Security

Version	Type	Description	ID
21.1.0	CORR	Security permissions granted to system administrators and Trapeze6 Client Shell users for some operations have been configured to be always set to Deny for Anonymous users. The security permissions granted system administrators are: Core/Admin/ Core/Context/Write Core/Security/Edit Users and Groups Core/Security/Set Permissions Core/TableEdit Core/SqlDirect/ The security permissions granted Trapeze6 Client Shell users are: Core/File/Browse Core/File/Write	DEVCORE3-5430
21.3.1.0	CORR	An issue where an error message appeared when saving attribute changes on built-in identity type users has been fixed.	DEVCORE3-5486
21.3.1.0	CORR	The issue of FX Security setting the connection to Read-Only for non-FX Security related functions has been fixed.	FX-11586
21.3.1.0	CORR	The issue of users being unable to continue to log on unless they change their password immediately after a warning appears stating that their password will expire in X days has been fixed.	DEVCORE3-5469 This task is related to DEVCORE-4301.
21.16.0.0	ENH	The following enhancements have been added to prevent the accidental editing of data of a sign-up period currently used in Production: The system automatically checks in the early morning if the current date falls within the date range of the sign-up period marked in Production. If so, it automatically selects the Frozen checkbox shown in the Edit dialog box of the Sign-up Period screen. A new security key, Trapeze4/Fixed Ancillary Data/Sign-Up Periods - Freeze has been added. If users are granted permission for this key, they are able to select or clear the Frozen option on sign-up periods.	FX-12677
21.17.0.0		Updates have been made to Trapeze6 security defaults: Default password complexity rules have been updated in Properties: Core/Security/Policy/Minimum Password Length: Minimum length in characters of a valid password. A value of 0 allows empty passwords. Default value is 8. Core/Security/Policy/Password Required Character Types: Specifies character types that must be included in all passwords. This property depends on other password policy context properties. Options are: Upper case alpha character, Lower case alpha character, Symbol character, and Number character. By default, all four character types must be used. Core/Security/Policy/Password Hashing/Algorithm: Select the way passwords are hashed and stored in the CoreIdentity table: TCF1 (64-bit hash). Original algorithm used for backward compatibility when older client and server applications that do not support newer algorithms are connected to the same database. PBKDF2 (192-bit hash). Industry-standard password hashing function, used to produce a 192-bit hash incorporating a 192-bit cryptographically random salt. (Default.) Core/Security/Policy/Password Storage/Algorithm: Applies to stored passwords in context properties and Service Shell profile files. Select one of the following values: AES256 (Private key) - Select for stronger encryption using a randomly generated private key. (Keyfile.bin in the Config folder) This will require manual copying of the Keyfile.bin to other application installation folders if there is more than one installation sharing the same database. Otherwise, the other applications won't be able to decrypt the stored passwords. If this file is lost then the stored passwords will not be retrievable and will have to be re-entered using a new Keyfile.bin. AES256 (System key) - Select for stronger encryption using the system key built into the application framework. (Default) TCF1 - Select this for backward compatibility for older versions that do not have this option. Note: If Core/Security/Policy/Enforce Password Policy on Next is selected, users may need to reset their passwords to meet new default requirements the next time they sign in. Descriptions for the following Service Shell switches have also been updated: Core/Security/Authenticate: Turn OFF to disable username/password authentication and permission checks. DEPRECATED! This switch may be removed in a future version. Core/Security/Check Permissions: Turn OFF to disable permission checking (even if Authentication is still ON.) DEPRECATED! This switch may be removed in a future version.	DEVCORE3-5470

21.1.0

CORR

Security permissions granted to system administrators and Trapeze6 Client Shell users for some operations have been configured to be always set to Deny for Anonymous users.

The security permissions granted system administrators are:

Core/Admin/
Core/Context/Write
Core/Security/Edit Users and Groups
Core/Security/Set Permissions
Core/TableEdit
Core/SqlDirect/

The security permissions granted Trapeze6 Client Shell users are:

Core/File/Browse
Core/File/Write

DEVCORE3-5430

21.3.1.0

CORR

An issue where an error message appeared when saving attribute changes on built-in identity type users has been fixed.

DEVCORE3-5486

21.3.1.0

CORR

The issue of FX Security setting the connection to Read-Only for non-FX Security related functions has been fixed.

FX-11586

21.3.1.0

CORR

The issue of users being unable to continue to log on unless they change their password immediately after a warning appears stating that their password will expire in X days has been fixed.

DEVCORE3-5469

This task is related to DEVCORE-4301.

21.16.0.0

ENH

The following enhancements have been added to prevent the accidental editing of data of a sign-up period currently used in Production:

The system automatically checks in the early morning if the current date falls within the date range of the sign-up period marked in Production. If so, it automatically selects the Frozen checkbox shown in the Edit dialog box of the Sign-up Period screen.
A new security key, Trapeze4/Fixed Ancillary Data/Sign-Up Periods - Freeze has been added. If users are granted permission for this key, they are able to select or clear the Frozen option on sign-up periods.

FX-12677

21.17.0.0

Updates have been made to Trapeze6 security defaults:

Default password complexity rules have been updated in Properties:
- Core/Security/Policy/Minimum Password Length: Minimum length in characters of a valid password. A value of 0 allows empty passwords. Default value is 8.
- Core/Security/Policy/Password Required Character Types: Specifies character types that must be included in all passwords. This property depends on other password policy context properties. Options are: Upper case alpha character, Lower case alpha character, Symbol character, and Number character. By default, all four character types must be used.
- Core/Security/Policy/Password Hashing/Algorithm: Select the way passwords are hashed and stored in the CoreIdentity table:
  1. TCF1 (64-bit hash). Original algorithm used for backward compatibility when older client and server applications that do not support newer algorithms are connected to the same database.
  2. PBKDF2 (192-bit hash). Industry-standard password hashing function, used to produce a 192-bit hash incorporating a 192-bit cryptographically random salt. (Default.)
- Core/Security/Policy/Password Storage/Algorithm: Applies to stored passwords in context properties and Service Shell profile files. Select one of the following values:
  1. AES256 (Private key) - Select for stronger encryption using a randomly generated private key. (Keyfile.bin in the Config folder)
    This will require manual copying of the Keyfile.bin to other application installation folders if there is more than one installation sharing the same database. Otherwise, the other applications won't be able to decrypt the stored passwords. If this file is lost then the stored passwords will not be retrievable and will have to be re-entered using a new Keyfile.bin.
  2. AES256 (System key) - Select for stronger encryption using the system key built into the application framework. (Default)
  3. TCF1 - Select this for backward compatibility for older versions that do not have this option.

Note:

If Core/Security/Policy/Enforce Password Policy on Next is selected, users may need to reset their passwords to meet new default requirements the next time they sign in.

Descriptions for the following Service Shell switches have also been updated:
1. Core/Security/Authenticate: Turn OFF to disable username/password authentication and permission checks. DEPRECATED! This switch may be removed in a future version.
2. Core/Security/Check Permissions: Turn OFF to disable permission checking (even if Authentication is still ON.) DEPRECATED! This switch may be removed in a future version.

DEVCORE3-5470