GAS 4.01 upgrade guide

These topics describe product changes you must be aware of when upgrading to version 4.01.

Important:

This incremental upgrade guide covers only topics related to the Genero Application Server (GAS) version specified in the page title. Check prior upgrade guides if you migrate from an earlier version, and complete the migration tasks for all versions between your existing version and the target version, in order. Make sure to also read about the new features for this version.

Corresponding new features page: GAS 4.01 new features.

Previous upgrade guide: GAS 4.00 upgrade guide

Session idle time

The gasadmin session --idle-time option is introduced to provide information on a session's idle state. It gives you the number of seconds since last user activity on applications running in a session. Based on this, you can, for example, decide if a session can be stopped. For more information on using this feature, see Example: Idle session.

Gasadmin commands --dispatcher option no longer available

The --dispatcher option is no longer provided with these commands:
  • gasadmin reset-log
  • gasadmin session

Where before you may have needed to use the -d option to specify the dispatcher, for example to close a session:

gasadmin session --close-session d98290172c8f7c0d861db329f1ce6597 -f as1.xcf 
          -d isapidispatch
You must now omit the -d option:
gasadmin session --close-session d98290172c8f7c0d861db329f1ce6597 -f as1.xcf
The command is run on the admin port (TCP_ADMIN_PORT) used by the dispatcher for this purpose. With the option -f you can specify the configuration file where the port is set; otherwise, the default GAS configuration file is used. In the example the as1.xcf contains the admin port used by the dispatcher, so the gasadmin uses the port to connect to the dispatcher to close the session.
The gasadmin session --whoami option is introduced to provide information on the dispatcher.
gasadmin session --whoami -f as1.xcf
This command will return the kind of dispatcher you are communicating with: httpdispatch, fastcgidispatch, or isapidispatch.

See gasadmin tool.

Support for RFC 8693 in the Genero Identity Provider (GIP) creation of OAuth ID and access tokens with scopes

Starting at GAS 4.01.02 and FGLGWS 4.01.02, the GIP follows the standard RFC 8693 as the default method when creating OAuth ID and access tokens with the scope parameter.

Prior to FGLGWS 4.01.02, GIP created a JSON Web Token (JWT) with a "scopes" element defined as a JSON array for the list of scopes. Now, according to the RFC 8693 standard, the JWT has a "scope" element defined as a string with the scopes in a space-separated list.

No action needs to be taken on your part, but if you have previously used the GIP to authenticate users launching applications and you want to use the new scope member, ensure that the OpenID Connect service provided as part of the GWS package uses FGLGWS 4.01.02 or higher.

To change the default mode to the old method for exchanging scopes, set the IDP specification entry in fglprofile to oidc.token.scopes=false.

For more information about GIP, see the Genero Identity Provider (GIP) pages in Single Sign-On User Guide.

Changes to how messages are sent to connected users

Starting with GAS version 4.01.02, the gasadmin session --broadcast-message is desupported. This command now displays a message to use the gasadmin send-message command instead, and it exits with a status code of 1.

The gasadmin send-message command provides enhanced functionality that allows an administrator of the GAS to send messages to connected users on the specified applications and sessions, or to connected user on all sessions running in the GAS.

For more information see Send administrative messages to user agents.

Changes to how sessions are closed

Starting with GAS version 4.01.02, the gasadmin session --close-session and gasadmin session --close-all-sessions commands are desupported.

They are replaced by the gasadmin close-session and gasadmin close-all-sessions commands. These commands provide functionality that allow an administrator of the GAS to close specified applications and sessions, or to close all sessions running in the GAS gracefully. The commands also have options to send a message or an end URL to the user agents on closing the sessions.

For more information see gasadmin.

New option oidc.accesstoken.decode for decoding access tokens with roles and scopes

From FGLGWS 4.01.04 and GAS 4.01.04 onwards, the FGLGWS OpenID Connect service configuration provides a new oidc.accesstoken.decode option in file $FGLDIR/web_utilities/services/openid-connect/res/configuration; to be used when configuring Single sign-on, in order to decode roles and scopes sent by identity providers in the access token.

To ensure that all roles and scopes are retrieved, you need to configure for the decoding of the access token by setting the option oidc.accesstoken.decode=true (default is false):

For more information, see the Retrieve roles and scopes page in the Single Sign-On User Guide.

Changes in earlier versions

Make sure to check the upgrade notes of earlier versions, to not miss changes introduced in maintenance releases. For more details, see GAS 4.00 upgrade guide.

Notable changes introduced in maintenance releases:

  • The change to gasadmin session --list command to display fglrun processes started in the current session, and the change to the gasadmin --version command to include the date and time the GAS package was built. These changes are also available since GAS 4.01.01.
  • The support for HTTP/2 when you configure your web server to use the HTTP/2 protocol, also available since GAS 4.01.00.
  • The deprecation of SPDY which is replaced by the HTTP/2 protocol.
  • How the USER_AGENT timeout value is halved when sent to the Genero Browser Client, also available since GAS 4.01.00.
  • The new entry oidc.app.start.mode for setting the OpenID Connect service application starting mode, also available in GAS 4.01.00 and FGLGWS 4.01.00.
    Important:

    With GAS 4.01.00 and FGLGWS 4.01.00, the default starting mode changes from "cookie" to "gnonce".