Administration changelog

Check and, if necessary, adjust the HTTP proxy configurations. Up to now, a '/' was always appended to the configured connection URL. This is no longer the case. If your HTTP proxy target requires this and the URL is currently configured without a '/' at the end, please adjust it accordingly.

BPC now supports PKCE (Proof Key for Code Exchange) for OpenID Connect and Keycloak Identity Provider to enable a hardened login flow. To activate this, you need to set the PKCE method in the Identity Provider backend connection and, if necessary, configure this in your Keycloak client.

When reindexing, the old index is deleted instead of being closed as before. The user is offered the option to create a backup before reindexing.

The driver provided via pax-jdbc-mssql is no longer delivered.

Please ensure that the MSSQL driver used has at least one of the following versions: 10.2.4, 11.2.4, 12.2.1, 12.6.5, 12.8.2, 12.10.2, 13.2.1

If an older driver is being used, it should be replaced. Remove the old driver by deleting it from the deploy directory or by uninstalling pax-jdbc-mssql or the driver itself. Then install a current driver (without the pax-jdbc-mssql feature). See also: Databases

Check and, if necessary, adjust the HTTP proxy configurations. Up to now, a '/' was always appended to the configured connection URL. This is no longer the case. If your HTTP proxy target requires this and the URL is currently configured without a '/' at the end, please adjust it accordingly.

If an error occurs during the migration of an index, the newly created index for the migration will be removed again in order to avoid subsequent errors or to revert to a stable state.

By default, the accessibility of Karaf via SSH connections is now restricted to the host localhost. To enable accessibility via external connections, use the central configuration file. See Karaf SSH Access.

Connections to OpenSearch are now configured exclusively via de.virtimo.bpc.core.opensearch.hosts. When updating from an older version, you must add the entry de.virtimo.bpc.core.opensearch.hosts to the configuration file karaf/etc/de.virtimo.bpc.core.cfg. Additionally, it is recommended to supplement the central configuration file with the lines

or

(as shown here with the example https://localhost:9200) [https://localhost:9200)]. You can use the files from the download file server as a reference.

The use of Java 21 is now necessary.

These metrics have been renamed:

INUBIT is no longer supported as an Identity Provider.

For the Identity Provider (Backend Connections), a large part was previously configured via a JSON setting. This has been split into individual settings. Existing configurations are migrated automatically. If older deployment exports of Identity Provider components are used, it is best to recreate them.

See also: Create, configure and use an identity provider, Database as identity provider, Keycloak as an identity provider, Keycloak and dynamic redirect URIs, Deployment constraints

The endpoint /cxf/bpc-core/status/server/{serverUUID} of the status API, which queried the status of a remote BPC, has been removed.

The query string parameters gridId, gridExtId, multiRecords, buttonId and the form parameter tablePrefix have been removed from the process action requests. To send additional context or configuration information, "process action metadata" can be configured in the monitor settings.

In process starters, the XML that was sent has been replaced by JSON. As a result, portletArchiveName, operation, mandant, gridID, key, bpcModule, bpcModuleInstanceId and custom have been removed. key has been uniformly renamed to id. Additional context or configuration information can be reliably sent via the "metadata" configuration in the process starter configuration in the monitor settings. The process parameters are bundled under config.parameters in the request payload. File uploads contain filename, type and data. Grids contain a list of their records.

In Change State, tablePrefix, mandant and changeStatusBox_<column name> have been removed. command has been uniformly renamed to type and receives the value "statusChange". columnsstring has been renamed to column. newStatusCombo_<column name> has been renamed to newStatus. commentfield has been renamed to comment. childStatus is no longer set to "Info" by default in the Change State configuration and, if configured, is migrated to metadata. Additional information can be passed in the "metadata" object in the Change State configuration.

See also Migration from BPC 4.* to BPC 5.0 Configuration of process actions Process Starter

The unused settings inubit_aperakEndPoint, inubit_dbGridId and inubit_pmMandant have been removed. The settings inubit_actionEndpoint, inubit_changeStateEndpoint and inubit_VpsEndpoint have been replaced by actionEndpointProcessor, changeStateEndpointProcessor and vpsEndpointProcessor.

HTTP proxy backend connections and flow connections now always filter the session cookie so that a recipient cannot make calls in the BPC in the context of the user. The setting filterSessionCookie is therefore no longer required. Instead, with the new setting sendSessionId, it is possible to send the user’s session ID, which can be verified at the endpoint GET /cxf/bpc-core/authentication/session/{sessionid}. When the injectUserSessionJWT setting is enabled, a self-created JWT is no longer sent, but rather the signed ID token from the OpenID Connect provider is sent. You can find more details in Backend Connections - HTTP-Proxy.

Http calls via an Http-Proxy or Flow connection filter out the BPC Api-Key header (X-APIKey). Attention: This could affect existing BPC configurations, for example if an INUBIT process is triggered that in turn makes calls to the BPC API using the provided API key. (In this case, it would be better to store a fixed BPC API key in the INUBIT process.)

Users of the Log Service API must replace all occurrences of childs with children in their POST data. During a transition period, childs can still be used for incoming data. This backward compatibility will be removed in a future release. It should also be noted that the responses from the Log Service endpoints now contain children instead of childs.

The OpenSearch configuration directory can be configured via OPENSEARCH_PATH_CONF. This allows you to outsource the configuration directory from the OpenSearch directory. As a result, you will no longer overwrite it during an OpenSearch update. See also Outsourcing OpenSearch Configuration.

In the bundle installation file, BPC is now delivered with a configuration directory outsourced to INSTALLATION_DIRECTORY/opensearch_config.

It is recommended to set OPENSEARCH_PATH_CONF in the bpc.env.

A new action type "bulkAction" has been added to enable actions to be performed for all records. See Bulk Actions

If IGUASU is correctly connected via the Flow module, available processors can easily be selected through the configuration interface of the monitor actions.

A configuration interface for identity providers is now available.

With this update, it is necessary to update the Karaf.

The BPC provides OpenApi-compliant specification files for our APIs. These can be found under Downloads and can alternatively also be accessed dynamically via the BPC, provided this option is enabled. You can find more information in the section BPC-API.

You can use the Log Service API to be redirected directly to the Log Service configuration or to connected monitors. There are two new LogService endpoints that redirect the user to the corresponding BPC pages when called:

See also API documentation: Log Service API

It is now possible to specify references to external resources when writing audit information. For example, it is possible to refer to the IGUASU instance that created the entry.

Replication now also supports, as an alternative to existing database tables/views, the direct entry of an SQL query.

See also sourceCommonTableExpressionQuery in Replication

BPC API requests that take place via a web browser now redirect to Keycloak (or another OIDC UserFlowIdentityProvider) if authentication is missing. After logging in, a redirect to the original API endpoint takes place.

See System monitoring (metrics for Prometheus)

If the available disk space falls below defined thresholds, shards are redistributed to other nodes. It can also happen that indices are set to read-only to prevent the disk from filling up.

The value of cluster.routing.allocation.disk.threshold_enabled is now true. This corresponds to the OpenSearch default value.

The OpenSearch configuration directory can be configured via OPENSEARCH_PATH_CONF. This allows you to outsource the configuration directory from the OpenSearch directory. As a result, you will no longer overwrite it during an OpenSearch update. See also Outsourcing OpenSearch Configuration.

In the bundle installation file, BPC is now delivered with a configuration directory outsourced to INSTALLATION_DIRECTORY/opensearch_config.

It is recommended to set OPENSEARCH_PATH_CONF in the bpc.env.

Connections to OpenSearch are now configured exclusively via de.virtimo.bpc.core.opensearch.hosts. When updating from an older version, you must add the entry de.virtimo.bpc.core.opensearch.hosts to the configuration file karaf/etc/de.virtimo.bpc.core.cfg. Additionally, it is recommended to supplement the central configuration file with the lines

or

(as shown here with the example https://localhost:9200) [https://localhost:9200)]. You can use the files from the download file server as a reference.

These metrics have been renamed:

For the Identity Provider (Backend Connections), a large part was previously configured via a JSON setting. This has been split into individual settings. Existing configurations are migrated automatically. If older deployment exports of Identity Provider components are used, it is best to recreate them.

See also: Create, configure and use an identity provider, Database as identity provider, Keycloak as an identity provider, Keycloak and dynamic redirect URIs, Deployment constraints

The endpoint /cxf/bpc-core/status/server/{serverUUID} of the status API, which queried the status of a remote BPC, has been removed.

The plugin can now configure a process that is displayed immediately upon triggering. Additionally, the text and icon can now be freely configured. See also Process Starter Plugin

The option for grouping settings is now initially enabled. It is recommended to use this view, as the settings are displayed together in a common context.

The query string parameters gridId, gridExtId, multiRecords, buttonId and the form parameter tablePrefix have been removed from the process action requests. To send additional context or configuration information, "process action metadata" can be configured in the monitor settings.

In process starters, the XML that was sent has been replaced by JSON. As a result, portletArchiveName, operation, mandant, gridID, key, bpcModule, bpcModuleInstanceId and custom have been removed. key has been uniformly renamed to id. Additional context or configuration information can be reliably sent via the "metadata" configuration in the process starter configuration in the monitor settings. The process parameters are bundled under config.parameters in the request payload. File uploads contain filename, type and data. Grids contain a list of their records.

In Change State, tablePrefix, mandant and changeStatusBox_<column name> have been removed. command has been uniformly renamed to type and receives the value "statusChange". columnsstring has been renamed to column. newStatusCombo_<column name> has been renamed to newStatus. commentfield has been renamed to comment. childStatus is no longer set to "Info" by default in the Change State configuration and, if configured, is migrated to metadata. Additional information can be passed in the "metadata" object in the Change State configuration.

See also Migration from BPC 4.* to BPC 5.0 Configuration of process actions Process Starter

The unused settings inubit_aperakEndPoint, inubit_dbGridId and inubit_pmMandant have been removed. The settings inubit_actionEndpoint, inubit_changeStateEndpoint and inubit_VpsEndpoint have been replaced by actionEndpointProcessor, changeStateEndpointProcessor and vpsEndpointProcessor.

For boolean values in the settings tables, a combo box is no longer displayed; instead, only the checkbox with the truth value is shown. The value can be changed by clicking, pressing the space bar, or pressing Enter.

Users of the Log Service API must replace all occurrences of childs with children in their POST data. During a transition period, childs can still be used for incoming data. This backward compatibility will be removed in a future release. It should also be noted that the responses from the Log Service endpoints now contain children instead of childs.

By default, the accessibility of Karaf via SSH connections is now restricted to the host localhost. To enable accessibility via external connections, use the central configuration file. See Karaf SSH Access.

The logging configuration has been changed so that session tokens are masked. For new installations of Karaf, this happens automatically. For existing installations, please adjust the configuration file [KARAF]/etc/org.ops4j.pax.logging.cfg. Replace the old line

with the following lines

Since with Keycloak and OIDC the session tokens are UUIDs that are also used elsewhere, we log the first and last four characters here.

HTTP proxy backend connections and flow connections now always filter the session cookie so that a recipient cannot make calls in the BPC in the context of the user. The setting filterSessionCookie is therefore no longer required. Instead, with the new setting sendSessionId, it is possible to send the user’s session ID, which can be verified at the endpoint GET /cxf/bpc-core/authentication/session/{sessionid}. When the injectUserSessionJWT setting is enabled, a self-created JWT is no longer sent, but rather the signed ID token from the OpenID Connect provider is sent. You can find more details in Backend Connections - HTTP-Proxy.

Http calls via an Http-Proxy or Flow connection filter out the BPC Api-Key header (X-APIKey). Attention: This could affect existing BPC configurations, for example if an INUBIT process is triggered that in turn makes calls to the BPC API using the provided API key. (In this case, it would be better to store a fixed BPC API key in the INUBIT process.)

For new backend connections of the type HTTP-Proxy and Flow, the option Filter BPC Session is enabled by default.

The use of Java 21 is now necessary.

If BPC was initially installed with an OpenSearch version instead of an Elasticsearch version, then the [bpc]/opensearch_data directory can be adopted directly.

If not, indices must first be migrated.

See also Migration from BPC 4.* to BPC 5.0

With this update, the Karaf version is upgraded to 4.4.8. It is necessary to update the modules bpc-be-core, bpc-be-analysis, bpc-be-forms, and bpc-be-monitor.

For BPC module developers

With the updated Karaf, we are delivering CXF 3.6.8 instead of 3.6.7, which provides Jackson in version 2.19.2.

Please update the CXF version (3.6.8) and Jackson version (2.19.2) in your pom.xml. Check whether you have an Import-Package statement for this version. This must be added or adjusted if you use Jackson features such as the ObjectMapper class.

INUBIT is no longer supported as an Identity Provider.