Secured Authentication Tokens
Users can restrict the authentication tokens used by process steps so that only tokens with the minimum permissions needed to accomplish the step are created. Also, authentication tokens are now encrypted in storage, and existing tokens can be updated to the new encryption standard.
Increased Detail in Audit Logging
The audit log now specifies whether the user used an authentication token to log in and more detail about the security settings that were changed.
Additional Permissions Added
Specific permissions have been added to upgrade and delete agents, delete agent relays, and edit post processing scripts.
Optional Manual Task Notifications
Choose notification options for manual tasks including no notification. You can restrict approvals for manual task to the person who started the deployment.
Full z/OS Component Versions
Components using z/OS now have the option to use full or incremental versions.
Greater support for creating Terraform documents in the blueprint designer. The blueprint designer now combines different provider syntaxes into one, unified graphical representation.
Enhancements to the Terraform extensions (provider, provisioner) for IBM UrbanCode Deploy.
Plug-ins Atom Feed
Stay up-to-date on all new plug-in releases by following the UrbanCode Plug-ins Atom feed. Subscribe using your favorite RSS/Atom feed reader.
Enhancements in this Release
|105917||Provide different types of audit entries for different types of authentication requests|
|106531||Provides unique auditLog entries to be able to determine specific setting changed in all cases within #security/roles|
|91193||Require permissions/access to upgrade and delete agents and agent relays|
|97944||need more granular control of edit & execution perms for Post Processing Scripts|
Fixes in this release
|PI89546||ERRORS WHEN EDITING RESOURCE TREE CONTAINING (,), AND / CHARACTERS|
|PI89496||CAN’T EDIT COMPONENT TEMPLATE WITHOUT MANAGE TEAMS PERMISSION|
|PI88865||COMPONENT PROCESS NEVER STARTS AFTER APPROVALS|
|PI88439||Server does not start after upgrade: ‘String contains ASCII control characters’|
|PI85953||COMPLETED PROCESSES ARE SHOWING AS RUNNING IN UI|
|PI84661||AGENTS CAN BE ASSIGNED TO RESOURCES THAT THE USER DOESN’T HAVE PERMISSION TO VIEW OR EDIT IN THE APPLICATION CREATION WIZARD|
|PI82670||OUTPUT LOG CAN’T BE VIEWED FROM THE UCD UI|
|PI80996||LAST VERSION IN APPLICATION’S COMPONENT TAB SHOWS ARCHIVED
|PI67556||SOME SOURCE CONFIG PLUGINS DO NOT SUPPORT “PRESERVE EXECUTE
|PI65004||UNABLE TO USE BATCH EDIT ON ENTRIES WITH MULTIPLE LINES|
|PI57072||UNABLE TO CHANGE DATE RANGE AFTER A REPORTS INITIAL DATE SELECTION|
|PI92399||DISABLE HEAT ENGINE CONVERGENCE MODE IN OPENSTACK NEWTON OR HIGHER TO USE BLUEPRINT DESIGNER|
|PI92351||WHEN IMPORTING A COMPONENT THAT INHERITS COMPONENT TEMPLATE PROPERTIES, COMPONENT PROPERTIES DO NOT GET IMPORTED.|
|PI84409||IMPORTING COMPONENTS WITHOUT COMPONENT/COMPONENT TEMPLATE PROPERTIES CAUSES ERROR IN LOGS.|
|PI85894||YOU CAN MAP AGENTS DURING THE APPLICATION WIZARD DESPITE NOT HAVING AGENT: CREATE RESOURCE PERMISSION|
|PI87384||Component template can’t be imported if it contains new processes|
|PI88211||UNABLE TO LOAD “WORK ITEMS” TAB|
|PI88507||SNAPSHOT CANNOT BE LOCKED IF RESOURCE CONTAINS “/ ” IN THE NAME|
|PI93742||POST PROCESSING SCRIPT MAY EXECUTE BEFORE THE OUTPUT LOG HAS BEEN FULLY WRITTEN|
|Security Bulletin||Multiple Vulnerabilities in Apache Tomcat affects IBM UrbanCode Deploy (CVE-2017-7674, CVE-2017-7675)|
|Security Bulletin||Authenticated Users Can Gain Privilege in IBM UrbanCode Deploy (CVE-2017-1493)|
Severe Defect in Unfixed 126.96.36.199
188.8.131.52 contains APAR PI93742, which can cause plugin steps to fail even if they have actually succeed. To avoid APAR PI93742, upgrade 184.108.40.206 to 220.127.116.11.ifix01, and then upgrade all agents.
Starting in 18.104.22.168
Starting the server for the first time may take longer than usual. For very large installations, allow an extra hour for the first server startup. Subsequent startups will take the regular amount of time.
Users now do not receive notifications based on their membership in a role on the System Team. Users will have to be added to the correct role on a different team as well to receive notifications.
The server now deletes all contents of the var/temp directory on server startup.
Starting in 22.214.171.124
Process requests from deleted environments will now be deleted. To keep process requests from deleted environments, add this property to the installed.properties file: com.urbancode.ds.cleanup.HistoryCleanup.disableDeletedEnvironmentCleanup=true
Starting in 126.96.36.199
The UCD_SESSION_KEY header has been renamed to UCD_CSRF_TOKEN. The previous name is also accepted until 6.3 when it will be removed from the product.
Users now require the “Execute” permission on agents in order to run processes against them. All existing user roles will receive this permission when upgrading from a version before 188.8.131.52. When upgrading, ensure that any user that needs to execute processes is on the same team as the agents required to run those processes.
Starting in 184.108.40.206
You must upgrade Agent Relays when upgrading from a version below 220.127.116.11. Also, the TLS protocol 3DES is no longer supported.
After upgrading from before 18.104.22.168, users will not be able to view or delete agent relays until they have been granted permission to those relays. Relays that existed before the upgrade are only added to the System Team by default. For users to view agent relays, a user with Manage Security permission should give the correct roles the new For relays that existed before the upgrade, a user with Manage Security permissions will have to add the agent relays to the correct teams and give the correct roles the Agent Relay view and edit permissions.
When upgrading an IBM UrbanCode Deploy agent, end-to-end JMS encryption will automatically be enabled on all agents. In order for agent communication to function properly with end-to-end encryption enabled, the IBM UrbanCode Deploy server and agent clocks need to be synchronized to within a few minutes. To disable this feature, add the line
agent.jms.disable_full_encryption=true” to the agent’s
conf/agent/installed.properties file before upgrading the agent.
Starting in 22.214.171.124
If you are upgrading from version 126.96.36.199 and earlier, servers and relays must be upgraded at the same time. Agents connected through relays may not connect successfully until both server and relay are upgraded. This is due to an incompatibility between versions of an library used by UCD.
Starting in 188.8.131.52, authentication tokens will be obfuscated in the UI and REST API after their initial creation. Scripts and users will only be able to retrieve the full authentication token immediately after creating it.
The silent install of the IBM UrbanCode Deploy server hangs when prompting for the value of the server installation directory (
install.server.dir). To workaround the problem, run the following instead of calling
echo "" > answerFile.txt echo "" >> answerFile.txt ./install-server.sh < answerFile.txt (or install-server.bat < answerFile.txt for Windows installations)
Starting in 184.108.40.206
The IBM UrbanCode Deploy server and agent relays now require a Java Runtime Environment (JRE) or Java Development Kit (JDK) version 8. If you are updating or changing the JRE to the latest version, see
Changing or updating the JRE of servers and Updating the JRE location for agent relays for instructions. For documentation on the IBM JRE, see IBM SDK, Java Technology Edition.
Starting in 220.127.116.11
To ensure that all secure property values are obscured, the values of all properties in the history for existing deployments are obscured. In the deployment history for deployments that you run after you upgrade, only secure properties are obscured in the logs.
New security features erase old component version import logs to hide secure information. If you want to keep the logs, in the installed.properties file, set the com.urbancode.ds.cleanup.sourceConfig.fullCleanupSkip property to true.
Plan & Prepare
For fixes contained in this release, and any known issues, review the release notes.
For supported platforms and requirements, see the reports that can be dynamically generated using the Software Product Compatibility Reports (SPCR) tool.
Note: Some supported plug-ins have system requirements that vary from the core product. Information on system requirements for individual plug-ins is available on the download page for that plug-in.
To get started quickly to try the software, IBM UrbanCode Deploy is shipped with an Apache Derby database. Apache Derby deployments are not supported for production environments. As you plan your production topology, review the installation guide.