keycloak-scim/upgrading/topics/keycloak/changes-21_0_0.adoc
Alexander Schwartz 43a02cb821 Algorithms are not links to click but properties to be set.
As external link validation fails due to a redirect to HTTPS, keep them as text.

Follow-up to #1738
2023-01-26 12:57:04 +01:00


= Keycloak uses Micrometer for metrics
Keycloak provides an optional metrics endpoint which exports metrics in the Prometheus format.
In this release, the implementation that provides this data switched from SmallRye to Micrometer, which is the https://quarkus.io/guides/micrometer[recommended metrics library for Quarkus].
Due to this change, metrics have been renamed.
The following table shows some examples.
Before upgrading, it is recommended to review all metrics returned from the endpoint before and after the change, and to update their usage in dashboards and alerts.

.Examples of changed metrics names
|===
|Old metric name |New metric name

|`base_gc_total`
|`jvm_gc_pause_seconds_count`

|`base_gc_time_total_seconds`
|`jvm_gc_pause_seconds_sum`

|`base_thread_count`
|`jvm_threads_live_threads`

|`vendor_agroal_*`
|`agroal_*`
|===

= Deprecated RSA_SHA1 and DSA_SHA1 algorithms for SAML
Algorithms `RSA_SHA1` and `DSA_SHA1`, which can be configured as `Signature algorithms` on SAML adapters, clients and identity providers, are deprecated. We recommend using safer
alternatives based on `SHA256` or `SHA512`. Also, verifying signatures on signed SAML documents or assertions with these
algorithms does not work on Java 17 or higher. If you use one of these algorithms and the other party consuming your SAML documents is running on Java 17 or higher, verifying signatures will not work.
A possible workaround is to remove algorithms such as `++http://www.w3.org/2000/09/xmldsig#rsa-sha1++` or `++http://www.w3.org/2000/09/xmldsig#dsa-sha1++` from the list
of "disallowed algorithms" configured on property `jdk.xml.dsig.secureValidationPolicy` in the file `$JAVA_HOME/conf/security/java.security`.
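
To find out which SAML documents still need migrating, the following added example (not part of the Keycloak documentation or code base) lists the deprecated signature algorithms used in a SAML document and checks whether a given `java.security` policy rejects them. The function names and both sample inputs are constructed for illustration; the `disallowAlg` entry syntax is the one the JDK uses in `jdk.xml.dsig.secureValidationPolicy`.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
DEPRECATED = {DSIG + "rsa-sha1", DSIG + "dsa-sha1"}
PROP = "jdk.xml.dsig.secureValidationPolicy"

def disallowed_algorithms(java_security_text):
    """URIs listed as 'disallowAlg' in the secure validation policy property."""
    logical, buf = [], ""
    for raw in java_security_text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):           # value continues on the next line
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    algs = set()
    for entry in logical:
        key, _, value = entry.partition("=")
        if key.strip() == PROP:           # a later definition replaces an earlier one
            parts = [item.split() for item in value.split(",")]
            algs = {p[1] for p in parts if len(p) == 2 and p[0] == "disallowAlg"}
    return algs

def audit(saml_xml, java_security_text):
    """Return (algorithm URI, rejected by policy?) for each deprecated SignatureMethod."""
    blocked = disallowed_algorithms(java_security_text)
    # ElementTree is fine for documents you control; use defusedxml for untrusted input.
    root = ET.fromstring(saml_xml)
    found = [el.get("Algorithm") for el in root.iter("{%s}SignatureMethod" % DSIG)]
    return [(alg, alg in blocked) for alg in found if alg in DEPRECATED]

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_POLICY = """\
# constructed excerpt in the format of $JAVA_HOME/conf/security/java.security
jdk.xml.dsig.secureValidationPolicy=\\
    disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\\
    disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\\
    maxTransforms 5,\\
    noDuplicateIds
"""
SAMPLE_SAML = """<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
</Response>"""
print(audit(SAMPLE_SAML, SAMPLE_POLICY))
```

A result of `True` for an algorithm means a consumer running with that policy will fail to verify the signature, so the signing side should move to a `SHA256` or `SHA512` based algorithm.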