GAS 3.20 upgrade guide
These topics describe product changes you must be aware of when upgrading to version 3.20.
Corresponding new features page: GAS 3.20 new features.
Previous upgrade guide: GAS 3.10 upgrade guide
TCP_ADMIN_PORT provides a port for GAS administration tasks
TCP_ADMIN_PORT is a new element in the GAS configuration file. If your GAS version is 3.20.07 or later, you need to be aware of this new element. It provides a port for GAS administration tasks. If you are using an as.xcf without this element, there is no need to add it. The default TCP admin port is set internally to 6999. If you need to set the port, you may need to add the element to the as.xcf.
It is necessary to set this port, for example, if you have several GAS running on the same machine. Then you need to ensure that you set a unique port for each GAS. Also ensure you select a different port to that used for application access. For more information on configuring multiple dispatchers for TCP admin port, see Configure multiple dispatchers.
GBC in application path
The means to provide a Genero Browser Client (GBC) in the application path is introduced. See Provide GBC in application path.
With 3.20, you can package a GBC in the gbc directory of the application path. This is the path specified by the PATH element in the application xcf file. The GAS first looks for the GBC in APPDIR/gbc. If this directory exists and it contains a GBC installation, this GBC is used. If the gbc directory is not set, the GAS then uses the standard GBC_LOOKUP_PATH lookup mechanism.
What does this mean for your upgrade to 3.20? It allows you to provide a GBC to use in the application path's gbc directory independent of the GAS configuration.
Deployment portal has been replaced with DeploymentApp
The legacy deployment portal service has been replaced with the Genero Deployment App (DeploymentApp). If you used the deployment portal to deploy and manage your applications and GBC clients, you will need to move to using this application. For information on how to access and use it, see Deploying and securing applications and Web services.
Changes to the deployment service under GIP
The deployment service is now protected by Genero Identity Provider (GIP). Accessing it requires a valid access token with the scope "deployment". The service URL has changed too. If you previously used the deployment service on the GAS at base URL /ws/r/services/DeploymentService to manage your Genero applications, you will need to use the new URL, /ws/r/admin/GeneroDeploymentService, instead. For more information on how to access and use it, see Deploying and securing applications and Web services.
Changes to ImportOAuth tool for getopt support
The ImportOAuth tool command supports getopt parsing of its command-line arguments. The use of the tool has therefore changed for GAS 3.20.06. Command options are specified with double dash (--) instead of single dash (-), and the URL of the IdP is no longer placed after the import option but instead must be placed at the end after the profile endpoint.
Previous syntax:
fglrun ImportOAuth -import IdP_URL
    -authz IdP_oauth_authorize_endpoint
    -token IdP_oauth_access_token_endpoint
    -logout IdP_logout_endpoint
    -profile IdP_user_profile_endpoint
Syntax as of GAS 3.20.06:
fglrun ImportOAuth --import
    --authz IdP_oauth_authorize_endpoint
    --token IdP_oauth_access_token_endpoint
    --logout IdP_logout_endpoint
    --profile IdP_user_profile_endpoint
    IdP_URL
To display the command help:
fglrun ImportOAuth -h
For further details about the ImportOAuth command, see The ImportOAuth program.
ImportOAuth keys option
Starting with GAS version 3.20.14, the ImportOAuth command includes the --keys option.
If you are using ImportOAuth to register tokens and endpoints for OAuth authentication from an identity provider such as Instagram or Facebook, it is recommended to specify the --keys option to fetch the endpoint for the public key used to validate ID tokens. Including the --keys option is recommended to avoid access errors to Genero applications.
For more information on the OpenID Connect service tool ImportOAuth, see The ImportOAuth program.
Changes to ImportIdP tool for getopt support
The ImportIdP tool command supports getopt parsing of its command-line arguments. The use of the tool has therefore changed. The command option is specified with double dash (--) instead of single dash (-).
Previous syntax:
fglrun ImportIdP -import SAML_IdP_url
New syntax:
fglrun ImportIdP --import SAML_IdP_url
To display the command help:
fglrun ImportIdP -h
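A migration helper for scripts that still call ImportOAuth or ImportIdP with the old syntax, as an added example that is not part of the Genero documentation or tooling. The function names convert_import_args and need_value are hypothetical; the helper handles only the options shown above and refuses anything else, so an unexpected argument is reported rather than silently passed through.

```shell
#!/bin/sh
# Added example, not Genero code. convert_import_args is a hypothetical helper
# that rewrites old single-dash ImportOAuth / ImportIdP arguments into the
# getopt form. It knows only the options shown on this page.

need_value() {  # $1 = option name, $2 = its value (empty when missing)
    case $2 in
        ''|-*|*' '*) echo "$1 needs a value without spaces" >&2; return 1 ;;
    esac
}

# Usage: convert_import_args TOOL old-arg...   (prints the new command line)
convert_import_args() {
    [ $# -ge 1 ] || { echo "missing tool name" >&2; return 2; }
    tool=$1; shift
    case $tool in
        ImportOAuth|ImportIdP) ;;
        *) echo "unsupported tool: $tool" >&2; return 2 ;;
    esac
    out="fglrun $tool"
    idp_url=""
    while [ $# -gt 0 ]; do
        case $1 in
            --*)  # already new style: refuse rather than guess at a mixed form
                echo "already uses double dash: $1" >&2; return 1 ;;
            -h)
                out="$out -h"; shift ;;
            -import)
                need_value "$1" "${2-}" || return 1
                if [ "$tool" = ImportOAuth ]; then
                    # ImportOAuth: the IdP URL moves to the end of the command
                    idp_url=$2; out="$out --import"
                else
                    # ImportIdP: only the dash style changes
                    out="$out --import $2"
                fi
                shift 2 ;;
            -authz|-token|-logout|-profile)
                [ "$tool" = ImportOAuth ] || { echo "$1: not shown for ImportIdP" >&2; return 1; }
                need_value "$1" "${2-}" || return 1
                out="$out -$1 $2"; shift 2 ;;
            *)
                echo "unexpected argument: $1" >&2; return 1 ;;
        esac
    done
    [ -z "$idp_url" ] || out="$out $idp_url"
    printf '%s\n' "$out"
}
```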
For further details about the ImportIdP command, see The ImportIdP program.
File names with locale-specific characters supported in file transfer
If you have configured mod_proxy_fcgi in your Apache server, ensure application URLs are not escaped by setting proxy-fcgi-pathinfo=unescape. For more details, see Apache 2.4: mod_proxy_fcgi.
Enhancement for GIP command line tools
fglrun $FGLDIR/web_utilities/services/gip/bin/gettoken/GetToken.42r client_credentials --help
You can now run it directly as:
GetToken client_credentials --help
GetToken is located in $FGLDIR/web_utilities/services/gip/bin/gettoken. DeployGar and DeployGbc are located in the $FGLDIR/web_utilities/services/gip/bin/deploy directory. You need to include these paths in your PATH environment variable to run the commands from any directory.
OpenID Connect service OAuth exchange format definition
Starting with GAS version 3.20.14 and FGLGWS 3.20.14, you can configure the OpenID Connect service provided in the GWS to perform the exchange of OAuth authentication in url-encoded (default) format or JSON.
Set the entry oidc.oauth.request.format in the configuration file located in $FGLDIR/web_utilities/services/openid-connect/res/configuration to ensure the service exchanges tokens in the format required by the identity provider. For more information, see Set exchange format for OAuth.
OpenID Connect service application starting mode
Starting with GAS 3.20.14 and FGLGWS 3.20.14, you can configure the mode the OpenID Connect service uses to verify the identity of a client before starting an application. The OpenID Connect service is provided as part of the GWS package.
To change the default mode, set the entry oidc.app.start.mode in the OpenID Connect service configuration file to use either a cookie or "gnonce" (genero number once). The configuration file is located at $FGLDIR/web_utilities/services/openid-connect/res/configuration.
For more information on configuring the application starting mode, see Configure application starting mode.
SPDY deprecated
This protocol is now deprecated. The HTTP/2 protocol, which is derived from the SPDY protocol, replaces it. If you have used SPDY prior to this, it is recommended to configure your Web server to use the HTTP/2 protocol instead. For more information on working with HTTP/2, see Apache: Configure for HTTP/2 or IIS: Configure for HTTP/2.
HTTP/2 upgrade
Starting with GAS version 3.20.18, we recommend you configure your Web server to use the HTTP/2 protocol. Most major browsers now support HTTP/2. When configuring your Web server, allow the client browser to define the preferred protocol; this will allow the GAS to work with services that may not need the HTTP/2 protocol. For more information on working with HTTP/2, see Apache: Configure for HTTP/2 or IIS: Configure for HTTP/2.
Changes in earlier versions
Make sure to check the upgrade notes of earlier versions, to not miss changes introduced in maintenance releases. For more details, see GAS 3.10 upgrade guide.
Notable changes introduced in maintenance releases:
- The change in the default value for REQUEST_RESULT from 60 seconds to 45 seconds.
- The change in the SESSION_COOKIE definition to include the SameSite attribute.
- The recommendation to set the attribute SameSite to "strict" in Web services using HTTP cookies, also available since GAS 3.20.13.
- How the USER_AGENT timeout value is halved when sent to the Genero Browser Client, also available since GAS 3.20.09.
- The removal of the Alias directive in Apache 2.4 Web server and other changes introduced in the configuration.