GAS 4.01 upgrade guide
These topics describe product changes you must be aware of when upgrading to version 4.01.
This incremental upgrade guide covers only topics related to the Genero Application Server (GAS) version specified in the page title. Check prior upgrade guides if you migrate from an earlier version, and complete the migration tasks for all versions between your existing version and the target version, in order. Make sure to also read about the new features for this version.
Corresponding new features page: GAS 4.01 new features.
Previous upgrade guide: GAS 4.00 upgrade guide
Session idle time
The gasadmin session --idle-time option is introduced to provide information on a session's idle state. It gives you the number of seconds since last user activity on applications running in a session. Based on this, you can, for example, decide if a session can be stopped. For more information on using this feature, see Example: Idle session.
Gasadmin commands --dispatcher option no longer available
--dispatcher option is no longer provided with these commands:- gasadmin reset-log
- gasadmin session
Where before you may have needed to use the -d option to specify the dispatcher,
for example to close a session:
gasadmin session --close-session d98290172c8f7c0d861db329f1ce6597 -f as1.xcf
-d isapidispatch-d
option:gasadmin session --close-session d98290172c8f7c0d861db329f1ce6597 -f as1.xcf
TCP_ADMIN_PORT) used by the dispatcher for this
purpose. With the option -f you can specify the configuration file where the port
is set; otherwise, the default GAS configuration file is used. In
the example the as1.xcf contains the admin port used by the dispatcher,
so the gasadmin uses the port to connect to the dispatcher to close the
session.gasadmin session --whoami -f as1.xcfSee gasadmin tool.
Support for RFC 8693 in the Genero Identity Provider (GIP) creation of OAuth ID and access tokens with scopes
Starting at GAS 4.01.02 and FGLGWS 4.01.02, the GIP follows the standard RFC 8693 as the default method when creating OAuth ID and access tokens with the scope parameter.
Prior to FGLGWS 4.01.02, GIP created a JSON Web Token (JWT) with a "scopes" element defined as a JSON array for the list of scopes. Now, according to the RFC 8693 standard, the JWT has a "scope" element defined as a string with the scopes in a space-separated list.
No action needs to be taken on your part, but if you have previously used the GIP to authenticate users launching applications and you want to use the new scope member, ensure that the OpenID Connect service provided as part of the GWS package uses FGLGWS 4.01.02 or higher.
To change the default mode to the old method for
exchanging scopes, set the IDP specification entry in fglprofile to
oidc.token.scopes=false.
For more information about GIP, see the Genero Identity Provider (GIP) pages in Single Sign-On User Guide.
Changes to how messages are sent to connected users
Starting with GAS version 4.01.02, the gasadmin session --broadcast-message is
desupported. This command now displays a message to use the gasadmin
send-message command instead, and it exits with a status code of 1.
The gasadmin send-message command provides enhanced functionality that allows an administrator of the GAS to send messages to connected users on the specified applications and sessions, or to connected user on all sessions running in the GAS.
For more information see Send administrative messages to user agents.
Changes to how sessions are closed
Starting with GAS version 4.01.02, the gasadmin session --close-session and gasadmin session --close-all-sessions commands are desupported.
They are replaced by the gasadmin close-session and gasadmin close-all-sessions commands. These commands provide functionality that allow an administrator of the GAS to close specified applications and sessions, or to close all sessions running in the GAS gracefully. The commands also have options to send a message or an end URL to the user agents on closing the sessions.
For more information see gasadmin.
New option oidc.accesstoken.decode for decoding access tokens with roles and
scopes
From FGLGWS 4.01.04 and GAS 4.01.04 onwards, the FGLGWS OpenID Connect service configuration
provides a new oidc.accesstoken.decode option in file
$FGLDIR/web_utilities/services/openid-connect/res/configuration; to be used
when configuring Single sign-on, in order to decode roles and scopes sent by identity providers in
the access token.
To ensure that all roles and scopes are retrieved, you need to configure for the decoding of the
access token by setting the option oidc.accesstoken.decode=true (default is
false):
For more information, see the Retrieve roles and scopes page in the Single Sign-On User Guide.
Changes in earlier versions
Make sure to check the upgrade notes of earlier versions, to not miss changes introduced in maintenance releases. For more details, see GAS 4.00 upgrade guide.
Notable changes introduced in maintenance releases:
- The change to gasadmin session --list command to display fglrun processes
started in the current session, and the change to the
gasadmin --versioncommand to include the date and time the GAS package was built. These changes are also available since GAS 4.01.01. - The support for HTTP/2 when you configure your web server to use the HTTP/2 protocol, also available since GAS 4.01.00.
- The deprecation of SPDY which is replaced by the HTTP/2 protocol.
- How the
USER_AGENTtimeout value is halved when sent to the Genero Browser Client, also available since GAS 4.01.00. - The new entry
oidc.app.start.modefor setting the OpenID Connect service application starting mode, also available in GAS 4.01.00 and FGLGWS 4.01.00.Important:With GAS 4.01.00 and FGLGWS 4.01.00, the default starting mode changes from "cookie" to "gnonce".