Upgrading from Q4 2015 (20.2.26)
Before you upgrade to iMIS 2017 (20.2.64), be sure you thoroughly review the System requirements, New Features, and the following upgrade changes that have occurred since Q4 2015 (20.2.26).
iMIS 2017 (20.2.64) Upgrade Changes
Warning! It is important that you are on the latest Service Pack to ensure protection from known security vulnerabilities. See the iMIS 2017 Service Pack page for more details. Download the latest Service Pack from the ASI Support Portal.
The iMIS application must be installed using an internal network address
Due to security considerations, iMIS prefers application and client components be installed on the same internal network. Customers will have difficulty remotely accessing an iMIS client (Desktop or Advanced Accounting Console) from an external network; by default the iMIS Application and Client must be connected to the same internal (192.168.x.x, 172.16.x.x through 172.31.x.x, or 10.x.x.x) network. However, this range can be extended by adding the IntranetIps line below to the web.config file in the SystemParams configuration area as follows, where 203.0.113.0/24 is an example IP address block representing the address range of the network segment where your iMIS Desktop workstations or terminal server are installed:
<iMIS>
  <SystemParams>
    <add key="IntranetIps" value="::1,127.0.0.1,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,203.0.113.0/24" />
  </SystemParams>
</iMIS>
Otherwise, customers attempting to remotely connect to an iMIS client on a network that is external to the network on which the iMIS application server is located will be unsuccessful.
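The following Python audit of the IntranetIps value is an added example, not ASI's code and not part of the original page. It separates the default internal ranges from entries that extend the trusted range and checks whether a given client address would be covered. It assumes entries are matched by CIDR containment; the function names and the 256-address review threshold are illustrative choices.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the web.config fragment shown on this page.
SAMPLE_WEB_CONFIG = """
<iMIS>
  <SystemParams>
    <add key="IntranetIps" value="::1,127.0.0.1,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,203.0.113.0/24" />
  </SystemParams>
</iMIS>
"""

# Loopback plus the default internal ranges named on this page.
DEFAULT_INTERNAL = [
    ipaddress.ip_network(n)
    for n in ("::1/128", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def load_intranet_ips(config_xml):
    """Return the IntranetIps entries as ip_network objects, in file order."""
    root = ET.fromstring(config_xml)
    for node in root.iter("add"):
        if node.get("key") == "IntranetIps":
            raw = node.get("value", "")
            # strict=False tolerates entries written with host bits set.
            return [
                ipaddress.ip_network(part.strip(), strict=False)
                for part in raw.split(",")
                if part.strip()
            ]
    return []


def extends_trust(network):
    """True when the entry reaches outside the default internal ranges."""
    return not any(
        network.version == base.version and network.subnet_of(base)
        for base in DEFAULT_INTERNAL
    )


def audit(config_xml, max_external_addresses=256):
    """Classify each entry as 'default', 'extension' or 'too-broad'.

    max_external_addresses is an assumed review threshold, not an iMIS rule.
    """
    report = {}
    for net in load_intranet_ips(config_xml):
        if not extends_trust(net):
            report[str(net)] = "default"
        elif net.num_addresses > max_external_addresses:
            report[str(net)] = "too-broad"
        else:
            report[str(net)] = "extension"
    return report


def is_intranet(client_ip, config_xml):
    """Would this client address fall inside any configured entry?"""
    addr = ipaddress.ip_address(client_ip)
    # Containment is False (not an error) when IP versions differ.
    return any(addr in net for net in load_intranet_ips(config_xml))


if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_WEB_CONFIG).items():
        print(f"{entry:20} {verdict}")
    print("203.0.113.40 trusted:", is_intranet("203.0.113.40", SAMPLE_WEB_CONFIG))
    print("198.51.100.7 trusted:", is_intranet("198.51.100.7", SAMPLE_WEB_CONFIG))
```

Every entry reported as extension or too-broad widens the set of hosts that iMIS treats as internal, so each one should map to a known workstation or terminal server segment.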
Warning! If your organization stores credit card data via iMIS, PCI DSS v3.2.1 requirement 1.3.6 specifies that your iMIS SQL server be in an internal network zone, segregated from your DMZ and other untrusted networks. Even if you do not store credit cards, this is a best practice for protecting the privacy of your organization's and constituents' personally identifiable information (PII). If your iMIS application server or iMIS Desktop/AAC workstations or terminal servers have difficulty accessing your SQL server, be sure to allow those SQL DB IP addresses access to the SQL server's ports 1433 and 1434 in your firewall configuration.
Password reset token configuration removed from Web.config
The configuration setting for the password reset token (<add key="Authentication.PasswordResetTokenExpireMinutes" value="20" />), which allowed users to define the number of minutes the reset password token is valid, will no longer be defined through the web.config file. Any changes to this setting in the web.config file will be ignored.
The web.config setting has been replaced with an Account management setting, Authentication.PasswordResetTokenExpireMinutes, which is accessible from the Staff site (Settings > Contacts > Account management). For more information, see PasswordResetTokenExpireMinutes.
Session timeout settings modified for PCI compliance
The following changes have been made to the Session timeout settings in accordance with Payment Card Industry Data Security Standard (PCI DSS) regulations:
- The Enable session timeout system for system administrators (located at Settings > Contacts > Authentication > Session timeout) is now enabled by default to prevent misuse of idle user sessions. After the session timeout minutes are set, system administrators will receive a two-minute warning that their session is about to time out. For more on this setting, see Session Timeout.
- A pop-up message notifying users that their session is about to time out has been added. This pop-up works in conjunction with existing Session timeout settings. When a user's session is about to time out, they will be prompted to Sign Out or Stay Signed In.
Additionally, two Session timeout account notification messages have been added to the Account management section of the Staff site. The SessionTimeoutWarningMessage displays two minutes before a user's session times out, and the SessionTimeoutMessageSystemText lets the user know that the session has timed out. Both notification messages are customizable.
PCI-compliance security measures must be enabled for SysAdmins
PCI compliance requires that the following features be enabled and active for SysAdmins by the completion of installation or upgrade:
- Password Expiration -- SysAdmin passwords must expire within 90 days or less.
- Password Reuse -- SysAdmins cannot reuse any of their last four (or more) passwords.
- Session Timeout -- The SysAdmin session must time out after 15 minutes or less of inactivity.
PCI-compliance requirements allow these features to be made more restrictive (for example, you could set passwords to expire every 60 days), but these requirements cannot be turned off.
Note: If your organization does not process credit card transactions, the PCI requirements do not apply. Contact ASI Technical Support for assistance with disabling these features.
If you want to enhance your security further, these features can also be applied to non-administrators. In the Staff site, go to Settings > Contacts > Authentication. There are no required minimum values for non-administrators, and these features can be enabled or disabled as desired.
Connecting to the Advanced Accounting Console using HTTPS
For PCI compliance, https is enabled by default. After upgrading, you must make sure you update the Server URL in your Advanced Accounting Console. If you do not update the Server URL, you will not be able to use the Advanced Accounting Console. You must have a valid SSL certificate to use the Advanced Accounting Console when https is enabled.
Default servers are required to have an SSL binding
For PCI Compliance and overall security purposes, default websites are required to have an SSL binding. For more information about setting an SSL binding, see Setting up an iMIS site at the root of an IIS website.
Password lockout when requesting an authentication token from the REST API
When requesting an authentication token from the REST API, the system will correctly lock the associated account after five incorrect password attempts.
Password-related methods have been modified
The following methods have been modified:
- The method SetUserPasswordWithLogin no longer sends a communication to users when their password has been changed by staff.
- Communications sent using the methods SetUserPassword and SetUserPassword2 no longer contain the new password.
Changes to the EncryptString and DecryptString method calls
The EncryptString(string source) and DecryptString(string source) method calls (found in Asi.Security.Utility.Encryptor) are now using AES 256 (Advanced Encryption Standard) instead of triple DES (Data Encryption Standard). An overload was added for both: EncryptString(string source, bool useAES) and DecryptString(string source, bool useAES). If you are using these method calls in any custom code and you want to continue using the old DES encryption, you must call EncryptString(source, false) and DecryptString(source, false).
Key-encrypting key
iMIS keys use encryption for securing sensitive cardholder information. The encryption keys used to store this data are also encrypted using a string stored in a key-encrypting key file. The key-encrypting key file is created during upgrade, as is the random starting position within the key-encrypting key file.
Warning! It is recommended that you do not modify or remove the key-encrypting key file. It is possible to irreparably damage the ability to retrieve encrypted information, which will prevent you from being able to log in to iMIS. If you inadvertently change or delete the key-encrypting key, contact ASI Technical Support immediately.
Third-party gateway Xtenders
Warning! Any third-party payment gateway Xtenders that need to encrypt or decrypt passwords will not work after the introduction of the key-encrypting key. If you are using ActiveX extensions for Crypto, ASI recommends you do not upgrade your system at this time.
Security enhancement for password reset functionality
In order to provide enhanced security, the length of time for which password reset tokens are valid has been shortened. The email, which is sent to a customer in response to a request to reset their password, will be valid for 20 minutes from the time it is sent. If the customer does not create a new password within this time period, they will be required to submit a new request.
To adjust the expiration duration, go to Account management in the Staff site and configure the Authentication.PasswordResetTokenExpireMinutes setting.
Enhanced password security to meet PCI compliance
iMIS now provides enhanced password hashing to secure all user login passwords. This enhanced password security complies with PCI 3.2 guidelines.
Your users might be unable to sign in with a valid password in the following situations:
- If you have already strengthened the hashing algorithm to one not supported by this upgrade, and your users have already reset their passwords in response.
- If your users have passwords that do not meet current password requirements.
If your users are unable to sign in due to the enhanced password hashing, you must let your users know they will have to reset their passwords.
The ability to remove historical encryption data has migrated to iMIS Scheduler page
The ability to remove historical encryption data has been migrated from the DB Maintenance utility. iMIS SysAdmin users with Terminal access can log in to the iMIS Scheduler page and select to remove historical encryption data.
Update content item connections on existing donation pages
For existing donation pages, you must ensure you manually connect the Submit Order Button Link content item as an Object Consumer to the Payment Creator content item before you can begin receiving donations after upgrading. This action can be performed before you are upgraded, or after you have already upgraded.
Self-hosted customers can use the Content Browser utility to identify all affected content records.
Note: This change is to ensure that all clients remain in compliance with PCI 3.2 guidelines.
Include Contact ID in Join URL
Existing Join page links need to be updated to include the contact ID in the URL. This allows company administrators to join contacts without using On Behalf Of.
SQL Server 2012 requires Microsoft Report Viewer 2012 Runtime for subreport display
Upgraded systems using SQL Server 2012 require an installation of the Microsoft Report Viewer 2012 Runtime to properly display SSRS subreports. Failure to install this application will result in subreports not loading, accompanied by an error message. See Microsoft Report Viewer 2012 Runtime for more information.
.NET version update not compatible with older versions of iMIS
Installing .NET 4.6.2 is required for iMIS 2017 (20.2.64) and is supported for previous versions of iMIS beginning with iMIS Q4 2015 (version 20.2.26), but is not compatible with versions prior to iMIS Q4 2015. If you have multiple versions of iMIS installed on the same server and those versions are different, only those versions beginning with iMIS Q4 2015 can be installed on the same server as iMIS 2017. Versions of iMIS prior to iMIS Q4 2015 must be installed on a separate server without .NET 4.6.2 installed.
Discontinued support of Internet Explorer 8-10
Earlier this year, Microsoft announced the end of support for Internet Explorer versions 8, 9, or 10. Microsoft will no longer provide critical security updates for these unsupported versions, which may introduce vulnerabilities to your data. Therefore, effective in the next release, iMIS no longer supports Internet Explorer versions 8, 9, and 10. Be sure to review the system requirements for supported browsers.
For more information, see System Requirements.
Discontinued support of Windows 8.0 operating system
Microsoft no longer supports the Windows 8.0 operating system. This means that users will not receive automatic fixes, or critical updates, which leaves systems running on this version open to security breaches. As a result, effective in the next release, iMIS will not support Windows 8.0. Please review the System Requirements for supported operating systems.
New business object: CsContactBasic
A new business object, CsContactBasic, has been added. This business object is for basic contact information, and is more efficient than CsContact.
Use the following business objects when querying:
- CsContactBasic – for basic contact information from the Name table
- CsContact – for financial or group membership information
- NetContact – if you need a GUID contact key
Many sample queries have been updated to use the new CsContactBasic business object.
New configuration option for the Invoice Payment Link content item
The Invoice Payment Link content item has a new configuration option, Enable join button for non-members and inactive members. This option enables a Join Now button on a contact's profile page. Staff users and company administrators can use this button to join as a member on behalf of the contact.
This new option is not enabled by default; however, this option is automatically enabled when the Invoice Payment Link content item is added to a content record.
Removal of ContentWorkflow.exe
The ContentWorkflow.exe has been removed and replaced with the Content and Navigation Workflow scheduled task in iMIS Process Automation. After upgrading, ensure that this task has been enabled and correctly configured in order to receive expiration notices of content and navigation that will be removed.
Removal of TributeNotificationContactID
The TributeNotificationContactID field has been removed from the GiftReport table, and removed from the related business objects (GiftHistory and GiftsReceived). The data from this column can be referenced from Trans_Notify.NOTIFY_ID.
Trans_Notify is a multi-instance table which more accurately reflects multiple notify contacts if a tribute was entered through the iMIS Desktop or the Advanced Accounting Console. If any custom IQA queries or reports relied on the TributeNotificationContactID column, they must be updated to use either:
- CsTransNotify.Notify Id if showing all notify contacts per tribute is desired.
- FirstNotifyContactPerGift.Notify Id if showing just one notify contact per tribute is desired.
The FirstNotifyContactPerGift business object works for tributes made through the web where only one notify contact is allowed. This business object also keeps the donation from appearing multiple times within a query even if it has multiple notify contacts. To find queries that may need updating, we recommend running the Query Browser utility and clicking the Find All button in the section Scan for Bad Queries.
Removal of Content Html C# script blocks
On upgrade, C# script blocks will be removed from out-of-the-box Content Html content items. Any copied Content Html content items will no longer support C# script blocks, including any custom code that was added to any content. Once these content items are saved and published the C# script block will be removed.
JavaScript script blocks will continue to be supported. If JavaScript cannot be used instead of C#, the C# code needs to be ported to a first class content type and a new content item needs to be created.
Contact Account Creator simplified
The Confirm email and Confirm username fields have been removed from the Contact Account Creator content item.
Unsupported website themes
The following master pages and associated themes are no longer supported, and will eventually be removed:
- Forest: Aspen, Aspen Mobile, Aspen2, Birch
- Planets: Mars, Mercury, Venus
- Mountains: Everest
Each of these themes is marked as Deprecated in the Starter Database. If you are currently using one of these out-of-the-box themes, we recommend using a different theme, or creating and applying a copy of the theme. See Using out-of-the-box-themes for more information.
Crystal reports deprecated from the Staff site
Crystal Reports 9 runtime will no longer be installed, and 32-bit Crystal reports have also been deprecated from the Staff site. Crystal Report functionality for the Desktop and Advanced Accounting Console has not changed and will remain the same. User-created Crystal reports will not be deleted from the Staff site, but iMIS will not recognize the report as an accepted file format to be displayed. If you are using any of these reports, it is recommended that you recreate the report using IQA.
All iMIS Crystal reports have been removed from the Staff site, along with the following Continuum navigation items:
- Campaign reports
- Segmentation reports
- RFM reports
- Process Manager reports
Desktop source codes
Previously, source codes were created using general lookup/validation tables. In this release of iMIS, source codes are no longer created using general lookup tables, and are instead created through iMIS Marketing Campaigns. See Setting up campaigns for more information related to source codes.
Removal of Email a Friend
The Email a Friend functionality is deprecated. If you have links pointing to the Email a Friend page, you will see a message. The Social Share content item is the suggested replacement.
EntityManager class removed from API
The EntityManager class was removed from the API, including the FindSingle method. As a replacement, you should use Find(QueryData query) and FindByIdentity(IdentityData identity).
Consolidated SOA data contracts
Breaking changes have been made to the SOA data contract libraries. All SOA contracts are now consolidated to one Asi.Contracts.dll library. Namespaces and class names remain unchanged. Projects referencing data contract libraries will require updating.
Remotely accessing the REST API
As a security enhancement, users must now be granted permission to remotely access the REST API. To grant access, add the RemoteService security role to approved users.
Changes to internal API for IQA
Some breaking changes to internal ASI API signatures have been made, including the internal API for IQA. This does not affect the supported SOA consumers.
Process any unposted import batches
Changes have been made to the way that import batch data is stored. Previously, import batch data was saved to the file system. Now the import batch data will be saved to the iMIS database in the ImportBatch table.
Before upgrading, be sure to completely process and post all previously uploaded import files including:
- Donations
- Campaign source codes
- Friendraising activities
- Standing Order payment files
Any previously processed import batch data will not be imported into the ImportBatch table.
The following SOA data contracts have been removed:
- Asi.Soa.Communications.DataContracts
- ImportSourceCodeBatchsummaryData
- ImportSourceCodeBatchData
- ImportSourceCodeBatchRequest
- Asi.Soa.Core.Datacontracts Namespace
- ImportLogData
- ImportLogDataCollection
For more information, see the iMIS SDK Developer Guide.
Multi-factor authentication preventing login with MembershipWebService API
If multi-factor authentication is enabled, system administrators will not be able to log in using the MembershipWebService API. System administrators must either log in as a non-system administrator user, or disable the multi-factor authentication in the Staff site.
Google Maps API key now required
A change to Google's API requires that users have a Google Maps API key in order to utilize Google Maps on their websites. To obtain a Google Maps API key, see the Google Maps API documentation. To enter this key in iMIS, go to Settings > RiSE > Quick setup, and enter the key in the Google Maps API key field.
Note: Depending on your usage, you may need to begin paying for this service. See Google's API Usage Limits for more information.
The DB Maintenance Tool and Panel Editor
When using the DB Maintenance Tool to add a multi-instance data source for use by the panel editor, the DB Maintenance Tool will no longer create the trigger asiUDMBO_<table name>_Insert. For tables created prior to this release, you should manually delete the same trigger if you intend to use the table as a multi-instance panel editor data source.
DemoDB renamed to StarterDB
Formerly known as DemoDB, the StarterDB is an existing database that is preconfigured with sample data, such as out-of-the-box Quick Start Sites. When installing iMIS, select StarterDB from the Use an existing database drop-down.
Accessing the WSDL metadata definition
In order for the WSDL definition to be properly accessed by third-party vendors, the out-of-the-box web.config file for the Scheduler site must be modified:
- Open the C:\AsiPlatform\Asi.Scheduler_[your instance]\web.config file.
- Change the line:
<serviceMetadata httpGetEnabled="true" httpGetUrl="" />
to the following:
<serviceMetadata httpGetEnabled="true" httpGetUrl="" httpsGetEnabled="true" httpsGetUrl="" />
Default publishing server must be enabled for process automation tasks to run
The Default publishing server must be enabled.
First, configure the Redis caching service to be accessible by any secondary servers:
- Locate the Redis folder on the Default server at C:\Program Files (x86)\Redis.
- Edit the redis.windows-service.conf configuration file. Change the line:
bind 127.0.0.1
to the following:
bind 0.0.0.0
Note: This will expose the Redis service publicly.
- Do the following to prevent unauthorized access through Redis:
  - By default, Redis uses port 6379. Limit access to this port to specifically trusted IP addresses only. At a minimum, this includes the addresses of any secondary iMIS servers.
  - To secure the host service’s port, configure Internet Protocol Security (IPSec) to prevent unauthorized access. For complete walkthroughs of Internet Protocol Security (IPSec) on Windows, see Microsoft’s IPSec guidance.
  - To verify that the Redis Internet Protocol Security (IPSec) is working as expected, download the Redis Desktop Manager to a machine that should not have access. Attempt to connect to the Redis server. You should be unable to connect to the Redis server.
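The following Python check of redis.windows-service.conf is an added example, not ASI's code and not part of the original page. It reports whether the effective bind setting listens beyond loopback, which is the condition that makes the port 6379 filtering described above mandatory. It also reports whether the standard Redis requirepass directive is set, which this page does not cover; the function names are illustrative and a repeated directive is assumed to take its last value.

```python
import ipaddress

# Constructed sample of redis.windows-service.conf after the bind change
# described on this page.
SAMPLE_CONF = """\
# Redis configuration (constructed sample)
port 6379
bind 0.0.0.0
# requirepass <placeholder>
"""


def parse_directives(conf_text):
    """Return {directive: [args]} for non-comment lines.

    A repeated directive keeps its last occurrence (assumed precedence).
    """
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def audit_redis_conf(conf_text):
    """Summarise network exposure implied by the configuration text."""
    directives = parse_directives(conf_text)
    port = int(directives.get("port", ["6379"])[0])
    binds = directives.get("bind", [])
    if not binds:
        # With no bind directive Redis listens on every interface.
        exposed = True
    else:
        exposed = any(not ipaddress.ip_address(a).is_loopback for a in binds)

    findings = []
    if exposed:
        findings.append(
            f"port {port} listens beyond loopback: restrict it by firewall/IPSec "
            "to the secondary iMIS servers"
        )
        if "requirepass" not in directives:
            findings.append("requirepass not set: network filtering is the only control")
    return {"port": port, "bind": binds, "exposed": exposed, "findings": findings}


if __name__ == "__main__":
    result = audit_redis_conf(SAMPLE_CONF)
    print("bind:", result["bind"], "exposed:", result["exposed"])
    for finding in result["findings"]:
        print(" -", finding)
```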
If the Default publishing server is disabled, your scheduled tasks will not run. If the Default publishing server is changed, then you must restart both the new and the former Default publishing servers.
For multi-server installs, you must use the same Default publishing server for all servers. Modify the web.config file for secondary servers to point to the primary server's URL:
- Locate the web.config files in the root of the website:
- C:\Program Files (x86)\ASI\iMIS\Net\web.config
- C:\AsiPlatform\Asi.Scheduler_[your instance]\web.config
Note: If you are not self-hosted, you must contact your host for assistance modifying web.config files.
- Modify the following in the web.config file:
  - Modify the <setting key="EntityManagerDefaultBaseUri" value="https://[www.yourdomainname.com]/asi.scheduler_[instance]" /> line to point to the primary server's URL.
  - Modify the <setting key="localhost" value="[server_name]" /> line to include a value for the primary server’s machine name.
Publishing Server Code must be unique on all servers
In multi-server installs, the Publishing Server Code must be unique on all servers. The upgrade process will ensure there is only one publishing server marked Default:
- If you do not already have an existing publishing server, the upgrade process will create a publishing server that is then set as Default.
- If you have a single existing publishing server, the upgrade process will set that publishing server as the Default.
- If you have more than one existing publishing server sharing a database, the upgrade process will set one of the publishing servers as the Default per database.
After upgrade, you can verify the existence of a single default publishing server by going to RiSE > Maintenance > Publishing servers. The Default column will indicate which publishing server is the default.
Setting different time zones for instances on the same server
System Administrators can set the time zone of an iMIS database instance independent of other databases on the same server. If multiple instances are hosted on the same server, they do not have to use the time zone of the database server.
Upon upgrade, the new time zone setting is set to the pre-upgrade time zone of the database server. If hosting multiple databases on one server, you might decide to modify the time zone on a database instance. Before you change this setting, go to Setting the system Time zone to review items to be aware of.
Connect to a database when launching the Content Browser and Query Browser
The ContentBrowser.exe and QueryBrowser.exe now require database information before launching, such as the SQL Server Instance, Database User, Database Name, and User Password.
Existing iMIS instances created using the Multi-Instance Utility cannot be upgraded
The current iMIS Installer is not aware of existing iMIS instances created using the Multi-Instance Utility available in previous versions of iMIS, as those instances were not created using an installer. The Multi-Instance Utility functionality is now part of the iMIS Installer. iMIS instances created using the Multi-Instance Utility cannot be upgraded using the iMIS Installer. However, the instance can be recreated using the iMIS Installer.
Removal of Communities content from the search index
If you modified your C:\AsiPlatform\Asi.Scheduler_[your instance]\web.config file to prevent Communities from being indexed for search, that file is overwritten upon upgrade and your modified code is removed.
There is a new system setting to address disabling publishers, which will respect the disabled Communities publishing. The Communities checkbox in the Indexing preferences settings page will be deselected, and Communities will not be indexed for search.
Process automation
Users that have not purchased the Process automation - Plus license have been provided a limited ability to modify out-of-the-box alerts and tasks that includes adding and editing triggers, data sources, and actions. For more information, see Process automation FAQ.
Scoring
Users that have not purchased the Scoring - Plus license have been provided limited Scoring abilities. Scoring is now a licensed feature in iMIS:
- Scoring - Standard allows users to use and make basic changes to any starter formula included with iMIS, enable or disable specific score formulas, redefine starter-score formulas, display a contact's engagement score on your website, create Process Automation alerts (if licensed for Process Automation), and use scoring data in your own dashboard queries.
- Scoring - Plus gives users full control over scoring, allowing users to define an unlimited number of scores and reconfigure existing scores.
For more information, contact your AiSP or ASI Technical Support.
Changes to iATS and SecurePay payment gateway configuration
When configuring the iATS or SecurePay payment gateway, you must specify the Host URL. If no Host URL is specified:
- The ASI-hosted tokenization engine will default to the North American URL for iATS.
- SecurePay uses the Merchant ID and Password to determine whether a live or test URL should be used.
AutoPay service address moved and renamed
The AutoPay service address has been moved from Commerce to Finance under general Settings. It is now called DataVault service address.
Recurring membership queries have been updated
The following IQA queries have been updated to remove the column Frequency:
- $/Membership/DefaultSystem/Queries/AutoPay/Automatic payment enrollments
- $/Membership/DefaultSystem/Queries/AutoPay/Members enrolled in automatic payments
- $/Samples/Dashboards/AutoPay/Membership/Auto-pay membership details
- $/Samples/Dashboards/AutoPay/Membership/Cancelled membership enrollments
AR Statement report has been updated
The AR Statement report has been renamed as Account Statement. The updated report features an optional ID parameter, and a new header alignment.
Fundraising SSRS reports have been updated to remove legacy Appeal
Desktop Fundraising SSRS reports that made reference to an Appeal have been renamed to label the data as Source Code. This change is consistent with the Staff site Marketing module.
Certain user-created event queries and reports require a new filter
With the addition of event templates, the CsEvent business object was modified. This modification prevents event templates from appearing in system query results. However, if you are using a custom query or report that does not use a CsEvent business object but is still returning event templates (for example, custom SQL data sources for an SSRS report, custom business objects, or custom IQAs), you will need to modify the data source so that event templates do not appear in the results.
If the report or business object contains the Meet_Master table, then apply the following filter:
Meet_Master.Template_State_Code=0
Otherwise, you need to join tables to Meet_Master and apply the filter.
Contact security queries have been updated to return unique results
The AllUsersAccessQuery has been modified. By default, this query ($/Samples/Security/UserAccess/Contacts available to all users) is now configured so that the Only display unique results option is enabled. This ensures that duplicate contact rows are not returned, as this can cause the query to fail and search indexing to be interrupted, resulting in new contacts not being searchable through the keyword search.
Interaction Log type of Print
Currently, every issued receipt that was sent has an Interaction Log type of Email. After this release, the Interaction Log type will now include either Print or Email. Issued receipts that were printed previous to this release will continue to have the Interaction Log type of Email.
Recurring donation invoice queries have a hidden InvoiceRefNum column
The following queries used by the Batch Invoice Payment Processing content item have been updated to include a hidden code_InvoiceRefNum column:
- Find recurring donation invoices
- Find recurring donation invoices ALL
- Find recurring donation invoices TODAY
If you have created custom queries that are used by the Batch Invoice Payment Processing content item, you must update those queries to include the code_InvoiceRefNum column. Use the following values:
- Property - Reference Num
- Alias - code_InvoiceRefNum
If your queries are not updated, you will receive an error.
Scoring queries use new business object
Scoring queries now use the new business object, NetContactBasic. This business object is now the preferred method to get the Contact Key. It prevents duplicate records from being created for combo records.
Navigation items moved
The following Commerce settings navigation items have been moved to Finance:
- Automatic payment gateways
- AutoPay Status
- Payment method sets