New in v2026.6.1
OpenIAM version 2026.6.1 delivers a set of enhancements focused on platform architecture, access certification reliability, connector stability, and overall usability.
This release introduces a new certification-manager microservice that extracts access certification compute out of the ESB into its own independently scalable service with a dedicated database, query injection protection for PowerShell connectors, and filtering of terminated users in access certification campaigns. In addition, it resolves a wide range of stability and UI issues across password management, access reviews, connectors, provisioning, and the Webconsole.
New features
Platform architecture
OE-4130 – Certification Manager extracted into its own microservice
Access certification — campaign configurations, access review items, and all campaign compute (initialization, scope filtering, report generation, review completion, revocation handling, and reviewer notifications) — has been pulled out of openiam-esb and into a new standalone microservice, certification-manager, with its own dedicated certification database.
Why this matters:
- Large certification campaigns can be scaled and tuned independently of the ESB.
- Reduced ESB memory pressure during active campaign windows.
- Failure isolation — certification jobs can no longer impact ESB API traffic.
- The Activiti review workflow remains in the
workflowservice; its certification steps delegate compute tocertification-managerover RabbitMQ.
What's introduced:
- A new deployable:
certification-manager. Shipped as a new Helm chart (helmcharts/certification-manager/). - A new database,
certification, which now ownsCERTIFICATION*andACCESS_REVIEW_ITEM*tables, plus newCERTIFICATION_REVIEWERandCERTIFICATION_REVIEWER_ESCALATIONtables. These are no longer maintained in theopeniamDB. - An automatic, one-shot migration that copies existing certification data from the legacy
openiamdatabase into the newcertificationDB on first start (triggered by settingorg.openiam.certification.migrate-from-openiam=true). Primary keys are preserved so in-flight Activiti workflows are not affected. Subsequent starts are no-ops.
Note for customers with custom Groovy scripts: The base class CustomCertificationHelper has moved packages. Update imports in any customized Groovy scripts:
org.openiam.batch.manager.initializer.AccessCertificationHelper→org.openiam.certification.initializer.CertificationHelper
Out-of-the-box scripts in conf/iamscripts/bpm/certification/ have already been updated.
See the full upgrade and configuration steps in RPM and Kubernetes.
Access reviews and certification
OE-3964 – Terminated users filtering in access certification campaigns
Terminated users are now excluded from access certification campaigns by default. Previously, all users — including those with a terminated status — appeared in campaign user lists, creating unnecessary noise.
Updated behavior:
- Only users with active access requiring certification are included in campaigns.
- Terminated users with active entitlements can be included for security-focused review when configured.
- Campaign configuration supports selecting: active users only, terminated users only, or both.
See User based review and Entitlement based certification for campaign configuration details.
Connectors and security
OE-4171 – Query injection protection for PowerShell connectors
Implemented query injection protection for PowerShell connectors using the PowerShell language parser.
Key capabilities include:
- Detection of harmful operations at the language and execution-tree level.
- Protection against file write operations, external POST calls, and dangerous cmdlets such as
Remove-Item,Invoke-Expression, and similar execution primitives. - Connector-level enforcement that prevents misuse regardless of the script source.
See Installing PowerShell connectors and Using PowerShell connectors.
Enhancements and tasks
Platform and infrastructure
OE-3884 – rpm-utils: switched to Amazon Corretto JVM
Updated rpm-utils to use Amazon Corretto 21 instead of the deprecated OpenJDK, aligning the RPM installation with the JVM used in Docker deployments.
This improvement enables:
- Consistent JVM across RPM and Docker installations.
- Support for migrating customers from one JVM to another while preserving certificates imported into
cacerts.
OE-3887 – Improved RPM init and upgrade scripts
The RPM init and upgrade scripts are now more flexible to reduce the need for customization in non-standard environments, including VMs hardened by STIG where mounted volumes have insufficient space or /tmp has the NOEXEC flag set.
UI and user experience
OE-3945 – Role manager: resource filter restored when adding resource to role
Fixed a usability issue in Webconsole → Access Control → Roles → Role Entitlements where the resource name filter did not narrow results when using "Add Resource to Role."
OE-4192 – Improved display of completed UAR campaigns
Due dates on completed campaigns now render in a muted style so they read as historical rather than upcoming. Composite campaigns are also excluded from the emergency filter so it accurately reflects only active emergency reviews.
Bug fixes
Access reviews and certification
OE-3968 – UAR reports download failure
Resolved an error that prevented users from downloading UAR reports from the UAR Reports section.
OE-4191 – Completed campaigns disappear from reviewer dashboard
Fixed an issue where campaigns were no longer visible to reviewers after transitioning to COMPLETED status when filtering by reviewer.
The reviewer filter previously resolved reviewers from AccessReviewItem.currentReviewer, a field that is cleared on campaign completion. The filter now queries CampaignStep.reviewers (the CAMPAIGN_REVIEWERS table), which persists all step reviewers — including escalated and delegated ones — for the full campaign lifecycle.
See Campaign dashboard.
Authentication and password management
OE-4056 – Password reset via security questions fails within grace period
Resolved a 500 error returned by /idp/rest/api/password/public/auth-questions when a user's password was expired but still within the grace period. The RESULT_SUCCESS_PASSWORD_EXP error code was not handled in AbstractPasswordController.doQuiteLogin(), causing it to fall through to the default 500 branch.
OE-4144 – SelfService: Change Password Extended fails after question-based authentication
Fixed an issue in SelfService Center → Change Password Extended where the password change failed with a generic error after successful security question verification.
OE-4145 – SelfService: password recovery methods fail with generic error
Fixed an issue where TOTP, voice, and email authentication methods in the Change Password Extended flow all returned a generic error instead of proceeding with the password reset workflow.
OE-4215 – Force password change prompt fires on every login
Resolved an issue where the "Force password change on first login" prompt appeared on every login rather than only the first, trapping users in an infinite password-change loop.
OE-4250 – "Password Never Expires" no longer conflicts with expiry fields
Fixed a contradiction where enabling "Password Never Expires" did not suppress Password Expiration Days and Grace Period, causing RESULT_PASSWORD_EXPIRED errors even when the policy intended no expiry.
See Password policy for configuration details.
Connectors and provisioning
OE-3889 – Linux connector: NullPointerException in RabbitMQ message processing
Resolved a NullPointerException in TestConnectorConnectionListener.processingRequest() that caused the Linux connector to fail during provisioning request processing via the Spring AMQP RabbitMQ listener.
OE-3911 – rpm-utils: rproxy configuration updated for mobile app support
Applied the mobile app rproxy socket push auth fix to rpm-utils, so that RPM installations include the correct rproxy configuration for mobile app functionality.
OE-4128 – Orphan Management: orphan users not visible on the Orphan Management page
Resolved a 404 error on the orphan search endpoint (/rest/api/orphans/orphan-search) that caused orphan users to not appear in the Orphan Management page. See Orphan management.
OE-4140 – Workday connector: employee sync fails due to RabbitMQ message size limit
Fixed an issue where the Workday connector serialized the entire employee dataset into a single RabbitMQ message, exceeding the 128 MB broker limit and silently failing after ~1.8 hours of data fetching.
The fix implements batching in SearchUserCommandExecutor.collectWorkerData() so the employee list is split into smaller chunks sent as multiple MQ messages, each staying within the size limit. See Workday connector.
OE-4185 – Role: old managed system not removed after changing to a new one
Fixed an issue where changing the managed system assigned to a role left the previous managed system visible alongside the new one in Role Entitlements.
OE-4194 – Connector: screen goes blank when adding a policy map template
Resolved a blank screen error that occurred in Provisioning → Connector → Policy Map Template when clicking Add.
OE-4202 – Connector: duplicate custom fields allowed in connector configuration
Fixed an issue that allowed the same custom field to be added multiple times to a connector configuration.
UI and user experience
OE-4117 – Classic user entitlement view: start/end date save fails for Organization
Resolved an invalid date format error that prevented saving start and end dates when adding or editing an organization entitlement in the classic user entitlement view.
OE-4168 – Webconsole: Managed System Viewer fields missing after clicking Edit
Fixed an issue where fields in the Managed System Viewer were not displayed or not retained after clicking the Edit (pencil) icon on a user's managed system record.
OE-4169 – Webconsole 500 error on Connector List page after fresh RPM install
Resolved a ClassNotFoundException for head_common_tag that caused a 500 error on any Webconsole page using the <t:head_common> tag on fresh RPM installations, due to a JSP classloader issue with Spring Boot's embedded Tomcat.
OE-4182 – Access control: adding parent role causes blank screen and console error
Fixed a React rendering error that caused the Webconsole to display a blank screen when attempting to add a parent role under Access Control → Roles → Organization.
OE-4183 – Access control: parent group not saved in group entitlements
Resolved an issue where adding a parent group in Group Entitlements failed to save.
OE-4184 – Business Rule Action Group: group and role search not filtering correctly
Fixed search and filtering behavior in Business Rule Action Groups where entering a search term did not correctly narrow the list of AD groups or roles returned.
OE-4195 – Droppable item list: UI elements break when dragged
Fixed visual breakage in drag-and-drop lists in System Configuration (system tab) and Page Template, where dragging an item caused duplicate entries or misalignment of the entire template.
OE-4201 – Page template: metadata type lists all types regardless of grouping
Fixed an issue where selecting a metadata grouping did not filter the metadata type dropdown — all types were displayed regardless of the selected group.
OE-4205 – Mail and phone validation errors when saving new user
Resolved false validation errors for area code, country code, phone number, and email fields when creating a new user via a template that includes phone and email fields, even when all values were correctly filled in.
Platform and infrastructure
OE-4252 – Backported 4.2.1.x client fixes
Applied several fixes previously delivered as hotfixes for 4.2.1.x customers:
- Fixed provisioning principal status for non-OpenIAM managed systems when there is nothing to send.
- Fixed an rproxy log error caused by an incorrect date format received from ESB for the token.
- Fixed user search when combining phone, email, address, and attributes in a single
searchBean. - Fixed a possible record creation issue in
BATCH_SCHEDULE. - Fixed
findAllByIdfor login by splitting into parts to stay within SQLINclause limits. - Fixed recursion in the batch scheduler.
- Added attribute, phone, email, and address details to audit logs in OpenSearch.
Minor updates
- New
certification-managermicroservice for independent certification scaling and ESB isolation. - Connector security and stability improvements, including PowerShell query injection protection and Workday employee sync batching.
- Access certification reliability fixes across campaign visibility, reviewer tracking, and terminated user handling.
- Password management, Webconsole UI, and provisioning stability fixes, including backported 4.2.1.x hotfixes.
- SelfService v2 redesign extended to cover Pending Approvals, Access Profile, Password History, My Devices, and Consent History screens.
- Webconsole Orphan Management and Connectors pages rebuilt on the modern UI stack.