Horizon 2.6.0 release notes

Here are the release notes for EverTrust Horizon v2.6.0, released on 2024-08-22.

For the installation and upgrade procedure, please refer to the Installation and Upgrade guide.

Horizon now requires Java version 17.

1. New Features

  • [HRZ-1664] - Added support for basic authentication on HTTP Proxies

  • [HRZ-1946] - Added datasources: external data can now enrich enrollment metadata

  • [HRZ-1970] - Added auto validation on SCEP, EST and WebRA: certificates matching a set of rules can now be enrolled without any further validation by an operator

  • [HRZ-1956] - Added SCIM v2 compliance: Horizon accounts can now be automatically synchronized with SCIM Providers (Entra, Okta, …)

  • [HRZ-1995] - Added automatic healthcheck for Stream, Acme, ADCS, DigiCert, EJBCA, GlobalSignMSSL, NameShield and Opentrust PKI connectors

  • [HRZ-2051] - Added the Nameshield PKI Connector

  • [HRZ-1910] - Teams can now be used in HPQL

2. Enhancements

  • [HRZ-2101] - Crypto decoder now displays unknown extensions

  • [HRZ-1966] - Crypto decoder now supports OpenSSH certificates, Timestamping Tokens and OCSP Tokens

  • [HRZ-2059] - Added the possibility to selectively enable features depending on the hostname

  • [HRZ-2068] - EST/SCEP: Computation rule execution now takes place on challenge request submission

  • [HRZ-1995] - Improved configuration workflow for the Stream connector

  • [HRZ-2063] - Added CSV capabilities for Events and Discovery Events on search and report interfaces

  • [HRZ-1881] - Notifications now also support computation rule manipulation inside dynamic attributes

  • [HRZ-2108] - Added the possibility to search if a certificate is escrowed or not

  • [HRZ-2114] - Added support of additional endpoints on Sectigo SCM PKI connector

  • [HRZ-2115] - MetaPKI connector now supports Unique Identifier DN Element

  • [HRZ-2078] - WCCE: AD Caller identity’s distinguished name dictionary is now available

3. Bug Fixes

  • [HRZ-2106] - Fixed incorrect configuration key for request grace period and default duration

  • [HRZ-2100] - Fixed a bug that prevented HQL requests from being saved when modified

  • [HRZ-1546] - Fixed a bug that allowed WebRA requests to be approved concurrently

  • [HRZ-2025] - Fixed a bug that made long-running scheduled tasks appear as failed

  • [HRZ-1853] - Mongo Driver: Fixed a bug that made database results incomplete in non-primary mode. This will improve performance when connected to a mongo cluster once the connection string has been modified

4. Known Defects

  • A migration issue affects requests:

    • Pending requests for renewal cannot be validated

    • Approved requests are missing some information and PKCS#12 cannot be downloaded

      This issue has been fixed in version 2.6.3

  • Authenticated proxies are not available for Intune, SOAP and LDAP Connections.

5. API modifications

  • [HRZ-1881] - In REST notifications (/api/v1/triggers), body and bodyType parameters were renamed to payload and payloadType

  • [HRZ-1970] - Added the authorizationMode mandatory property on WebRA profiles (/api/v1/certificate/profiles)

  • [HRZ-1956] - enabled field is now mandatory on principals

The Akka framework has been replaced by Pekko. This can lead to configuration changes if you manage the Horizon configuration manually.

The behavior of dynamic values in notifications was modified. When a dynamic value is not found, it now stays as a dynamic key in the final notification instead of being replaced. Use the {{OrElse(<key>, "")}} notation to get an empty string when no value is found.