12.10.1
Features and improvements
Core
Hangfire QueuePollInterval changed from zero to 2 seconds
Hangfire previously polled SQL Server ~60–100 times/second even with no jobs queued, creating constant database load. The poll interval is now 2 seconds, reducing SQL queries by ~99.4 %. Async provisioning jobs may start up to 2 seconds later on average (below the threshold of perceptible delay).
Added an overwrite-avoidance option to the migratedata utility
The
migratedatautility adds a new-avoid_overwriteoption so it imports Q&A data only for profiles that don't already have Q&A data on the target instance.Reduced IIS app pool cold-start delays
Bravura Security Fabric enables AlwaysRunning mode and application initialization for the
fox-apiandfox-identityIIS app pools, eliminating the 10 to 30 second cold start that previously occurred after the periodic app pool recycle.Enabled IIS dynamic compression for JSON API responses
Bravura Security Fabric enables IIS dynamic compression and adds the
application/jsonMIME type to the dynamic compression list, reducing JSON API response size.Added cache-control headers for static assets
Bravura Security Fabric adds Cache-Control headers for content-hashed static assets, so browsers no longer re-download unchanged files on every visit.
Added ASP.NET Core response compression
Bravura Security Fabric adds ASP.NET Core response compression middleware with Brotli and gzip support for dynamic content.
Guarded against a missing CGI variable in authentication chain matching
The
check_match_cgifunction no longer raises a TypeError when a CGI variable such asHTTP_REFERERis absent, for example when stripped by a Referrer-Policy: no-referrer header, during a contains or notcontains match.
Database
Fixed a self-resync timeout caused by missing schema in dump procedures
The dump procedures for the
OpenIddictCertificateandUserSettingREST tables now include the schema, resolving a timeout in the self-resync utility.
Bravura Privilege
Fixed data race on clipboard field in HIDSessmon ParseMessage()
The clipboard boolean field in
HIDSessmon.javais now declaredvolatileto ensure proper memory visibility across threads per the Java Memory Model.Removed legacy branding from one-time disclosure file names
One-time disclosure downloads no longer include legacy "hitachi" branding in the file name.
Authentication and authorization
Fixed the hid_authchain_recaptcha component upgrade path
The
Functional.hid_authchain_recaptchacomponent now upgrades correctly from version 1.0 to 1.1 during an in-place upgrade; previously the component upgrade task failed and left the component stuck at version 1.0.Added an OIDC-based MFA module with Duo Universal Prompt
Bravura Security Fabric adds a new OIDC-based multifactor authentication module,
fedidp_oidcauth, with Duo Universal Prompt as the first supported provider, including HS256 and HS512 JWT signing and verification, an admin UI with a test-connection button, and audit logging for authentication events.
Workflow
Fixed Group ID and group description search in Role app entitlement members
The managed-group conditional search on the Role app entitlement-members step now sources Group ID and group description from the correct fields; previously it compared the wrong field for Group ID and pulled the wrong field for group description, so searches did not return correct results.
Security
Cache-Control headers on sensitive API responses
Cache-Control: no-storeandPragma: no-cacheresponse headers are now added to sensitive API endpoints (account details, user profiles, OAuth userinfo) so browsers do not cache authenticated responses to local disk. Static assets (SVGs, localization JSON) remain cacheable. Addresses pentest finding "Cacheable HTTPS response."
REST API
sessionLogs endpoint ACLs enabled for authenticated users
Authenticated users can now query the
/api/rest/v2/sessionLogsendpoint filtered by their own requester ID. OData$filter,$top, and$orderbyare supported. The React dashboard uses this endpoint to display "last login" on the user profile card.OpenIddict token introspection caching (30 s TTL)
Every authenticated API request previously made an HTTP round-trip to the identity server for token validation, adding 500–1000 ms per call. Introspection results are now cached in
IMemoryCachekeyed by SHA-256 of the token, with a TTL of min(30 s, time-until-token-expiry). This eliminates redundant introspection calls during page navigation, reducing per-page auth overhead from 2.5–10 s to near zero. Session-extension logic remains piggybacked on real introspection calls and self-heals on the next cache miss.
User interface
React UI npm audit vulnerabilities resolved (1 critical, 14 high, 6 moderate)
Security vulnerabilities in handlebars, vite, lodash/lodash-es, brace-expansion, defu, flatted, and tar dependencies are resolved.
In-flight API queries are canceled during logout to prevent 401 errors
The dashboard's user profile query is now canceled during session teardown, preventing unnecessary 401 console errors.
Deduplicated users() API calls by sorting $select parameters deterministically
Multiple callers requesting the same user fields now produce identical React Query cache keys, eliminating duplicate network requests on page load.
AppBar decluttered: language and theme controls moved into user menu
The language selector and theme toggle are moved from the top-level AppBar into the user menu dropdown, reducing visual noise in the header.
OData controller query performance: server-side filtering before materialization
Multiple controllers (Attributes, SessionLogs, Credentials, Settings, Operations, Users, Groups, Accounts — 21 occurrences across 8 controllers) previously called
ToListAsync()to load entire tables into memory before applying OData$filter/$top/$skip. A request for$top=10on a 50 000-row table now loads only the matching rows at the database level instead of materializing the full table.Default OData pagination (MaxTop=500)
EnableQueryFeatures()now enforcesMaxTop=500. Endpoints that previously returned all records when the client omitted$topare now capped. The React frontend already sends$top=25and is unaffected. See Upgrade Actions for compatibility details.Translation pre-loading at application startup
The
TranslationServicestaticTranslate()method (called by AutoMapper) previously used.GetAwaiter().GetResult()on async database calls, blocking thread-pool threads. On cold cache with 100 entities this could cause thread-pool starvation. All translations from the Language table are now pre-loaded into a static cache duringApplicationInitializationServicestartup, eliminating runtime database round-trips for translations.React dashboard query consolidation
The "At a Glance" dashboard section previously issued 7 separate API calls (4 of which independently scanned the accounts table). These have been consolidated into 1–2 navigation-property calls with client-side aggregation, reducing total API time from ~4.7 s to ~500 ms and API round-trips by 75 %.
Navigation-property pattern for user-scoped account queries
User-scoped account queries now use
/users({id})/accountsinstead of/accounts?$filter=user/id eq X, which is 4–5× faster (241–327 ms vs 1 233–1 628 ms) because it starts with a PK lookup and follows the FK index rather than scanning the accounts table.$selectadded to OData queriesAll
useApiDatacalls now include$selectto limit returned fields to what the component actually uses, reducing response sizes by 73–90 % (e.g., user profile from ~2 KB to ~200 B).Keyboard navigation and accessibility features
Focus management, tab order, keyboard shortcuts, skip links, landmark regions, proper ARIA attributes, and screen-reader compatibility have been implemented in the React application.
Performance: Cache
OpenIddicttoken introspection resultsEvery authenticated API request previously made a full HTTP round-trip to the identity server for token validation. A 30-second in-memory cache (keyed by SHA-256 of the token) now eliminates redundant introspection calls, reducing auth overhead from 2.5–10 s per page load to near zero for cached tokens.
Performance: Change
HangfireQueuePollInterval from zero to 2 secondsWith
QueuePollInterval=Zero,Hangfirepolled SQL Server 60–100 times per second even with no queued jobs. Setting the interval to 2 seconds reduces idle SQL polling by approximately 99.4%. Background jobs may start up to 2 seconds later on average.Angular: Refactor
cgi.service.tscustom-link parameter passingDuplicated
COMPONENT_IDandCUSTOM_LINK_TITLEparameter-passing logic incgi.service.tshas been extracted to a shared helper and covered with unit tests, reducing fragility in future updates.Side menu auto-expand when single item present
Side menus with only one top-level item that has children now auto-expand on load, eliminating an unnecessary extra click.
Added action categorization, filtering, and search to the dashboard
The dashboard adds action categories and tags, filtering controls, search, and a personalized recommended-actions section.
Upgraded Node.js and Angular for security compliance
Bravura Security Fabric upgrades the bundled Node.js from 18.12.1 to 22.22.2 and Angular from 15 to 19 for security compliance.
Added a React configuration interface for customer branding
The customer branding configuration interface adds logo upload with client-side validation, color selection, and live preview, built in React.
Fixed the language switcher to reflect installed languages
The React language switcher now queries the instance for installed language packs instead of showing a hardcoded list of English, Spanish, and French.
Fixed a misleading session error on the idle login page
The login page no longer shows "The session is invalid. Please log in again" when left idle before the user has logged in.
Fixed dark theme visual inconsistencies
Bravura Security Fabric corrects color, contrast, and styling inconsistencies in the React UI dark theme.
Optimized vendor chunk splitting for delivery performance
The React UI splits its single vendor chunk into four chunks grouped by update frequency, improving parse time and download performance for SaaS and mobile delivery.
Consolidated duplicate notification provider wrappers
The React UI consolidates the duplicate NotificationProvider and NotificationsProvider wrappers into a single provider.
Fixed the pre-login spinner color
The loading spinner shown before the login page appears now uses the theme's primary color instead of white.
Fixed the secondary branding color in the Angular UI
The secondary color defined in
branding.jsonnow overrides the default secondary color in the Angular UI; previously only the primary color applied from the branding file, and the secondary color required a manual edit to_common.scss.Moved the Angular UI build output to the /v1/ path
The Angular UI build output and base href move to the
/v1/path.Hid the legacy side menu on React-embedded pages
The Angular
layout-side-menuis now hidden on React-embedded pages, so it no longer renders alongside the React sidebar.Added German, Japanese, Portuguese, and Chinese to the React UI
The React UI adds German, Japanese, Portuguese (Brazil), and Chinese (Simplified) to its supported languages, in addition to English, French, and Spanish.
Fixed the dev proxy leaking the backend host on redirects
The Vite development and preview proxy now rewrites the host in upstream redirect Location headers, preventing the backend host from leaking to the browser and causing a CORS failure.
Fixed a white login page background in Dark Mode after upgrade
After upgrading, the login page background now matches the Dark Mode setting instead of appearing white.
Fixed legacy side menu theme mismatch in dark mode
The legacy Angular side menu now matches the light theme of legacy page content instead of rendering dark when the React UI is set to dark mode.
Added a modern footer with a visible version number to the React UI
The React UI adds a footer that keeps the version number visible while showing secondary content, such as copyright and links, unobtrusively.
Fixed relative timestamps that stopped updating in background browser tabs.
Relative timestamps in the new user interface now keep listening for visibility and language changes even when a component mounts while its browser tab is in the background, so timestamps resume updating correctly when the tab becomes visible again.
Reporting
Fixed inconsistent data across report output formats
Downloading a saved report after changing its search condition previously returned the updated results only in CSV format, with PDF and HTML formats showing the original condition's results; all formats now reflect the current condition.
Proxy servers
Immediate WebSocket reconnect on tunnel disconnect
The
TunnelClientnow retries the WebSocket connection immediately upon disconnect before applyingTunnelRetryDelay(default 5 minutes). The backoff delay only kicks in after the immediate retry fails. This significantly reduces downtime for proxy-dependent operations (logins, password verifications, PAM sessions) during transient network interruptions.
Resolved issues
Discovery
Targetsync.exe now correctly updates password expiry data
Previously,
targetsync.execreated a separate_exp.dbfile containing outdated expiry values, causing incorrect password expiration emails. A full discovery would fix the values, but subsequenttargetsyncruns reverted them.
Database
DB_REPLICATION_QUEUE_DELAY_PAST_THRESHOLD false positive during system reboot suppressed
The alert was triggered during normal service initialization when the queue_delay is initialized to INT_MAX before any records are processed. The alert is now suppressed when the value is INT_MAX within 10 minutes of system boot. No functional impact to data consistency or replication.
Fixed a missing index causing replication delays
A missing filtered index on
wstnpwdchkout_fullthat causedPolicyRuleComputerPrepareto run a full table scan, blocking database replication on large environments, is fixed.
Bravura Pass
React UI:
hid_password_policy_haveibeenpwnedplugin rejects all passwordsIn the React UI, the
hid_password_policy_haveibeenpwnedpassword policy plugin evaluated passwords successfully (confirmed by logs) but did not return the pass/fail status to the UI. All passwords appeared rejected regardless of whether they were compromised. The legacy (v1) interface was unaffected. The plugin result is now correctly propagated to the React UI.
Bravura Privilege
Guacamole
HIDSessmonclipboard data raceFixed a data race on the
clipboardboolean field inHIDSessmon.javawhere concurrent access byHIDSessmonReaderandHIDSessmonWriterthreads lacked synchronization. The field is now declared volatile to ensure proper memory visibility per the Java Memory Model.SSH session recording playback with Guacamole 1.6 fixed
SSH session recordings previously showed a gray/black screen during playback in the Sessmon App, although live viewing worked correctly. The issue was specific to the Guacamole 1.6 SSH recording/playback pipeline. RDP sessions were not affected.
Lost guacamole-rdp access disclosure plugin attributes resolved
When
ARCHIVE_ONBOARDED_SYSTEMprocessed a DELETE action, theWstnCleanstored procedure could inadvertently delete all guacamole-rdp disclosure attributes for unrelated systems. The cleanup logic is now scoped correctly.Fixed disclosure plugin launch from Checkouts > Active
Clicking Login on a saved session from the screen now launches the disclosure plugin, such as Remote Desktop, instead of downloading a file named
download.htm.Fixed a TypeError when creating a saved session for a disclosure plugin
Creating a saved session for a disclosure plugin with override-allowed attributes no longer throws a JavaScript TypeError in
_cloneUserDisclosure.
Bravura One
iOS and Android metrics and data points fail to load
On Fabric 12.10.0 build 42390 with
Cloud Proxy CGI, metrics and data points failed to load on both iOS and Android devices. On iOS, login after authentication took several minutes. Android displayednet::ERR_TOO_MANY_RETRIES. This has been resolved.
Authentication and authorization
False user lockouts from proxy communication failures
The auth chain no longer increments the invalid password lockout counter when a proxy tunnel communication failure (agent error code 25 /
PLUGIN_ERROR_PROCESS) occurs. Previously, transient proxy outages during WebSocket reconnect cycles causedagtaddn.exefailures to be treated as failed password attempts, locking out users whose passwords were never validated. Users now receive a system connectivity error instead of "incorrect password."Fixed the Duo Universal Prompt showing the wrong tag name on mobile devices.
When users authenticate through an OIDC-based authentication chain configured with Duo Universal Prompt, the prompt now displays the chain's actual tag name instead of a generic label on mobile devices.
Clarified the Redirect URI field description for the Duo Universal Prompt authentication chain.
The
OIDCAUTHauthentication chain configuration page now includes clearer guidance for the Redirect URI field, helping administrators complete Duo Universal Prompt setup correctly.
Workflow
Fixed rehire requests stuck pending approval for AD account creation
A rehire whose profile and Active Directory account had been deleted, but who had a new source-of-record change, could generate a request that stayed stuck pending approval instead of routing as a new-employee request. This has been fixed.
Fixed entitlement search failures in the Role app's update-entitlements step
Selecting certain specific drop-down options when searching entitlement members while creating or updating a role caused the search to fail. Entitlement search now returns results correctly for these options.
REST API
REST API v2 unit test failures for SessionLogs and TargetSystems
Fixed 20 failing unit tests (14 in v2, 6 in v1) in the
REST.Testsuite that were failing since thec270987dcommit.OTP account creation API regressions
Resolved breaking behavior changes where
WFRequestActionsGetreturnedFafter PDR completion (instead ofS) andWFRequestAttrsGetdid not return created PAM UTIL account information, impacting integrations such as DTCC's PAMUtil automation.
Security
Fixed a cacheable HTTPS response finding
HTTPS responses that could contain sensitive information are no longer cacheable by the browser, resolving a moderate-severity penetration test finding.
User interface
System onboard PDR displays "request not submitted" for Cisco IOS devices despite successful processing
When system verification took longer than expected (e.g., 64 seconds for
agtssh), the batch record lookup returned before the batch was created, causing the UI to display a false failure message. The timing/polling logic is now corrected.Fix refresh loop causing unexpected logout in React UI
Eliminated the infinite refresh loop between
/#/__refreshand/#/that eventually caused session timeouts and unexpected logouts. Dashboard cache clearing now uses React Query'sinvalidateQueries()method.Momentary spinner flash during page navigation eliminated
A loading spinner that appeared on the current page before navigation completed has been removed, and the sidemenu now prevents additional clicks during navigation.
PAM refbuild "Manage Resources" custom link now displayed on React PSF screens
When
RefBuild.pam_team_managementis installed, the "Manage Resources" custom link now appears correctly on the React PSF screens, matching the legacy (Angular/CGI) behavior.Iframe reference race condition during logout
Fixed a race condition where the Angular legacy app sent a postMessage to show the iframe before the React iframe ref was mounted, producing "Cannot show iframe: no iframe reference" warnings during logout transitions.
MUI anchorEl warning in UserMenu during logout transition
The UserMenu's
anchorElreference became stale when the component tree unmounted during logout, causing MUI's Popover to attempt positioning against a removed DOM element.Angular header and sidebar flash during login page load
The Angular header and sidebar briefly flashed on the login page during initial load and every ~75 s session refresh because the
body[data-transaction="C_AUTHCHAIN_LOGIN"]CSS selector was not applied until Angular bootstrapped. Thedata-transactionattribute is now set inindex.htmlso the header starts hidden by default.Double headers intermittently shown on UI pages
A duplicate header bar was sometimes rendered when clicking through pages or performing a browser refresh.
Duplicate session-expiry error messages
When a session expired, both the Angular and React session-expiry handlers fired, producing two overlapping error messages. A single handler now owns the notification.
Login page idle session-expiry error
The login page displayed "The session is invalid. Please log in again." when left idle. This spurious error is now suppressed so the login page remains clean after idle periods.
Double headers sometimes shown in UI pages
Navigating between pages or performing a browser refresh intermittently caused duplicate page headers to appear. This rendering issue has been resolved.
Left side menu remains on login prompt after session timeout
When a session timed out, the left navigation menu persisted on the login prompt page. The menu is now correctly hidden on the login screen.
PAM
RefBuild.pam_team_management"Manage Resources" custom link not displayed on React PSF screensWhen
RefBuild.pam_team_managementwas installed, the "Manage Resources" custom link appeared on legacy (Angular/CGI) screens but was missing on React PSF screens. The link now renders on both.Fix the profile picture not displaying
The profile picture now displays correctly in the React UI.
Fix delayed language updates on the dashboard
The dashboard All Actions and Other Actions sections now update their translated text immediately when the display language changes.
Fix the side menu remaining visible on the login prompt after a session times out.
When a user's session expires, the new user interface now hides the left side menu along with the rest of the authenticated layout while the login prompt is shown.
Proxy servers
Fixed an unhandled exception in the proxy tunnel that could crash the web server process.
Bravura Security Fabric no longer crashes w3wp.exe when a WebSocket connection through
TunnelHost.dllis disposed unexpectedly; the tunnel now handles the exception gracefully.
Logging and metrics
IDPM
GetClientIP()now respects X-Forwarded-ForThe
GetClientIP()function inidpmactcgi.cpphas been aligned with the AJAX code path (ajax.cpp) to honour X-Forwarded-For andTRUSTED_REVERSE_PROXYconfiguration. Previously, audit logs for IDPM events (e.g.,pss_reset_success) recorded the ALB/proxy IP instead of the real client IP in reverse-proxy environments (Cloudflare → ALB → IIS → BSF).
Upgrade actions
Security
Cache-Control headers on API responses
Sensitive API responses now include
Cache-Control: no-store. HTTP clients or proxies that relied on caching authenticated API responses will no longer be served from cache. Static assets remain cacheable.
Core
Hangfire poll interval increased to 2 seconds
Asynchronous REST mutation jobs (Users, Settings, Credentials, TargetSystems, Policies, Platforms, Groups, Accounts, ManagedAccounts/Secrets, ApplicationSettings, PasswordPolicies) may now start up to 2 seconds after submission instead of near-instantly. Average added latency is ~1 s, well below the perceptible threshold for admin operations. No client-side changes are required.
User interface
OData pagination cap (
MaxTop=500)OData endpoints now enforce
MaxTop=500. The React frontend already sends$top=25and is unaffected. However, Angular legacy UI pages, customer integrations, and admin scripts that expect unbounded result sets from the REST API v2 may need to implement client-side pagination. This is a potentially breaking change for consumers that omit$topor set$topabove 500.
Connectors
Connector Pack upgrade procedure
Review the updated
Connector Packupgrade documentation for clarified guidance on whether to use the upgrade option or uninstall/reinstall.
Proxy servers
TunnelClientimmediate reconnect behavior changeThe
TunnelClientnow retries immediately on disconnect. The defaultTunnelRetryDelay(5 minutes) remains unchanged but now only applies after the first immediate retry fails. No configuration changes are required, but administrators who set very lowTunnelRetryDelayvalues to work around the previous behavior may wish to restore defaults.