Bug Fixes

This section describes the bug fixes in this release.

Automation

  • Support global variables in application/x-www-form-urlencoded REST payloads

    Added support to use global variables in REST hook payloads when content type is application/x-www-form-urlencoded.Enables dynamic value substitution for external API calls in SaaS workflows without custom workarounds.Unblocks REST communication scenarios that require runtime payload values for customer integrations.

ADC

  • Resolved an issue where the service port swdtp-sv (10009) was not recognized during port validation. The service port mapping in the SDK has been updated to include this port, ensuring successful validation and improved compatibility with VIP port configurations.
  • Resolved an issue where the Application View widget displayed HTML characters instead of proper object details when objects were removed or modified on F5 GTM devices. Improved validation during configuration fetch operations to detect stale or invalid object references, ensuring accurate UI rendering of application objects.
  • Resolved an issue where the OOB "Fetch_F5 BIG-IP CVEs" workflow was failing repeatedly after scheduled execution.
  • Fixed an issue where the adc-object-hierarchy API was returning incorrect record type responses when fetching WIP hierarchy data.
  • Resolved an issue where object actions on AVI v22 devices failed during execution.
  • Resolved an issue where actions on AVI GSLB Pool members with Virtual Service mappings failed during execution.

CLM

  • Improved error handling for External Vault integrations during credential retrieval and certificate sync operations. This prevents device communication from proceeding when vault credential fetch fails. Additionally, enhanced failure handling to correctly update sync status for Server-category devices.
  • Resolved an issue in the Microsoft SQL certificate management integration where certificate regeneration and push operations created duplicate application connectors during subsequent discovery cycles.
  • Resolved the issue where duplicate connectors were being created for MSSQL push connectors after discovery.
  • Resolved the issue where temporary upload directory creation failed for Apache push/bind and Tomcat bind use cases when devices were configured with a service account user and access elevation set to None.
  • Resolved an issue in On-Prem environments where Apache Linux push operations failed during file upload when access elevation or service accounts were enabled.
  • Fixed certificate push failures caused by folder paths containing the reserved keyword "system" with proper error reporting.Improved error propagation for enrollment failures such as policy module denials so full diagnostic context reaches the user.Reduces troubleshooting effort by surfacing complete error causes instead of truncated or missing messages.
  • Added Private CA issuer certificates will now be correctly included in revocation checks, ensuring they are validated as expected.
  • Certificate public key information is now available in the Hooks Query Builder under the Certificate category.
  • A new Precertificate Deletion Job is now available to remove precertificate content on demand. Once deleted, users can retrieve the valid certificate by re-running upload, CA, device, or other discovery processes.
  • Certificate sync alert jobs will now consider the configured vendor and send notification emails only to the relevant vendor, based on the settings defined in the configuration.
  • The error messages during CSR generation have been improved. The system will now display clear and accurate error messages for both server and client certificate categories.
  • Windows servers are now correctly identified during the device discovery process in the certificate network discovery use case.
  • An issue with Windows post-push script execution has been resolved. Previously, SAN (Subject Alternative Name) values were not properly sanitized, leading to invalid payloads and request failures. The SAN values are now sanitized, preventing bad request payload issues.
  • An issue was identified where re-creating a scheduled discovery with the same name prevented the new discovery from being triggered due to a unique constraint conflict with previous discovery instances; this has now been resolved by appending a timestamp to the discovery name to ensure uniqueness and allow the scheduler to function correctly.
  • An issue was identified where certificates with a large number of pending workflows in application connector actions caused page slowness. This has been resolved by updating the latest workflow status during the workflow state change itself, instead of relying on UI-based loading, thereby improving page performance.
  • Certificates uploaded through Discovery will now also include and store trust store certificates present within file bundles.
  • The latest OV, DV, and EV OIDs have been updated in AppViewX, and certificates will now be accurately categorized based on their respective types.
  • Resolved an issue where certificate push operations to F5XC were shown as successful even when bind actions failed due to non-admin permissions.Updated task outcome handling to reflect actual execution status on the target device rather than UI-only completion.Improves operational accuracy by preventing misleading success states during permission-constrained CLM operations.
  • Resolved an issue where Linux and Windows device configuration fetch jobs remained stuck in In Progress during scheduled runs.Addressed validation handling errors that caused async requests to fail without proper terminal state transition.Improves reliability of midnight config fetch workflows and ensures failed jobs are surfaced with correct status.
  • Resolved an issue where certificate push operations to F5XC were shown as successful even when bind actions failed due to non-admin permissions.Updated task outcome handling to reflect actual execution status on the target device rather than UI-only completion.Improves operational accuracy by preventing misleading success states during permission-constrained CLM operations.
  • Resolved an issue where on-device PowerShell post-execution failed with “filename or extension is too long” during certificate push workflows.Improved script invocation handling for long command payload scenarios in Windows Gateway execution paths.Enhances stability of SQL Server post-push automation and reduces failures in PowerShell-based certificate operations.
  • Certificate Group ACL-Based Agent Settings Management

    Auto-enrollment agent settings (ACME, EST, SCEP, CMP, MS Intune) are now displayed based on certificate group ACLs, allowing users to view only permitted configurations. If a user group is deleted, associated settings are automatically moved to the default certificate group to ensure continued visibility and access.

  • EST Enrollment Performance and IoT Registration Fixes

    Resolved intermittent EST delays and timeouts during IoT device registration in Cloud Connector environments. Added Azure IoT Hub Shared Access Policy support and improved stability across machine, user, and other certificate enrollment and re-enrollment workflows.

  • ACME Account Creation Fix in SaaS

    Resolved SaaS ACME account creation failures caused by unsupported application/problem+json responses. Enhanced Cloud Connector to handle and propagate these error responses, improving compatibility and reliability of ACME workflows.

  • Resolved an issue where wildcard certificate requests with SAN failed during DNS verification due to “Check TXT record” step failures. The DNS Automation flow has been updated to validate all values in the verificationFQDNList, ensuring successful TXT record verification and preventing enrollment failures.

CLOUDKUBE

  • Resolved a bug in the Kube+ integration where certificate enrollment via the Secure Apps failed with an "InvalidName" error when the certificate name contained a period (.), for example, xx.test.tiaa-cref.org, even though the documentation explicitly permits both hyphens (-) and periods (.) in certificate names. The enrollment worked correctly when triggered directly through the Orchestrator, but the UI-level validation was incorrectly rejecting valid names.
  • Fixed a bug in which the cert-orchestrator across all clusters would go down, and clusters would be removed from inventory after a Spring platform upgrade, even though database entries remained intact. The root cause was a read-consistency issue in the tag management system: read operations immediately following a write (insert/update/delete) were not consistently using the MongoDB PRIMARY read preference, causing them to be routed to secondary replicas that may not have received the latest write due to replication lag, resulting in stale RBAC tag data and a violation of read-after-write consistency. The fix stabilizes the Kube RBAC tag update logic and optimizes the reconciliation trigger to ensure that tag create, update, and reconcile operations always read from the primary, preventing clusters from appearing as down due to stale metadata.

Platform

  • SMTP Configuration Loop in MFA Flow

    Resolved an issue where default SMTP settings (localhost) in the internal tenant caused a notification loop during MFA, leading to repeated failures and increased microservice load.

  • Resolved an issue where uacme account creation failed in SaaS when failure responses returned application/json instead of application/problem+json.Updated response handling logic to correctly process account-creation failure payload variations.Improves reliability of ACME account onboarding flows in SaaS environments.
  • Resolved an issue causing intermittent ~2 minute delays in Cloud Connector external REST calls used in IoT registration workflows.Addressed latency behavior that was triggering EST request timeouts in customer environments.Improves response consistency and removes a key production blocker for IoT onboarding workflows.
  • Resolved an issue where Intune configurations disappeared from UI when the linked certificate group was deleted while records still existed in the database. Fixed dependency-state handling to keep UI and backend state consistent when referenced certificate groups are missing.Prevents hidden stale configurations and supports correct lifecycle behavior for Intune setup management.

PKI

  • Resolved an issue where deleting expired CAs from PKI+ inventory failed with backend resource-not-found errors during disable/delete actions.Fixed inventory synchronization behavior that caused previously deleted CAs to reappear after scheduled refresh cycles.Improves reliability of CA lifecycle cleanup and ensures permanent removal of expired CAs from inventory.

Code Signing

  • Session Pool Handling for Improved Performance, Stability, and Reliability in Large-Scale Signing Operations

    Resolved an issue in dedicated Code Signing (Sign+) Cloud Connectors where signing operations could intermittently hang due to stale or disconnected TCP sessions between AppViewX and the HSM, typically caused by firewalls or intermediate devices terminating idle connections.

  • API Reference option has been enabled for environments where only the Code Signing license is active