Skip to main content

12.10.1

Features and improvements

Core

  • Hangfire QueuePollInterval changed from zero to 2 seconds

    Hangfire previously polled SQL Server ~60–100 times/second even with no jobs queued, creating constant database load. The poll interval is now 2 seconds, reducing SQL queries by ~99.4 %. Async provisioning jobs may start up to 2 seconds later on average (below the threshold of perceptible delay).

  • Added an overwrite-avoidance option to the migratedata utility

    The migratedata utility adds a new -avoid_overwrite option so it imports Q&A data only for profiles that don't already have Q&A data on the target instance.

  • Reduced IIS app pool cold-start delays

    Bravura Security Fabric enables AlwaysRunning mode and application initialization for the fox-api and fox-identity IIS app pools, eliminating the 10 to 30 second cold start that previously occurred after the periodic app pool recycle.

  • Enabled IIS dynamic compression for JSON API responses

    Bravura Security Fabric enables IIS dynamic compression and adds the application/json MIME type to the dynamic compression list, reducing JSON API response size.

  • Added cache-control headers for static assets

    Bravura Security Fabric adds Cache-Control headers for content-hashed static assets, so browsers no longer re-download unchanged files on every visit.

  • Added ASP.NET Core response compression

    Bravura Security Fabric adds ASP.NET Core response compression middleware with Brotli and gzip support for dynamic content.

  • Guarded against a missing CGI variable in authentication chain matching

    The check_match_cgi function no longer raises a TypeError when a CGI variable such as HTTP_REFERER is absent, for example when stripped by a Referrer-Policy: no-referrer header, during a contains or notcontains match.

Database

  • Fixed a self-resync timeout caused by missing schema in dump procedures

    The dump procedures for the OpenIddictCertificate and UserSetting REST tables now include the schema, resolving a timeout in the self-resync utility.

Bravura Privilege

  • Fixed data race on clipboard field in HIDSessmon ParseMessage()

    The clipboard boolean field in HIDSessmon.java is now declared volatile to ensure proper memory visibility across threads per the Java Memory Model.

  • Removed legacy branding from one-time disclosure file names

    One-time disclosure downloads no longer include legacy "hitachi" branding in the file name.

Authentication and authorization

  • Fixed the hid_authchain_recaptcha component upgrade path

    The Functional.hid_authchain_recaptcha component now upgrades correctly from version 1.0 to 1.1 during an in-place upgrade; previously the component upgrade task failed and left the component stuck at version 1.0.

  • Added an OIDC-based MFA module with Duo Universal Prompt

    Bravura Security Fabric adds a new OIDC-based multifactor authentication module, fedidp_oidcauth, with Duo Universal Prompt as the first supported provider, including HS256 and HS512 JWT signing and verification, an admin UI with a test-connection button, and audit logging for authentication events.

Workflow

  • Fixed Group ID and group description search in Role app entitlement members

    The managed-group conditional search on the Role app entitlement-members step now sources Group ID and group description from the correct fields; previously it compared the wrong field for Group ID and pulled the wrong field for group description, so searches did not return correct results.

Security

  • Cache-Control headers on sensitive API responses

    Cache-Control: no-store and Pragma: no-cache response headers are now added to sensitive API endpoints (account details, user profiles, OAuth userinfo) so browsers do not cache authenticated responses to local disk. Static assets (SVGs, localization JSON) remain cacheable. Addresses pentest finding "Cacheable HTTPS response."

REST API

  • sessionLogs endpoint ACLs enabled for authenticated users

    Authenticated users can now query the /api/rest/v2/sessionLogs endpoint filtered by their own requester ID. OData $filter, $top, and $orderby are supported. The React dashboard uses this endpoint to display "last login" on the user profile card.

  • OpenIddict token introspection caching (30 s TTL)

    Every authenticated API request previously made an HTTP round-trip to the identity server for token validation, adding 500–1000 ms per call. Introspection results are now cached in IMemoryCache keyed by SHA-256 of the token, with a TTL of min(30 s, time-until-token-expiry). This eliminates redundant introspection calls during page navigation, reducing per-page auth overhead from 2.5–10 s to near zero. Session-extension logic remains piggybacked on real introspection calls and self-heals on the next cache miss.

User interface

  • React UI npm audit vulnerabilities resolved (1 critical, 14 high, 6 moderate)

    Security vulnerabilities in handlebars, vite, lodash/lodash-es, brace-expansion, defu, flatted, and tar dependencies are resolved.

  • In-flight API queries are canceled during logout to prevent 401 errors

    The dashboard's user profile query is now canceled during session teardown, preventing unnecessary 401 console errors.

  • Deduplicated users() API calls by sorting $select parameters deterministically

    Multiple callers requesting the same user fields now produce identical React Query cache keys, eliminating duplicate network requests on page load.

  • AppBar decluttered: language and theme controls moved into user menu

    The language selector and theme toggle are moved from the top-level AppBar into the user menu dropdown, reducing visual noise in the header.

  • OData controller query performance: server-side filtering before materialization

    Multiple controllers (Attributes, SessionLogs, Credentials, Settings, Operations, Users, Groups, Accounts — 21 occurrences across 8 controllers) previously called ToListAsync() to load entire tables into memory before applying OData $filter/$top/$skip. A request for $top=10 on a 50 000-row table now loads only the matching rows at the database level instead of materializing the full table.

  • Default OData pagination (MaxTop=500)

    EnableQueryFeatures() now enforces MaxTop=500. Endpoints that previously returned all records when the client omitted $top are now capped. The React frontend already sends $top=25 and is unaffected. See Upgrade Actions for compatibility details.

  • Translation pre-loading at application startup

    The TranslationService static Translate() method (called by AutoMapper) previously used .GetAwaiter().GetResult() on async database calls, blocking thread-pool threads. On cold cache with 100 entities this could cause thread-pool starvation. All translations from the Language table are now pre-loaded into a static cache during ApplicationInitializationService startup, eliminating runtime database round-trips for translations.

  • React dashboard query consolidation

    The "At a Glance" dashboard section previously issued 7 separate API calls (4 of which independently scanned the accounts table). These have been consolidated into 1–2 navigation-property calls with client-side aggregation, reducing total API time from ~4.7 s to ~500 ms and API round-trips by 75 %.

  • Navigation-property pattern for user-scoped account queries

    User-scoped account queries now use /users({id})/accounts instead of /accounts?$filter=user/id eq X, which is 4–5× faster (241–327 ms vs 1 233–1 628 ms) because it starts with a PK lookup and follows the FK index rather than scanning the accounts table.

  • $select added to OData queries

    All useApiData calls now include $select to limit returned fields to what the component actually uses, reducing response sizes by 73–90 % (e.g., user profile from ~2 KB to ~200 B).

  • Keyboard navigation and accessibility features

    Focus management, tab order, keyboard shortcuts, skip links, landmark regions, proper ARIA attributes, and screen-reader compatibility have been implemented in the React application.

  • Performance: Cache OpenIddict token introspection results

    Every authenticated API request previously made a full HTTP round-trip to the identity server for token validation. A 30-second in-memory cache (keyed by SHA-256 of the token) now eliminates redundant introspection calls, reducing auth overhead from 2.5–10 s per page load to near zero for cached tokens.

  • Performance: Change Hangfire QueuePollInterval from zero to 2 seconds

    With QueuePollInterval=Zero, Hangfire polled SQL Server 60–100 times per second even with no queued jobs. Setting the interval to 2 seconds reduces idle SQL polling by approximately 99.4%. Background jobs may start up to 2 seconds later on average.

  • Angular: Refactor cgi.service.ts custom-link parameter passing

    Duplicated COMPONENT_ID and CUSTOM_LINK_TITLE parameter-passing logic in cgi.service.ts has been extracted to a shared helper and covered with unit tests, reducing fragility in future updates.

  • Side menu auto-expand when single item present

    Side menus with only one top-level item that has children now auto-expand on load, eliminating an unnecessary extra click.

  • Added action categorization, filtering, and search to the dashboard

    The dashboard adds action categories and tags, filtering controls, search, and a personalized recommended-actions section.

  • Upgraded Node.js and Angular for security compliance

    Bravura Security Fabric upgrades the bundled Node.js from 18.12.1 to 22.22.2 and Angular from 15 to 19 for security compliance.

  • Added a React configuration interface for customer branding

    The customer branding configuration interface adds logo upload with client-side validation, color selection, and live preview, built in React.

  • Fixed the language switcher to reflect installed languages

    The React language switcher now queries the instance for installed language packs instead of showing a hardcoded list of English, Spanish, and French.

  • Fixed a misleading session error on the idle login page

    The login page no longer shows "The session is invalid. Please log in again" when left idle before the user has logged in.

  • Fixed dark theme visual inconsistencies

    Bravura Security Fabric corrects color, contrast, and styling inconsistencies in the React UI dark theme.

  • Optimized vendor chunk splitting for delivery performance

    The React UI splits its single vendor chunk into four chunks grouped by update frequency, improving parse time and download performance for SaaS and mobile delivery.

  • Consolidated duplicate notification provider wrappers

    The React UI consolidates the duplicate NotificationProvider and NotificationsProvider wrappers into a single provider.

  • Fixed the pre-login spinner color

    The loading spinner shown before the login page appears now uses the theme's primary color instead of white.

  • Fixed the secondary branding color in the Angular UI

    The secondary color defined in branding.json now overrides the default secondary color in the Angular UI; previously only the primary color applied from the branding file, and the secondary color required a manual edit to _common.scss.

  • Moved the Angular UI build output to the /v1/ path

    The Angular UI build output and base href move to the /v1/ path.

  • Hid the legacy side menu on React-embedded pages

    The Angular layout-side-menu is now hidden on React-embedded pages, so it no longer renders alongside the React sidebar.

  • Added German, Japanese, Portuguese, and Chinese to the React UI

    The React UI adds German, Japanese, Portuguese (Brazil), and Chinese (Simplified) to its supported languages, in addition to English, French, and Spanish.

  • Fixed the dev proxy leaking the backend host on redirects

    The Vite development and preview proxy now rewrites the host in upstream redirect Location headers, preventing the backend host from leaking to the browser and causing a CORS failure.

  • Fixed a white login page background in Dark Mode after upgrade

    After upgrading, the login page background now matches the Dark Mode setting instead of appearing white.

  • Fixed legacy side menu theme mismatch in dark mode

    The legacy Angular side menu now matches the light theme of legacy page content instead of rendering dark when the React UI is set to dark mode.

  • Added a modern footer with a visible version number to the React UI

    The React UI adds a footer that keeps the version number visible while showing secondary content, such as copyright and links, unobtrusively.

  • Fixed relative timestamps that stopped updating in background browser tabs.

    Relative timestamps in the new user interface now keep listening for visibility and language changes even when a component mounts while its browser tab is in the background, so timestamps resume updating correctly when the tab becomes visible again.

Reporting

  • Fixed inconsistent data across report output formats

    Downloading a saved report after changing its search condition previously returned the updated results only in CSV format, with PDF and HTML formats showing the original condition's results; all formats now reflect the current condition.

Proxy servers

  • Immediate WebSocket reconnect on tunnel disconnect

    The TunnelClient now retries the WebSocket connection immediately upon disconnect before applying TunnelRetryDelay (default 5 minutes). The backoff delay only kicks in after the immediate retry fails. This significantly reduces downtime for proxy-dependent operations (logins, password verifications, PAM sessions) during transient network interruptions.

Resolved issues

Discovery

  • Targetsync.exe now correctly updates password expiry data

    Previously, targetsync.exe created a separate _exp.db file containing outdated expiry values, causing incorrect password expiration emails. A full discovery would fix the values, but subsequent targetsync runs reverted them.

Database

  • DB_REPLICATION_QUEUE_DELAY_PAST_THRESHOLD false positive during system reboot suppressed

    The alert was triggered during normal service initialization when the queue_delay is initialized to INT_MAX before any records are processed. The alert is now suppressed when the value is INT_MAX within 10 minutes of system boot. No functional impact to data consistency or replication.

  • Fixed a missing index causing replication delays

    A missing filtered index on wstnpwdchkout_full that caused PolicyRuleComputerPrepare to run a full table scan, blocking database replication on large environments, is fixed.

Bravura Pass

  • React UI: hid_password_policy_haveibeenpwned plugin rejects all passwords

    In the React UI, the hid_password_policy_haveibeenpwned password policy plugin evaluated passwords successfully (confirmed by logs) but did not return the pass/fail status to the UI. All passwords appeared rejected regardless of whether they were compromised. The legacy (v1) interface was unaffected. The plugin result is now correctly propagated to the React UI.

Bravura Privilege

  • Guacamole HIDSessmon clipboard data race

    Fixed a data race on the clipboard boolean field in HIDSessmon.java where concurrent access by HIDSessmonReader and HIDSessmonWriter threads lacked synchronization. The field is now declared volatile to ensure proper memory visibility per the Java Memory Model.

  • SSH session recording playback with Guacamole 1.6 fixed

    SSH session recordings previously showed a gray/black screen during playback in the Sessmon App, although live viewing worked correctly. The issue was specific to the Guacamole 1.6 SSH recording/playback pipeline. RDP sessions were not affected.

  • Lost guacamole-rdp access disclosure plugin attributes resolved

    When ARCHIVE_ONBOARDED_SYSTEM processed a DELETE action, the WstnClean stored procedure could inadvertently delete all guacamole-rdp disclosure attributes for unrelated systems. The cleanup logic is now scoped correctly.

  • Fixed disclosure plugin launch from Checkouts > Active

    Clicking Login on a saved session from the Checkouts > Active screen now launches the disclosure plugin, such as Remote Desktop, instead of downloading a file named download.htm.

  • Fixed a TypeError when creating a saved session for a disclosure plugin

    Creating a saved session for a disclosure plugin with override-allowed attributes no longer throws a JavaScript TypeError in _cloneUserDisclosure.

Bravura One

  • iOS and Android metrics and data points fail to load

    On Fabric 12.10.0 build 42390 with Cloud Proxy CGI, metrics and data points failed to load on both iOS and Android devices. On iOS, login after authentication took several minutes. Android displayed net::ERR_TOO_MANY_RETRIES. This has been resolved.

Authentication and authorization

  • False user lockouts from proxy communication failures

    The auth chain no longer increments the invalid password lockout counter when a proxy tunnel communication failure (agent error code 25 / PLUGIN_ERROR_PROCESS) occurs. Previously, transient proxy outages during WebSocket reconnect cycles caused agtaddn.exe failures to be treated as failed password attempts, locking out users whose passwords were never validated. Users now receive a system connectivity error instead of "incorrect password."

  • Fixed the Duo Universal Prompt showing the wrong tag name on mobile devices.

    When users authenticate through an OIDC-based authentication chain configured with Duo Universal Prompt, the prompt now displays the chain's actual tag name instead of a generic label on mobile devices.

  • Clarified the Redirect URI field description for the Duo Universal Prompt authentication chain.

    The OIDCAUTH authentication chain configuration page now includes clearer guidance for the Redirect URI field, helping administrators complete Duo Universal Prompt setup correctly.

Workflow

  • Fixed rehire requests stuck pending approval for AD account creation

    A rehire whose profile and Active Directory account had been deleted, but who had a new source-of-record change, could generate a request that stayed stuck pending approval instead of routing as a new-employee request. This has been fixed.

  • Fixed entitlement search failures in the Role app's update-entitlements step

    Selecting certain specific drop-down options when searching entitlement members while creating or updating a role caused the search to fail. Entitlement search now returns results correctly for these options.

REST API

  • REST API v2 unit test failures for SessionLogs and TargetSystems

    Fixed 20 failing unit tests (14 in v2, 6 in v1) in the REST.Test suite that were failing since the c270987d commit.

  • OTP account creation API regressions

    Resolved breaking behavior changes where WFRequestActionsGet returned F after PDR completion (instead of S) and WFRequestAttrsGet did not return created PAM UTIL account information, impacting integrations such as DTCC's PAMUtil automation.

Security

  • Fixed a cacheable HTTPS response finding

    HTTPS responses that could contain sensitive information are no longer cacheable by the browser, resolving a moderate-severity penetration test finding.

User interface

  • System onboard PDR displays "request not submitted" for Cisco IOS devices despite successful processing

    When system verification took longer than expected (e.g., 64 seconds for agtssh), the batch record lookup returned before the batch was created, causing the UI to display a false failure message. The timing/polling logic is now corrected.

  • Fix refresh loop causing unexpected logout in React UI

    Eliminated the infinite refresh loop between /#/__refresh and /#/ that eventually caused session timeouts and unexpected logouts. Dashboard cache clearing now uses React Query's invalidateQueries() method.

  • Momentary spinner flash during page navigation eliminated

    A loading spinner that appeared on the current page before navigation completed has been removed, and the sidemenu now prevents additional clicks during navigation.

  • PAM refbuild "Manage Resources" custom link now displayed on React PSF screens

    When RefBuild.pam_team_management is installed, the "Manage Resources" custom link now appears correctly on the React PSF screens, matching the legacy (Angular/CGI) behavior.

  • Iframe reference race condition during logout

    Fixed a race condition where the Angular legacy app sent a postMessage to show the iframe before the React iframe ref was mounted, producing "Cannot show iframe: no iframe reference" warnings during logout transitions.

  • MUI anchorEl warning in UserMenu during logout transition

    The UserMenu's anchorEl reference became stale when the component tree unmounted during logout, causing MUI's Popover to attempt positioning against a removed DOM element.

  • Angular header and sidebar flash during login page load

    The Angular header and sidebar briefly flashed on the login page during initial load and every ~75 s session refresh because the body[data-transaction="C_AUTHCHAIN_LOGIN"] CSS selector was not applied until Angular bootstrapped. The data-transaction attribute is now set in index.html so the header starts hidden by default.

  • Double headers intermittently shown on UI pages

    A duplicate header bar was sometimes rendered when clicking through pages or performing a browser refresh.

  • Duplicate session-expiry error messages

    When a session expired, both the Angular and React session-expiry handlers fired, producing two overlapping error messages. A single handler now owns the notification.

  • Login page idle session-expiry error

    The login page displayed "The session is invalid. Please log in again." when left idle. This spurious error is now suppressed so the login page remains clean after idle periods.

  • Double headers sometimes shown in UI pages

    Navigating between pages or performing a browser refresh intermittently caused duplicate page headers to appear. This rendering issue has been resolved.

  • Left side menu remains on login prompt after session timeout

    When a session timed out, the left navigation menu persisted on the login prompt page. The menu is now correctly hidden on the login screen.

  • PAM RefBuild.pam_team_management "Manage Resources" custom link not displayed on React PSF screens

    When RefBuild.pam_team_management was installed, the "Manage Resources" custom link appeared on legacy (Angular/CGI) screens but was missing on React PSF screens. The link now renders on both.

  • Fix the profile picture not displaying

    The profile picture now displays correctly in the React UI.

  • Fix delayed language updates on the dashboard

    The dashboard All Actions and Other Actions sections now update their translated text immediately when the display language changes.

  • Fix the side menu remaining visible on the login prompt after a session times out.

    When a user's session expires, the new user interface now hides the left side menu along with the rest of the authenticated layout while the login prompt is shown.

Proxy servers

  • Fixed an unhandled exception in the proxy tunnel that could crash the web server process.

    Bravura Security Fabric no longer crashes w3wp.exe when a WebSocket connection through TunnelHost.dll is disposed unexpectedly; the tunnel now handles the exception gracefully.

Logging and metrics

  • IDPM GetClientIP() now respects X-Forwarded-For

    The GetClientIP() function in idpmactcgi.cpp has been aligned with the AJAX code path (ajax.cpp) to honour X-Forwarded-For and TRUSTED_REVERSE_PROXY configuration. Previously, audit logs for IDPM events (e.g., pss_reset_success) recorded the ALB/proxy IP instead of the real client IP in reverse-proxy environments (Cloudflare → ALB → IIS → BSF).

Upgrade actions

Security

  • Cache-Control headers on API responses

    Sensitive API responses now include Cache-Control: no-store. HTTP clients or proxies that relied on caching authenticated API responses will no longer be served from cache. Static assets remain cacheable.

Core

  • Hangfire poll interval increased to 2 seconds

    Asynchronous REST mutation jobs (Users, Settings, Credentials, TargetSystems, Policies, Platforms, Groups, Accounts, ManagedAccounts/Secrets, ApplicationSettings, PasswordPolicies) may now start up to 2 seconds after submission instead of near-instantly. Average added latency is ~1 s, well below the perceptible threshold for admin operations. No client-side changes are required.

User interface

  • OData pagination cap (MaxTop=500)

    OData endpoints now enforce MaxTop=500. The React frontend already sends $top=25 and is unaffected. However, Angular legacy UI pages, customer integrations, and admin scripts that expect unbounded result sets from the REST API v2 may need to implement client-side pagination. This is a potentially breaking change for consumers that omit $top or set $top above 500.

Connectors

  • Connector Pack upgrade procedure

    Review the updated Connector Pack upgrade documentation for clarified guidance on whether to use the upgrade option or uninstall/reinstall.

Proxy servers

  • TunnelClient immediate reconnect behavior change

    The TunnelClient now retries immediately on disconnect. The default TunnelRetryDelay (5 minutes) remains unchanged but now only applies after the first immediate retry fails. No configuration changes are required, but administrators who set very low TunnelRetryDelay values to work around the previous behavior may wish to restore defaults.