Administration changelog

Data used for login with OIDC providers is stored encrypted in a cookie on the client. This prevents overload from a very large number of login requests.

For BPC module developers

If you have developed your own UserFlowIdentityProvider implementation, you need to adapt it. The function URI createAuthenticationRequestURI(String requestUrl) has been replaced with UserFlowLoginContext createAuthenticationRequestContext(String requestUrl) and now, in addition to the redirect URL for the OIDC login, also returns a cookie containing the login state. This cookie is set by the frontend during the login attempt.

For BPC administrators

Install the new modules bpc-be-core.jar and bpc-fe-core.war. A restart of the BPC/Karaf is necessary. If the BPC is still not available afterwards, please delete the directory karaf/data and restart Karaf again. (You may want to back up your log files beforehand.)

In process monitoring, the settings inubit_referenceEndpoint, inubit_proxyId, inutbit_baseUrl for downloading via an HTTP proxy have been consolidated and renamed to httpProxy_referenceEndpoint to clarify the possibility of downloading via a generic HTTP proxy connection. The setting inubit_dbTablePrefix has been removed, as it was only used for legacy scenarios.

Timeseries Management administrators who do not belong to the "bpcadmin" role and previously only had the "webtsm_admin" permission now need the "webtsm_edit" permission instead. A Timeseries Management administrator could also be assigned the "WEBTSM_ADMIN" role instead of the specific permission. This would also be more future-proof, for example, if in subsequent versions more fine-grained permissions are defined for the endpoints instead of the "webtsm_edit" permission.

The Data Management module no longer has its own backend component (bpc-be-vam.jar). It must be removed during the update. To use the module, it is sufficient to use bpc-fe-vam.war.

The Data Management module has been included in the regular release cycle.

The setting baseUrl is omitted, as the value (cxf) is a static part of the API URL and does not change.

Do not confuse this with bpcBaseUrl. This setting remains unchanged.

The format for index imports has been changed to a ZIP-based format. This is the same format that our opensearch-tool also uses to import and export indices. In the administration interface under Core Services → Indices, such index export files can be downloaded.

Note: If you use the index import functionality for an installation with a preconfigured BPC, the export file must be recreated.

See also Installation with preconfigured BPC.

The File-Storage Log Service integration has been adapted for the Process Monitor so that it can offer these files for download and viewing: For fields of type file-storage, the Log Service now creates two additional fields with the suffix _filename and _contentType when logging in OpenSearch and relational databases.

Files from the File Storage can now also be accessed in the Process Monitor.

The format for index imports has been changed to a ZIP-based format. This is the same format that our opensearch-tool also uses to import and export indices. In the administration interface under Core Services → Indices, such index export files can be downloaded.

Note: If you use the index import functionality for an installation with a preconfigured BPC, the export file must be recreated.

See also Installation with preconfigured BPC.

The configuration of file attachments and downloads in the BPC Monitor has been restructured:

Further information can be found here: Configuration of the monitor columns and File attachments.

Attention: Monitor instances had provided the setting column_mimetype to specify the column name that refers to the content type of the files. However, in the backend, the column name contentType was used inconsistently. Therefore, during the migration of the instances, the column_mimetype setting was ignored. If this was used, please check the corresponding monitor instance and adjust it if necessary.

Data used for login with OIDC providers is stored encrypted in a cookie on the client. This prevents overload from a very large number of login requests.

For BPC module developers

If you have developed your own UserFlowIdentityProvider implementation, you need to adapt it. The function URI createAuthenticationRequestURI(String requestUrl) has been replaced with UserFlowLoginContext createAuthenticationRequestContext(String requestUrl) and now, in addition to the redirect URL for the OIDC login, also returns a cookie containing the login state. This cookie is set by the frontend during the login attempt.

For BPC administrators

Install the new modules bpc-be-core.jar and bpc-fe-core.war. A restart of the BPC/Karaf is necessary. If the BPC is still not available afterwards, please delete the directory karaf/data and restart Karaf again. (You may want to back up your log files beforehand.)

In process monitoring, the settings inubit_referenceEndpoint, inubit_proxyId, inutbit_baseUrl for downloading via an HTTP proxy have been consolidated and renamed to httpProxy_referenceEndpoint to clarify the possibility of downloading via a generic HTTP proxy connection. The setting inubit_dbTablePrefix has been removed, as it was only used for legacy scenarios.

Timeseries Management administrators who do not belong to the "bpcadmin" role and previously only had the "webtsm_admin" permission now need the "webtsm_edit" permission instead. A Timeseries Management administrator could also be assigned the "WEBTSM_ADMIN" role instead of the specific permission. This would also be more future-proof, for example, if in subsequent versions more fine-grained permissions are defined for the endpoints instead of the "webtsm_edit" permission.

The setting baseUrl is omitted, as the value (cxf) is a static part of the API URL and does not change.

Do not confuse this with bpcBaseUrl. This setting remains unchanged.

The Data Management module no longer has its own backend component (bpc-be-vam.jar). It must be removed during the update. To use the module, it is sufficient to use bpc-fe-vam.war.

The Data Management module has been included in the regular release cycle.

Check and, if necessary, adjust the HTTP proxy configurations. Up to now, a '/' was always appended to the configured connection URL. This is no longer the case. If your HTTP proxy target requires this and the URL is currently configured without a '/' at the end, please adjust it accordingly.

BPC now supports PKCE (Proof Key for Code Exchange) for OpenID Connect and Keycloak Identity Provider to enable a hardened login flow. To activate this, you need to set the PKCE method in the Identity Provider backend connection and, if necessary, configure this in your Keycloak client.

When reindexing, the old index is deleted instead of being closed as before. The user is offered the option to create a backup before reindexing.

The driver provided via pax-jdbc-mssql is no longer delivered.

Please ensure that the MSSQL driver used has at least one of the following versions: 10.2.4, 11.2.4, 12.2.1, 12.6.5, 12.8.2, 12.10.2, 13.2.1

If an older driver is being used, it should be replaced. Remove the old driver by deleting it from the deploy directory or by uninstalling pax-jdbc-mssql or the driver itself. Then install a current driver (without the pax-jdbc-mssql feature). See also: Databases

Check and, if necessary, adjust the HTTP proxy configurations. Up to now, a '/' was always appended to the configured connection URL. This is no longer the case. If your HTTP proxy target requires this and the URL is currently configured without a '/' at the end, please adjust it accordingly.

If an error occurs during the migration of an index, the newly created index for the migration will be removed again in order to avoid subsequent errors or to revert to a stable state.

By default, the accessibility of Karaf via SSH connections is now restricted to the host localhost. To enable accessibility via external connections, use the central configuration file. See Karaf SSH Access.

Connections to OpenSearch are now configured exclusively via de.virtimo.bpc.core.opensearch.hosts. When updating from an older version, you must add the entry de.virtimo.bpc.core.opensearch.hosts to the configuration file karaf/etc/de.virtimo.bpc.core.cfg. Additionally, it is recommended to supplement the central configuration file with the lines

or

(as shown here with the example https://localhost:9200). You can use the files from the download file server as a reference.

The use of Java 21 is now necessary.

These metrics have been renamed:

INUBIT is no longer supported as an Identity Provider.

For the Identity Provider (Backend Connections), a large part was previously configured via a JSON setting. This has been split into individual settings. Existing configurations are migrated automatically. If older deployment exports of Identity Provider components are used, it is best to recreate them.

See also: Create, configure and use an identity provider, Database as identity provider, Keycloak as an identity provider, Keycloak and dynamic redirect URIs, Deployment constraints

The endpoint /cxf/bpc-core/status/server/{serverUUID} of the status API, which queried the status of a remote BPC, has been removed.

The query string parameters gridId, gridExtId, multiRecords, buttonId and the form parameter tablePrefix have been removed from the process action requests. To send additional context or configuration information, "process action metadata" can be configured in the monitor settings.

In process starters, the XML that was sent has been replaced by JSON. As a result, portletArchiveName, operation, mandant, gridID, key, bpcModule, bpcModuleInstanceId and custom have been removed. key has been uniformly renamed to id. Additional context or configuration information can be reliably sent via the "metadata" configuration in the process starter configuration in the monitor settings. The process parameters are bundled under config.parameters in the request payload. File uploads contain filename, type and data. Grids contain a list of their records.

In Change State, tablePrefix, mandant and changeStatusBox_<column name> have been removed. command has been uniformly renamed to type and receives the value "statusChange". columnsstring has been renamed to column. newStatusCombo_<column name> has been renamed to newStatus. commentfield has been renamed to comment. childStatus is no longer set to "Info" by default in the Change State configuration and, if configured, is migrated to metadata. Additional information can be passed in the "metadata" object in the Change State configuration.

See also Migration from BPC 4.* to BPC 5.0 Configuration of process actions Process Starter

The unused settings inubit_aperakEndPoint, inubit_dbGridId and inubit_pmMandant have been removed. The settings inubit_actionEndpoint, inubit_changeStateEndpoint and inubit_VpsEndpoint have been replaced by actionEndpointProcessor, changeStateEndpointProcessor and vpsEndpointProcessor.

HTTP proxy backend connections and flow connections now always filter the session cookie so that a recipient cannot make calls in the BPC in the context of the user. The setting filterSessionCookie is therefore no longer required. Instead, with the new setting sendSessionId, it is possible to send the user’s session ID, which can be verified at the endpoint GET /cxf/bpc-core/authentication/session/{sessionid}. When the injectUserSessionJWT setting is enabled, a self-created JWT is no longer sent, but rather the signed ID token from the OpenID Connect provider is sent. You can find more details in Backend Connections - HTTP-Proxy.

Http calls via an Http-Proxy or Flow connection filter out the BPC Api-Key header (X-APIKey). Attention: This could affect existing BPC configurations, for example if an INUBIT process is triggered that in turn makes calls to the BPC API using the provided API key. (In this case, it would be better to store a fixed BPC API key in the INUBIT process.)

Users of the Log Service API must replace all occurrences of childs with children in their POST data. During a transition period, childs can still be used for incoming data. This backward compatibility will be removed in a future release. It should also be noted that the responses from the Log Service endpoints now contain children instead of childs.

The OpenSearch configuration directory can be configured via OPENSEARCH_PATH_CONF. This allows you to outsource the configuration directory from the OpenSearch directory. As a result, you will no longer overwrite it during an OpenSearch update. See also Outsourcing OpenSearch Configuration.

In the bundle installation file, BPC is now delivered with a configuration directory outsourced to INSTALLATION_DIRECTORY/opensearch_config.

It is recommended to set OPENSEARCH_PATH_CONF in the bpc.env.

A new action type "bulkAction" has been added to enable actions to be performed for all records. See Bulk Actions

If IGUASU is correctly connected via the Flow module, available processors can easily be selected through the configuration interface of the monitor actions.

A configuration interface for identity providers is now available.

With this update, it is necessary to update the Karaf.

The BPC provides OpenApi-compliant specification files for our APIs. These can be found under Downloads and can alternatively also be accessed dynamically via the BPC, provided this option is enabled. You can find more information in the section BPC-API.

You can use the Log Service API to be redirected directly to the Log Service configuration or to connected monitors. There are two new LogService endpoints that redirect the user to the corresponding BPC pages when called:

See also API documentation: Log Service API

It is now possible to specify references to external resources when writing audit information. For example, it is possible to refer to the IGUASU instance that created the entry.

Replication now also supports, as an alternative to existing database tables/views, the direct entry of an SQL query.

See also sourceCommonTableExpressionQuery in Replication

BPC API requests that take place via a web browser now redirect to Keycloak (or another OIDC UserFlowIdentityProvider) if authentication is missing. After logging in, a redirect to the original API endpoint takes place.

See System monitoring (metrics for Prometheus)

If the available disk space falls below defined thresholds, shards are redistributed to other nodes. It can also happen that indices are set to read-only to prevent the disk from filling up.

The value of cluster.routing.allocation.disk.threshold_enabled is now true. This corresponds to the OpenSearch default value.

The OpenSearch configuration directory can be configured via OPENSEARCH_PATH_CONF. This allows you to outsource the configuration directory from the OpenSearch directory. As a result, you will no longer overwrite it during an OpenSearch update. See also Outsourcing OpenSearch Configuration.

In the bundle installation file, BPC is now delivered with a configuration directory outsourced to INSTALLATION_DIRECTORY/opensearch_config.

It is recommended to set OPENSEARCH_PATH_CONF in the bpc.env.

Connections to OpenSearch are now configured exclusively via de.virtimo.bpc.core.opensearch.hosts. When updating from an older version, you must add the entry de.virtimo.bpc.core.opensearch.hosts to the configuration file karaf/etc/de.virtimo.bpc.core.cfg. Additionally, it is recommended to supplement the central configuration file with the lines

or

(as shown here with the example https://localhost:9200). You can use the files from the download file server as a reference.

These metrics have been renamed:

For the Identity Provider (Backend Connections), a large part was previously configured via a JSON setting. This has been split into individual settings. Existing configurations are migrated automatically. If older deployment exports of Identity Provider components are used, it is best to recreate them.

See also: Create, configure and use an identity provider, Database as identity provider, Keycloak as an identity provider, Keycloak and dynamic redirect URIs, Deployment constraints

The endpoint /cxf/bpc-core/status/server/{serverUUID} of the status API, which queried the status of a remote BPC, has been removed.

The plugin can now configure a process that is displayed immediately upon triggering. Additionally, the text and icon can now be freely configured. See also Process Starter Plugin

The option for grouping settings is now initially enabled. It is recommended to use this view, as the settings are displayed together in a common context.

The query string parameters gridId, gridExtId, multiRecords, buttonId and the form parameter tablePrefix have been removed from the process action requests. To send additional context or configuration information, "process action metadata" can be configured in the monitor settings.

In process starters, the XML that was sent has been replaced by JSON. As a result, portletArchiveName, operation, mandant, gridID, key, bpcModule, bpcModuleInstanceId and custom have been removed. key has been uniformly renamed to id. Additional context or configuration information can be reliably sent via the "metadata" configuration in the process starter configuration in the monitor settings. The process parameters are bundled under config.parameters in the request payload. File uploads contain filename, type and data. Grids contain a list of their records.

In Change State, tablePrefix, mandant and changeStatusBox_<column name> have been removed. command has been uniformly renamed to type and receives the value "statusChange". columnsstring has been renamed to column. newStatusCombo_<column name> has been renamed to newStatus. commentfield has been renamed to comment. childStatus is no longer set to "Info" by default in the Change State configuration and, if configured, is migrated to metadata. Additional information can be passed in the "metadata" object in the Change State configuration.

See also Migration from BPC 4.* to BPC 5.0 Configuration of process actions Process Starter

The unused settings inubit_aperakEndPoint, inubit_dbGridId and inubit_pmMandant have been removed. The settings inubit_actionEndpoint, inubit_changeStateEndpoint and inubit_VpsEndpoint have been replaced by actionEndpointProcessor, changeStateEndpointProcessor and vpsEndpointProcessor.

For boolean values in the settings tables, a combo box is no longer displayed; instead, only the checkbox with the truth value is shown. The value can be changed by clicking, pressing the space bar, or pressing Enter.

Users of the Log Service API must replace all occurrences of childs with children in their POST data. During a transition period, childs can still be used for incoming data. This backward compatibility will be removed in a future release. It should also be noted that the responses from the Log Service endpoints now contain children instead of childs.

By default, the accessibility of Karaf via SSH connections is now restricted to the host localhost. To enable accessibility via external connections, use the central configuration file. See Karaf SSH Access.

The logging configuration has been changed so that session tokens are masked. For new installations of Karaf, this happens automatically. For existing installations, please adjust the configuration file [KARAF]/etc/org.ops4j.pax.logging.cfg. Replace the old line

with the following lines

Since with Keycloak and OIDC the session tokens are UUIDs that are also used elsewhere, we log the first and last four characters here.

HTTP proxy backend connections and flow connections now always filter the session cookie so that a recipient cannot make calls in the BPC in the context of the user. The setting filterSessionCookie is therefore no longer required. Instead, with the new setting sendSessionId, it is possible to send the user’s session ID, which can be verified at the endpoint GET /cxf/bpc-core/authentication/session/{sessionid}. When the injectUserSessionJWT setting is enabled, a self-created JWT is no longer sent, but rather the signed ID token from the OpenID Connect provider is sent. You can find more details in Backend Connections - HTTP-Proxy.

Http calls via an Http-Proxy or Flow connection filter out the BPC Api-Key header (X-APIKey). Attention: This could affect existing BPC configurations, for example if an INUBIT process is triggered that in turn makes calls to the BPC API using the provided API key. (In this case, it would be better to store a fixed BPC API key in the INUBIT process.)

For new backend connections of the type HTTP-Proxy and Flow, the option Filter BPC Session is enabled by default.

The use of Java 21 is now necessary.

If BPC was initially installed with an OpenSearch version instead of an Elasticsearch version, then the [bpc]/opensearch_data directory can be adopted directly.

If not, indices must first be migrated.

See also Migration from BPC 4.* to BPC 5.0

With this update, the Karaf version is upgraded to 4.4.8. It is necessary to update the modules bpc-be-core, bpc-be-analysis, bpc-be-forms, and bpc-be-monitor.

For BPC module developers

With the updated Karaf, we are delivering CXF 3.6.8 instead of 3.6.7, which provides Jackson in version 2.19.2.

Please update the CXF version (3.6.8) and Jackson version (2.19.2) in your pom.xml. Check whether you have an Import-Package statement for this version. This must be added or adjusted if you use Jackson features such as the ObjectMapper class.

INUBIT is no longer supported as an Identity Provider.