargetDelete to use RECOMPILE when deleting from targetobj to ensure that an unsuitable (from a performance perspective) cached query plan is not used when deleting large target systems.

  • Removed an SQL upgrade script that modifies the value of the discovery option Link accounts on this target system to subscribers for the target system discovery template NT_TEMPLATE and for all discovered systems created from NT_TEMPLATE.

  • Fixed issues with date timezones for Ajax and the product UI in general related to setting the preferred timezone environment variable.

  • Session monitoring package removal error handling

    Fixed the session monitoring service (idsmpg) to treat "file/path not found" as a successful result for both single and multi-session package removal, preventing spurious errors when cleaning up session packages that have already been removed.

  • Fixed the session monitor recording icon label branding.

  • PAM Linux components migrated to LINUX_NG connector

    Adjusted the pam_system_type_linux component and other related components to use the LINUX_NG connector instead of the legacy LINUX connector, aligning PAM Linux target system management with the current supported connector.

  • Vault account PDR system info link access denied resolved

    A parameter shift in LoadDisplayManagedSystem caused DEFAULTUSERGROUP=0 (REQUEST_CAPACITY_INVALID) to be passed to the system info page, preventing users with vault trustee privilege from accessing vault system info links. The correct function overload is now used.

  • Guacamole clipboard paste in RDP sessions fixed

    Pasting text containing special characters or modifier key sequences (CTRL+C, ALT+TAB, etc.) from the Guacamole sidebar clipboard into an RDP session via CTRL+V no longer causes random actions such as creation of folders. Right-click paste was not affected.

  • Guacamole high CPU (infinite exception loop in HIDSessmon ParseMessage) fixed

    When malformed non-numeric data was received, Integer.parseInt() threw NumberFormatException in a tight loop with no exception handling, causing Tomcat worker threads to spin at 100% CPU. Proper input validation and error handling are now in place.

Bravura Pass
  • Resolved an issue with the Login Assistant / SKA when upgrading from version 12.4.x to 12.8.1 and up. Upgrading to 12.5.0 and up caused an upgrade issue due to the rebranding from Hitachi ID to Bravura Security.

  • Fixed an issue where operation SRES (User self-reset result) is logged per account for both self-service and help-desk reset, which should be one operation per reset action and for self-service reset only. Also updated the Session activity report to generate the proper statistics for both self-service and help-desk change passwords.

  • Resolved an issue with Login Assistant / SKA to retain the value for the vpn-connect-terminate registry key on upgrade. The value was previously being dropped after upgrading Login Assistant.

  • Resolved an issue with Login Assistant / SKA to retain the values for -vpnurl and -vpnurlsearch for the cmd registry key on upgrade. The vpn-url and vpn-url-search registry keys are also now added for new Login Assistant / SKA installations. These registry keys must be manually added prior to an upgrade of the SKA.

  • Fixed unexpected quit during password reset when the browser client IP was too long.

  • Fixed an issue when unlocking accounts, changing passwords, and detaching accounts for users when the account names ended with ".x". Previously these operations did not succeed.

  • Active Directory interceptor backward compatibility

    Fixed a compatibility issue where the newer version of the Active Directory interceptor could not communicate with older versions of Bravura Security Fabric and the Password Manager service (idpm). The interceptor now works correctly in mixed-version environments during staged upgrades.

  • ODBC Q&A authchain compatibility with 12.9 address format

    In 12.9, NULL target type stores the address in key-value pair format ({server=<DSN>;}) instead of the plain DSN name used in 12.7. The odbcqa.exe plugin now correctly parses the new format to extract the DSN name for SQLConnectW.

Bravura Identity
  • Missing hostid on LDEL operations in exit traps

    The LDEL (link detach) operation now correctly populates the hostid field in exit trap account data. Previously, hostid was returned as None, causing exit trap scripts that filter by target system (e.g., SuccessFactors detach workflows) to fail silently.

  • "Recipient identification ambiguous" errors for some profiles

    Fixed a defect where profiles created from accounts with trailing spaces in identifiers could not be used as recipients in certain PDRs and did not appear correctly in profile reports, removing spurious "Recipient identification ambiguous" errors.

  • Request search by requester notes

    Fixed All Requests filtering so searches on Requester Notes correctly return matching requests, including those stored in legacy columns, restoring expected behavior for help desk and identity users relying on note text queries.

  • Updated the Orgchart graph page to load the current user's manager, even if the manager is in an orphaned Orgchart tree (calculated level is -1).

  • The autores utility now skips and warns for roles that are disabled and/or unassignable when submitting.

  • A warning message is given in the role assignment user interface if the role is disabled and/or unassignable.

  • Resolved a certificate link failure with SAML authentication.

SOAP API
  • Adjusted IDWFMServiceGet to only return a service with matching serverid and actingserver fields when picking a random server.

REST API
  • OTP account creation API regressions

    Resolved breaking behavior changes where WFRequestActionsGet returned F after PDR completion (instead of S) and WFRequestAttrsGet did not return created PAM UTIL account information, impacting integrations such as DTCC's PAMUtil automation.

  • REST API datetime output now respects time zones

    Fixed the REST API to correctly include time zone information in datetime output fields. Previously, datetime values were returned without time zone context, which could lead to incorrect time interpretation by API consumers in different time zones.

  • discoveryId added to auto-discovery REST API output

    Added the discoveryId field to the auto-discovery operation output for target systems in the REST API, enabling API consumers to correlate discovery results with specific discovery runs.

IDMLib
  • Added missing fields to ReqBatch.

Requests
  • Fixed an issue in the Requests app where the delegation manager was unable to delegate an implementer task on behalf of the selected primary implementer.

  • Updated requests app to not list requests with Calculating authorizers status with Active filter on.

Workflow
  • HTML formatting for request macros in email

    Corrected handling of request macros like %REQUESTBATCHDETAILS%, %REQUESTPURPOSE%, and %REQUESTLINKS% when MAIL CONTENT TYPE is enabled so multi-line values render with proper HTML line breaks instead of being collapsed into a single unreadable line.

  • Updated the idtm service to suppress operation failure emails when agent returns ACTryAgainLater.

  • Users with "View workflow requests" permission could not see request details

    Fixed an issue where users with the "View workflow requests" (viewworkflow) permission were unable to view request details on the request popup page, despite having the correct permission assigned.

  • rbacenforce.exe failed request output format corrected

    Modified rbacenforce.exe to properly save requests that failed to submit, using the same KVG format as the wizard produces. Previously, the saved file used a different format that could not be reprocessed.

Notification
  • First-time registration flow stability

    Resolved an issue where the first-time registration process could crash the UI before the password change step completed, particularly when multiple notifications were triggered. The flow now consistently returns users to the expected notification and password change pages.

Authentication / Authorization
  • False user lockouts from proxy communication failures

    The auth chain no longer increments the invalid password lockout counter when a proxy tunnel communication failure (agent error code 25 / PLUGIN_ERROR_PROCESS) occurs. Previously, transient proxy outages during WebSocket reconnect cycles caused agtaddn.exe failures to be treated as failed password attempts, locking out users whose passwords were never validated. Users now receive a system connectivity error instead of "incorrect password."
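The added example below (a model written for these notes, not Bravura's auth chain) captures the rule this fix establishes: only a verifier result that actually says "wrong password" advances the lockout counter, while an infrastructure result such as agent error code 25 / PLUGIN_ERROR_PROCESS yields a connectivity error and leaves the counter untouched. A flag reproduces the old behaviour so the difference is visible. The other result codes, the lockout threshold and the stand-in verifiers are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

# Added example modelling the lockout rule described above; it is not the
# product's auth chain. Apart from 25 / PLUGIN_ERROR_PROCESS, which the
# release note gives, the result codes and threshold are constructed.
PASSWORD_OK = 0
PASSWORD_INVALID = 1
PLUGIN_ERROR_PROCESS = 25      # agent error code 25: proxy tunnel failure
LOCKOUT_THRESHOLD = 3

@dataclass
class LockoutState:
    failed_attempts: int = 0
    locked: bool = False

@dataclass
class AuthChain:
    # verifier stands in for the agtaddn.exe call made through the proxy tunnel
    verifier: Callable[[str, str], int]
    count_infrastructure_failures: bool = False   # True reproduces the old behaviour
    state: Dict[str, LockoutState] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> str:
        st = self.state.setdefault(user, LockoutState())
        if st.locked:
            return "account locked"
        code = self.verifier(user, password)
        if code == PASSWORD_OK:
            st.failed_attempts = 0
            return "success"
        if code == PASSWORD_INVALID or self.count_infrastructure_failures:
            st.failed_attempts += 1
            if st.failed_attempts >= LOCKOUT_THRESHOLD:
                st.locked = True
            return "incorrect password"
        # The password was never evaluated, so this attempt must not count
        # toward lockout; tell the user the real reason instead.
        return "system connectivity error"

def tunnel_down(user: str, password: str) -> int:
    """Constructed verifier: the proxy tunnel is unreachable."""
    return PLUGIN_ERROR_PROCESS

def tunnel_up(user: str, password: str) -> int:
    """Constructed verifier with one known credential."""
    return PASSWORD_OK if (user, password) == ("alice", "correct horse") else PASSWORD_INVALID

def simulate(chain: AuthChain, user: str, attempts: int, password: str = "wrong") -> list:
    return [chain.authenticate(user, password) for _ in range(attempts)]
```

For detection, a burst of "system connectivity error" results across many users at once points at the proxy tunnel, whereas a burst of "incorrect password" against one user is the pattern the lockout is meant to catch; keeping the two outcomes distinct in the audit log is what makes that triage possible.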

Account attributes
  • Profile attributes now correctly fall back to the next-priority mapped account attribute when the highest priority attribute is removed.

User interface
  • System onboard PDR displays "request not submitted" for Cisco IOS devices despite successful processing

    When system verification took longer than expected (e.g., 64 seconds for agtssh), the batch record lookup returned before the batch was created, causing the UI to display a false failure message. The timing/polling logic is now corrected.

  • Saved reports honor record limits

    Fixed saved report pages so the "Records to display" setting is respected. Reports with missing or unreadable spool files are shown but their controls are disabled instead of silently dropping the rows.

  • Cookie check bypass for "forgot password" flow

    Added a fix to bypass the cookie validation check when using the "forgot password" flow, which was incorrectly blocking password reset attempts when cookies were not yet established.

  • OAuth2 Authentication Port label typo corrected

    The address parameter label "OAuth2 Autentication Port" has been corrected to "OAuth2 Authentication Port" in the en-us-errmsg.kvg resource file, affecting the configuration screens for the Azure Active Directory and Exchange connectors.

Discovery
  • psupdate scheduler corruption on non-primary node

    Fixed an issue in shared schema environments where manually running auto discovery from a non-primary node could silently change local scheduler settings and leave both nodes configured as the scheduled psupdate node, causing scheduled runs to fail.

  • During discovery, the order of precedence in target attribute overrides is obeyed when listing target attributes.

  • Fixed runtime error in ObjDiffAssociate stored procedure during auto discovery when handling duplicate accounts (sharing the same stable ID) across different targets with cross-target relationships.

  • Targetsync.exe now correctly updates password expiry data

    Previously, targetsync.exe created a separate _exp.db file containing outdated expiry values, causing incorrect password expiration emails. A full discovery would fix the values, but subsequent targetsync runs reverted them.

Reporting
  • Saved reports record count and paging

    Resolved an issue where saved reports pages did not respect the "Records to display" setting and appeared to show fewer results than configured, particularly when some spool files were missing or unreadable.

  • Boolean filters behave correctly for "No"

    Fixed Boolean request attribute handling in the "Managed account check-outs / check-ins" report so that searching for "No" returns the correct results, matching how values are stored in the database.

  • Updated scheduled report configuration page to allow editing and saving the previously saved scheduled report on a patch version upgraded instance.

Component framework
  • Modified the component uninstallation to check whether the table exists before removing component data. This previously caused an exception for hid_extdb, which showed a "no such table" error.

Logging / Metrics
  • IDPM GetClientIP() now respects X-Forwarded-For

    The GetClientIP() function in idpmactcgi.cpp has been aligned with the AJAX code path (ajax.cpp) to honour X-Forwarded-For and TRUSTED_REVERSE_PROXY configuration. Previously, audit logs for IDPM events (e.g., pss_reset_success) recorded the ALB/proxy IP instead of the real client IP in reverse-proxy environments (Cloudflare → ALB → IIS → BSF).
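The added example below (written for these notes, not idpmactcgi.cpp or ajax.cpp) shows the client-IP resolution this fix aligns on, and why the trusted-proxy list matters: the header is walked from the right, every hop that belongs to a configured trusted proxy is discarded, and the first remaining address is the client; if the TCP peer itself is not a trusted proxy the header is ignored. A naive "take the leftmost value" version is included beside it because any client can set that value. TRUSTED_REVERSE_PROXY is the setting name from the note; its value and the sample addresses are constructed.

```python
import ipaddress

# Added example; not the product's GetClientIP(). TRUSTED_REVERSE_PROXY is the
# setting named in the release note; the value below is constructed (a load
# balancer subnet and a CDN edge range), as are all sample addresses.
TRUSTED_REVERSE_PROXY = ["10.0.0.0/8", "198.51.100.0/24"]

def _trusted_networks(cfg):
    return [ipaddress.ip_network(entry, strict=False) for entry in cfg]

def get_client_ip(remote_addr: str, xff_header: str,
                  trusted=TRUSTED_REVERSE_PROXY) -> str:
    """Walk X-Forwarded-For from the right, discarding trusted proxy hops;
    the first untrusted address is the client. If the connection did not
    come from a trusted proxy, the header is ignored entirely."""
    nets = _trusted_networks(trusted)

    def is_trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in nets)

    if not xff_header or not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break          # garbage in the header: fall back to the socket peer
        return hop
    return remote_addr     # every hop was a trusted proxy

def get_client_ip_naive(remote_addr: str, xff_header: str) -> str:
    """The classic mistake: trust the leftmost value, which the client controls."""
    return xff_header.split(",")[0].strip() if xff_header else remote_addr
```

In the Cloudflare → ALB → IIS chain from the note, IIS sees the ALB as the peer and the CDN edge as the rightmost header value, so both must be in TRUSTED_REVERSE_PROXY for the audit log to record the real client; anything a client prepends to the header is skipped because it sits to the left of the first untrusted hop.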

  • Frozen idmsuite.log modification time

    Fixed a threading issue that could cause the idmsuite.log file's modification timestamp to stop updating even though new log entries were being written, which made it appear as though logging had stopped when it had not.

Upgrade actions

Bravura Privilege
  • If relevant, the Link accounts on this target system to subscribers discovery option for the target system discovery template "NT_TEMPLATE" and for all discovered systems created from NT_TEMPLATE should be reviewed. By default, this setting is disabled upon installation.

Bravura Pass
  • Added the vpn-url and vpn-url-search strings. During the upgrade, these registry keys must be manually added to construct the runurl command line (cmd registry key). To do this:

    1. Open regedit and navigate to:

      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\VPN

    2. Right-click, choose New > String Value, enter vpn-url as the name, and set its value.

    3. Right-click, choose New > String Value, enter vpn-url-search as the name, and set its value.

    4. Execute upgrade with:

      msiexec /i "ska-x64.msi" /lv "upgrade-ska.log" REINSTALLMODE=amus

  • ODBC Q&A authchain: address format change in 12.9

    If upgrading from 12.7 to 12.9+, NULL target type address values are stored in key-value pair format ({server=<DSN>;}) instead of plain DSN names. The odbcqa plugin now handles both formats, but administrators should verify their external question set configuration after upgrade.
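Because this upgrade note and the "ODBC Q&A authchain compatibility with 12.9 address format" resolved issue both turn on the same parsing, the added example below (written for these notes, not odbcqa.exe) shows a parser that accepts both shapes: a plain DSN name as stored in 12.7, and the key-value form {server=<DSN>;} used from 12.9, returning the DSN to hand to SQLConnectW and rejecting an address with no usable server value rather than connecting to an empty DSN. The sample addresses are constructed; tolerating extra keys inside the braces is this example's assumption.

```python
import re

# Added example; not odbcqa.exe. Assumes the two address shapes the release
# note describes: a plain DSN name ("HRDB") and a key-value string
# ("{server=HRDB;}"). Extra keys inside the braces are tolerated by choice.
KV_RE = re.compile(r"^\{(.*)\}$", re.S)

def parse_address(address: str) -> dict:
    """Return the address as a dict of lower-cased keys.
    A plain DSN name is normalised to {'server': dsn}."""
    address = address.strip()
    match = KV_RE.match(address)
    if not match:
        # Plain 12.7-style DSN: must not contain key-value syntax characters.
        if not address or any(c in address for c in "{};="):
            raise ValueError(f"unrecognized address: {address!r}")
        return {"server": address}
    fields = {}
    for pair in match.group(1).split(";"):
        pair = pair.strip()
        if not pair:
            continue               # trailing ';' before the closing brace
        key, sep, value = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed pair: {pair!r}")
        fields[key.strip().lower()] = value.strip()
    return fields

def dsn_from_address(address: str) -> str:
    """The value to pass to SQLConnectW; fails closed on an empty server."""
    dsn = parse_address(address).get("server")
    if not dsn:
        raise ValueError("address carries no server/DSN value")
    return dsn

# Constructed samples covering both formats.
SAMPLES = {
    "12.7 plain": "HRDB",
    "12.9 key-value": "{server=HRDB;}",
    "12.9 extra keys": "{server=HRDB;database=questions;}",
}
```

After an upgrade, running the external question set's stored address through dsn_from_address is a cheap way to confirm the configuration parses as expected before users hit the Q&A authchain.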

Bravura Identity
  • Use a full build to upgrade to apply the fix for the certificate link failure with SAML authentication.

Core
  • Multi-node shared-schema upgrade pause required

    A pause is required after the primary node's Post Upgrade Tasks complete. During this pause, run setup.exe on all secondary nodes and wait for their Post Upgrade Tasks to complete. Then proceed on the primary node ("Next"), and finally on each secondary node. Command-line installations must accommodate this pause step.

  • Optional KMKeyGetByAccount fallback configuration

    For environments previously using the Qualys-specific fallback registry value, administrators should rename the KMKeyGetByAccount mapping value to the new generalized name while preserving the accountname domain resource_id format so external scanners continue to function after upgrading.

  • Embedded Python security update for supported pre-12.10 branches

    Updated the embedded Python runtime to 3.11.15 (a security bugfix release for the legacy 3.11 series) for supported release branches earlier than 12.10.0; validate any environment-specific Python dependencies against the updated binary.

Database
  • SQL Server 2025 / ODBC Driver 18+ compatibility

    All sqlcmd invocations now include the -C (TrustServerCertificate) flag. If your environment uses self-signed certificates, no action is needed. If your test automation calls sqlcmd directly outside of the product framework, add -C to those invocations as well.

Installer
  • Multi-node upgrades via command line: pause/sequence support

    Added setup.exe --pause-after-tasks for silent/command-line upgrades to support required coordination in multi-node shared-schema (and similar) environments: after post-upgrade tasks complete and before services start, the installer writes upgrade-pause.signal to the instance directory and waits until automation removes the file. Use with -U -silent to coordinate primary/secondary node sequencing.
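As an added example of the automation side of this pause (an orchestration sketch written for these notes, not setup.exe or a Bravura script), the block below waits for upgrade-pause.signal to appear in the instance directory, runs the secondary-node upgrades, and only then removes the file so the primary continues; if a secondary fails, the pause is deliberately left in place. The signal file name and the --pause-after-tasks / -U -silent flags are taken from the note; the node list, timeout and the run_secondary callable are constructed, and a thread stands in for the primary installer so the block runs offline.

```python
import tempfile
import threading
import time
from pathlib import Path
from typing import Callable, Iterable, List

# Added example of the automation side of the pause step; not setup.exe or a
# Bravura script. SIGNAL_NAME and the flags mentioned in comments come from
# the release note; nodes, timeouts and the run_secondary callable are constructed.
SIGNAL_NAME = "upgrade-pause.signal"

def wait_for_signal(instance_dir: Path, timeout_s: float, poll_s: float = 0.05) -> bool:
    """Block until the primary installer writes the signal file, or time out."""
    signal = instance_dir / SIGNAL_NAME
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if signal.exists():
            return True
        time.sleep(poll_s)
    return signal.exists()

def release_pause(instance_dir: Path) -> bool:
    """Remove the signal file so setup.exe proceeds; False if it was absent."""
    signal = instance_dir / SIGNAL_NAME
    if not signal.exists():
        return False
    signal.unlink()
    return True

def orchestrate(instance_dir: Path, secondaries: Iterable[str],
                run_secondary: Callable[[str], bool], timeout_s: float) -> List[str]:
    """Wait for the primary's pause, upgrade each secondary in turn (in real
    use run_secondary would invoke 'setup.exe -U -silent' on that node), then
    release the primary. If any secondary fails the pause is left in place so
    the primary does not start services against a half-upgraded cluster."""
    if not wait_for_signal(instance_dir, timeout_s):
        raise TimeoutError(f"{SIGNAL_NAME} never appeared in {instance_dir}")
    done: List[str] = []
    for node in secondaries:
        if not run_secondary(node):
            return done
        done.append(node)
    release_pause(instance_dir)
    return done

def simulate_primary(instance_dir: Path, delay_s: float) -> threading.Thread:
    """Constructed stand-in for 'setup.exe --pause-after-tasks -U -silent':
    writes the signal once its post-upgrade tasks finish, then waits for
    the file to be removed before 'starting services'."""
    def run():
        time.sleep(delay_s)
        (instance_dir / SIGNAL_NAME).write_text("paused\n")
        while (instance_dir / SIGNAL_NAME).exists():
            time.sleep(0.05)
    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return thread

def demo_run(delay_s: float = 0.1, secondary_ok: bool = True):
    """Offline demonstration in a temporary instance directory. Returns the
    upgraded secondaries and whether the pause file was left behind."""
    with tempfile.TemporaryDirectory() as d:
        inst = Path(d)
        primary = simulate_primary(inst, delay_s)
        upgraded = orchestrate(inst, ["node2", "node3"],
                               lambda node: secondary_ok, timeout_s=5)
        left_in_place = (inst / SIGNAL_NAME).exists()
        if not left_in_place:
            primary.join(timeout=5)
        return upgraded, left_in_place

if __name__ == "__main__":
    print("upgraded, pause left:", demo_run())
```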

Security
  • Cache-Control headers on API responses

    Sensitive API responses now include Cache-Control: no-store. HTTP clients or proxies that relied on caching authenticated API responses will no longer be served from cache. Static assets remain cacheable.

  • Apply ASP.NET Core 8.0.23 guidance

    When upgrading to this release, ensure that server environments meet the documented ASP.NET Core 8.0.23 (or later) requirements for Hosting Bundle, Runtime, and Desktop Runtime, and redeploy Bravura Security Fabric instances so that bundled DLLs are updated to the secured versions.

  • A fix was added to clear the SAML Session ID on failure to prevent authentication bypass.

    In addition this will require a change to the custom component Functional.hid_authchain_saml_auth in the authselect_default.py.

    In the process function, when checking that the SAMLSessionID exists, it returns an array [''], which will always evaluate to True, so the first string value must be extracted and tested against:

    --- if self.authchain.sessdata.get('SAMLSessionID') and sess_userid:
    +++ sess_id = self.authchain.sessdata.get('SAMLSessionID')
    +++ if isinstance(sess_id, list):
    +++     sess_id = sess_id[0]
    +++
    +++ if sess_id and sess_userid:
            # Successful SAML authentication.
            self.authchain.chains.allow_chain('SUCCESS')
            log.info("Successful authentication of user "
                      "[{}] using SAML".format(sess_userid))
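Review bot: the extraction `sess_id = sess_id[0]` raises IndexError when `self.authchain.sessdata.get('SAMLSessionID')` returns an empty list (`[]` rather than the `['']` the note describes), which would turn a failed SAML login into an unhandled exception inside process instead of the clean denial the change intends; guard it, for example `sess_id = sess_id[0] if sess_id else None`, so an empty list falls through to the failure branch exactly like a missing key. The isinstance branch also silently discards any further entries; if the session store can ever hold more than one ID, rejecting the login when `len(sess_id) != 1` is the safer choice for an authentication check.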

Notification
  • Plan OAuth transition for global-mail-plugin

    For environments using global-mail-plugin with Exchange or other OAuth-capable SMTP servers, plan to configure OAuth settings (client ID, client secret, token endpoints) ahead of Microsoft's basic-auth retirement date to avoid mail delivery interruptions.

Logging and metrics
  • Optional log flush interval tuning

    Administrators who want tighter control over idmsuite.log timestamp updates can adjust or disable the new periodic flush interval using the flush-interval-ms registry setting for the logging service. The default interval is low-overhead and suitable for most deployments; no change is required unless you have specific logging or performance needs.

Discovery
  • Validate psupdate scheduling on shared schema

    In shared schema environments, verify that psupdate is only configured to run from the intended primary node after applying these builds, and update operational procedures so administrators always initiate auto discovery from that node to avoid future scheduler conflicts.

Proxy servers
  • TunnelClient immediate reconnect behavior change

    The TunnelClient now retries immediately on disconnect. The default TunnelRetryDelay (5 minutes) remains unchanged but now only applies after the first immediate retry fails. No configuration changes are required, but administrators who set very low TunnelRetryDelay values to work around the previous behavior may wish to restore defaults.