10. Updates

Warning

Before updating, please assure, that you have a backup of your encryption key and also of your database. Having a backup of your linotp.ini file is also a good idea!

10.1. Updating from LinOTP 2.6.1.1 to LinOTP 2.7

LinOTP 2.7 is a major release that contains some big package structure changes.

In our effort to be completely open source we have removed our EE (Enterprise Edition) packages and merged them into the old CE (Community Edition) packages leaving you with packages that contain all the features. The CE/EE terminology is obsolete.

If you had previously edited your linotp.ini to activate the audit trail please update the file and replace:

linotpAudit.type = linotpee.lib.Audit.SQLAudit

with:

linotpAudit.type = linotp.lib.audit.SQLAudit

10.1.1. Updating a deb install

If you are updating from one of our repositories simply:

apt-get update && apt-get upgrade

If you previously had a LinOTP Community Edition you may want to additionally install the linotp-smsprovider package:

apt-get install linotp-smsprovider

If you are installing via dpkg you have to remove the obsolete packages first:

apt-get remove linotp-ee linotp-useridresolver-ee
dpkg -i linotp linotp-useridresolver linotp-smsprovider

The LinOTP Admin clients have been renamed:

  • linotp-adminclient-ce is now called linotp-adminclient-cli
  • linotp-adminclient-ee is now called linotp-adminclient-gui

Install them like this:

sudo apt-get install linotp-adminclient-gui linotp-adminclient-cli

10.1.2. Updating a pip install

Before upgrading to LinOTP 2.7 you need to remove the obsolete EE packages:

pip uninstall LinOTP-EE LinOtpUserIdResolverEE

Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):

pip install --upgrade LinOTP LinOtpUserIdResolver SMSProvider

After this you need to restart your LinOTP webserver.

To upgrade the LinOTP Admin clients you have to remove the obsolete packages first:

pip uninstall LinOTPAdminClientCE LinOTPAdminClientEE
pip install LinOTPAdminClientCLI LinOTPAdminClientGUI

10.1.3. Changelog

LinOTP core

  • Integrated linotp-ee package into this package, adding:
    • Support for SQL Audit
    • Tools such as: linotp-decrypt-otpkey, linotp-tokens-used, linotp-backup, linotp-restore, etc.
    • Support for HSM
    • eTokenDat, PSKC, DPWplain and vasco token import
  • Fixed broken custom-template handling (#12555)
  • Fixed some corner cases of JSON and CSV audit output (#12550, #12556)
  • Fixed erroneous QR-Code generation
  • Pinned WebOb version to < 1.4 due to incompatibility with Pylons (#12586)
  • WebUI: Moved ‘License’ menu entry to ‘Help/Support’
  • WebUI: Added ‘Help/About’ dialog
  • WebUI: Cleaned up a little and exchanged the LinOTP logos

Documentation

  • Adapted to new package structure (linotp and linotp-ee as well as linotp-useridresolver and linotp-useridresolver-ee have been integrated into a single package)
  • Fixed warnings and made general corrections
  • Exchanged LinOTP logo

LinOTP admin client

  • Renamed package from linotp-adminclient-ce to linotp-adminclient-cli
  • Renamed package from linotp-adminclient-ee to linotp-adminclient-gui
  • Exchanged LinOTP logo
  • Removed M2Crypto dependency, since license verification is done on the server

UserIdResolver

  • Integrated linotp-useridresolver-ee package into this package, adding support for:
    • LDAP and AD UserIdResolvers
    • SQL UserIdResolvers

10.2. Updating from LinOTP 2.6.1 to LinOTP 2.6.1.1

LinOTP 2.6.1.1 is a patch release for LinOTP 2.6.1

SMSProvider 2.6.1.1 has one new dependency:

  • socksipy, either contained in httplib2 >= 0.7 or from its own package.

10.2.1. Updating a deb install

Install the necessary dependencies:

apt-get install python-socksipy

Unfortunately on Debian and Ubuntu you are forced to install the python-socksipy package because Debian Squeeze does not support python-httplib2 >= 0.7 and therefore requires python-socksipy.

If you have downloaded all packages you need to issue the following command:

dpkg -i linotp_2.6.1.1-1_all.deb \
        linotp-smsprovider_2.6.1.1-1_all.deb \
        libpam-linotp_2.6.1.1-1_all.deb

10.2.2. Updating a pip install

Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):

pip install --upgrade linotp pam_py_linotp

A SMSProvider pip installation will need following additional python package:

  • httplib2 >= 0.7 or socksipy.

To upgrade the enterprise edition components you need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/SMSProvider-2.6.1.1.tar.gz

After this you need to restart your LinOTP webserver.

10.2.3. Changelog

LinOTP core

  • Fixed Yubikey token so it supports LinOTP/RADIUS challenge-response
  • Removed ‘const’ JS variable that broke IE9
  • Added Yubikey public ID to token description when importing CSV file (#12417)
  • Fixed erroneous active-token-count in WebUI (#12523)

SMS Provider

  • Fixed HTTPSMSProvider on Debian Squeeze with httplib2 0.6 (#12510)

PAM LinOTP

  • Fix build of binary package on Launchpad

PAM Python LinOTP

  • Fixed package build

10.3. Updating from LinOTP 2.6.0.3 to LinOTP 2.6.1

LinOTP 2.6.1 has two new dependencies:

  • python-migrate for additional client information in the Audit trail and
  • python-httplib2.

10.3.1. Updating a deb install

Install the necessary dependencies:

apt-get install python-migrate python-httplib

Download all necessary LinOTP packages and issue the following command:

dpgk -i linotp_2.6.1-1_all.deb \
        linotp-ee_2.6.1-1_all.deb \
        linotp-useridresolver_2.6.1-1_all.deb \
        linotp-useridresolver-ee_2.6.1-1_all.deb \
        linotp-smsprovider_2.6.1-1_all.deb

10.3.2. Updating a pip install

A pip installation will need following additional python packages:

  • httplib2,
  • sqlalchemy-migrate.

These should be installed automatically when issuing the commands:

pip install --upgrade linotp
pip install /path/to/LinOtpUserIdResolverEE-2.6.1.tar.gz
pip install /path/to/LinOtpUserIdResolver-2.6.1.tar.gz
pip install /path/to/SMSProvider-2.6.1.tar.gz

Check with:

pip freeze

10.3.3. Changelog

LinOTP core

  • Added support for BasicAuthentication to HttpSMSProvider
  • Prevent resolver creation with same name (and different case)
  • Improved /auth/index forms and deprecated /auth/requestsms
  • Improve entropy by using /dev/urandom (#12243)
  • Added streaming output to audit/search JSON and CSV (#12392)
  • Made wildcard search in SQL Resolver more precise (#12135)
  • Small graphical WebUI fixes (#12229)
  • Added possibility to change the phone number of SMS token (#2953)
  • Require * for wildcard token search (#2838)
  • Removed PIL as a hard dependency (you may use pillow-pil) (#12409)
  • Only enable apache site on first installation (not upgrade) (#12246, #12457)
  • Supress error during installation if no ‘lse_release’ exists #(12237)
  • Shorten UserIdResolver display string in UserView (#2678)
  • Added python-httplib2 dependency
  • Added challenge-response and http-POST to remote token (#12433, #12451)
  • Added challenge-response to RADIUS token (#12432)
  • Added client information to audit log (#12417)
  • Enable ‘Enter’ key in auth/index forms (#12103, #12446)
  • Allow SmtpSMSProvider to raise exceptions (#12419)
  • Several challenge-response error handling fixes (#12416, #12420, #12427)
  • Several OpenID fixes (#12415, #12428, #12265, #12190, #12264)
  • Fix hostname/port FQDN splitting (#12410)
  • Added man page for linotp-auth-radius
  • Removed obsolete log warnings and errors (#12396, #12443)
  • Prevent challenges from being sent when multiple tokens match (#12413)
  • Fixed check_yubikey so that it supports two slots (#12477)
  • Enabled realm assignment during Yubikey enrollment
  • Added autoassignment for Yubikeys
  • Added new policy ‘ignore_autoassignment_pin’
  • Removed newlines in token CSV export (#12465)

LinOTP EE

  • Solved some SQLAlchemy unicode warnings
  • Added streaming output to audit/search JSON and CSV (#12392)
  • Removed deprecated FileAudit (use SQLAudit instead) (#12434)
  • Added client information to audit log (#12417)
  • Improved help message of linotp-sql-janitor tool

UserIdResolver

  • Made wildcard search in SQL Resolver more precise (#12135)
  • Fix LDAP Resolver error that occurs during checkstatus (#12442)

LinOTP admin client

  • Added dependency for python-usb
  • Enabled realm assignment during Yubikey enrollment
  • Added client information to audit log (#12417)

Documentation

  • Removed FileAudit documentation since FileAudit is deprecated (#12434)
  • Documented additional PasswdResolver fields (e-mail, telephone) (#12418)
  • Added Howtos from website to documentation (#12430)
  • Documented new OpenID storage database options (#12415)
  • Updated package dependencies (#12395, #12452, #12409)
  • Documented new policy ‘ignore_autoassignment_pin’

libpam LinOTP

  • Remove user check in libpam-linotp since the existence of the user is not a prerequisite (VPN, automount) (#12429)

SMSProvider

  • Allow SmtpSMSProvider to raise exceptions (#12419)

10.4. Updating from LinOTP 2.6 to LinOTP 2.6.0.3

LinOTP 2.6.0.3 is a patch release for LinOTP 2.6 and 2.6.0.x.

10.4.1. Updating a deb install

If you have downloaded all packages you need to issue the following command:

dpkg -i linotp_2.6.0.3-1_all.deb \
        linotp-useridresolver-ee_2.6.0.3-1_all.deb

10.4.2. Updating a pip install

Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.0.3.tar.gz

After this you need to restart your LinOTP webserver.

10.4.3. Changelog

LinOTP core

  • Fix problem with LDAPS connection (#12431)
  • Catch token exceptions to prevent errors when processing several tokens (#12416)

UserIdResolver

  • Fix error that prevented LDAP Resolver from unbinding (#12423)

10.5. Updating from LinOTP 2.6 to LinOTP 2.6.0.1

LinOTP 2.6.0.1 is a patch release for LinOTP 2.6.

10.5.1. Updating a deb install

If you have downloaded all packages you need to issue the following command:

dpkg -i linotp_2.6.0.1-1_all.deb \
        linotp-useridresolver_2.6.0.1-1_all.deb \
        linotp-useridresolver-ee_2.6.0.1-1_all.deb \

10.5.2. Updating a pip install

Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.0.1.tar.gz

After this you need to restart your LinOTP webserver.

10.5.3. Changelog

LinOTP core

  • Added radius client testing tool “linotp-auth-radius”, which supports challenge response
  • Fix the otppin=2 (no pin) problems with email and totptoken (#12399 #12398)
  • Fix for email token to support otppin=2 (closes #12398)
  • Fix ‘Logout’ button (closes #12371)

UserIdResolver

  • Bind the resolvers object to the request for performance. closes #12372
  • Improved sqlresolver checkpass to also support {sha} and {ssha} passwords.

Command line client

  • Added automation, send token list via email or upload to windows share (#12390)

10.6. Updating from LinOTP 2.5.2 to LinOTP 2.6

LinOTP 2.6 introduces a common challenge response mechanism. For this a new table “challenges” was added to the database model.

10.6.1. Updating a deb install

If you have downloaded all packages, you need to issue the following command:

dpkg -i linotp_2.6-1_all.deb \
        linotp-ee_2.6-1_all.deb \
        linotp-useridresolver_2.6-1_all.deb \
        linotp-useridresolver-ee_2.6-1_all.deb \
        linotp-doc_2.6-1_all.deb \
        linotp-smsprovider_2.6-1_all.deb

Note

If you want to use the new challenge response mechanism with your RADIUS clients, you also need to update the FreeRADIUS packages.

10.6.2. Updating a pip install

Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOTP-EE-2.6.tar.gz
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.6.tar.gz
pip install --upgrade /path/to/LinOtpDoc-2.6.tar.gz
pip install --upgrade /path/to/Smsprovider-2.6.tar.gz

To create the new table “challenges” run:

paster setup-app <your-path-to>/etc/linotp2/linotp.ini

After this you need to restart your LinOTP webserver.

10.6.3. Changelog

  • Added Challenge Response functionality for all tokens.
  • Added Challenge Response Policy (#12234)
  • Searching for tokens in the WebUI now uses wildcards. To find “benjamin” you will have to search for “ben*”. “ben” will return nothing.
  • Added UserPassOnNoToken Policy (#12145)
  • Export token list to csv (#2963)
  • Add additional user attributes in the token list api (#12187)
  • Export audit list to csv (#2963)
  • Added /auth/index3 with 3 lines (#12138)
  • Use Yubikey with prefix like the serial number (#12039)
  • Enroll Yubikey with Challenge Response and Yubikey NEO (#12186)
  • SMS-Token: The mobile number can now be used in the mailto field (#12151)
  • Add non-blocking behaviour when sending SMS OTP (#2986)
  • The token description can be set in the WebUI (#12163)
  • The Resolver dialog now start the realm dialog if no realm is defined (#12160)
  • The yubikey in Yubivo mode (with 44 characters output) is supported (#2989)
  • Import Yubico CSV in Yubico mode for Yubikeys, that were generated with the Yubico personalization tool (#12326)
  • The token type list is sorted when enrolling in the management WebUI (#12231)
  • The authorize policies can contain regular expressions for the token serial number (#12197)
  • Added script ‘linotp-token-usage’ for token statistics (#12299)
  • Added severals cripts for simpler installation and maintenance: linotp-create-certificate, linotp-create-enckey, linotp-create-auditkeys, linotp-fix-access-rights (#2883)
  • /validate/check can return addition token details of the authenticated token. Configured by the policy ‘detail_on_success’ (#2661)
  • Support for eToken dat file import (#12124)
  • Policies can now be deactivated and activated (#2903)
  • Added new token type E-mail token, that sends OTP via smtp (#2704, #12332)
  • Improve pam_linotp for build process and challenge response support (#12176)
  • Using POST instead of GET requests in selfservice UI (#12161)
  • Improved the HTML online help, to be available online from linotp.org or installed on the server
  • Removed several misleading error messages during installation
  • Improved several error messages
  • rlm_linotp now also builds on Ubuntu 12.04 (#12154)
  • Improved the certificate handling for the LDAP resolver (#12089)
  • Improved the performance when loading many users in the WebUI (#12076)
  • Fixed a padding problem in the OCRA token (#12202)
  • Fixed the logout link in the management Web UI (#12022)
  • Fixed SMS token without serial number (#12322)
  • Fixed the signature checking in the SQL audit module (#12267, #2700)
  • Fixed apache config to use secure cookies (#12148)

10.7. Updating from LinOTP 2.5.1 to LinOTP 2.5.2

10.7.1. Updating a deb install

With version 2.5.2 the naming of some packages changed:

old name in version 2.5.1 new name in version 2.5.2
linotpuseridresolver linotp-useridresolver
linotpuseridresolveree linotp-useridresolver-ee
linotpdoc linotp-doc
smsprovider linotp-smsprovider

Transition packages with the old names are used to perform the update.

You need to issue the following command:

dpkg -i linotpuseridresolver_2.5.2-1_all.deb \
        linotpuseridresolveree_2.5.2-1_all.deb \
        linotpdoc_2.5.2-1_all.deb \
        smsprovider_2.5.2-1_all.deb \
        linotp_2.5.2-1_all.deb \
        linotp-ee_2.5.2-1_all.deb \
        linotp-useridresolver_2.5.2-1_all.deb \
        linotp-useridresolver-ee_2.5.2-1_all.deb \
        linotp-doc_2.5.2-1_all.deb \
        linotp-smsprovider_2.5.2-1_all.deb

Afterwards you can remove the old packages:

dpkg -r linotpdoc linotpuseridresolver linotpuseridresolveree smsprovider

10.7.2. Updating a pip install

Issue the following command to update your pip installation (LinOTP Server Installation – the tar.gz, virtualenv and pip way):

pip install --upgrade linotp

Then upgrade the enterprise edition components. You need to download the latest version from the customer portal and issue the commands:

pip install --upgrade /path/to/LinOTP-EE-2.5.2.tar.gz
pip install --upgrade /path/to/LinOtpUserIdResolverEE-2.5.2.tar.gz
pip install --upgrade /path/to/LinOtpDoc-2.5.2.tar.gz
pip install --upgrade /path/to/Smsprovider-2.5.2.tar.gz

10.7.3. Changelog

Dokumentation

  • Added documentation for MS SQL server support.
  • Added howto for forwarding RADIUS request depending on LDAP group membership.
  • Added Yubikey documentation for Yubikey NANO.

LinOTP Server

  • Added dynamic token modules. All tokens can now be loaded dynamically.
  • Added policy import and export.
  • Added possibility to display action history in selfservice.
  • Added new Token: Yubikey in orignial yubikey mode (44 characters) to authenticate with the yubico online cloud service.
  • Added a script (linotp-pip-update) to update a pip installation.
  • Added authentication to ocra controller.
  • Added the possibility to give the CA certificate with the LDAP Resolver when using LDAPS.
  • Added univention UCS / LinOTP documentation.
  • Added users and resolvers to policies in selfservice, authentication, enrollment and authorization.
  • Added a policy checker to the WebUI.
  • Assign Token by OTP value in selfservice.
  • Implemented additional API to to a get_serial_by_otp in selfservice.
  • Improved policies: exclude clients.
  • Improved PSKC import to import OCRA suite.
  • Increase font size (style italic) to make it easier to assign a token to a user.
  • Limit size of realm and resolver dialogs. If hundret resolvers or realms are defined, the dialog is too big.
  • Make the cookie a secure cookie, means it must be transferred via SSL
  • Performance fix - reduce userid lookup.
  • Add poissibility to set maximum auth count and validity period.
  • The mobile number (instead of phone) will now be used in selfservice for SMS token.
  • closed: More detailed information when the SMS is sent via /validate/check of /validate/smspin.
  • closed: The preset of the mobile number for an SMS token is now contained in the token.mako file.
  • closed: The user was not able to authenticate to selfservice.
  • closed: Deprecation Information about searching tokens.
  • closed: Use SecureFormatter in linotp.ini.
  • closed: The sms text from the policy is used to send the SMS.
  • closed: We require python 2.6.
  • closed: Make sure that genkey is in defined range.
  • Renamed the webprovissionOCRA to activateQR.
  • Reverted to the timeStepping=30 for the setup.
  • fixed: Correct audit entry, when the userpassword (otppin=1) is wrong.
  • fixed: Added a search button to flexigrid.
  • fixed: Added SecureFormatter to be able to remove non printable characters from the log args
  • fixed: The audit trail does not show entries with sqlalchemy 0.8.0
  • fixed: The setting of the OCRA PIN does not work in the WebUI.
  • fixed: Return space instead of empty string in case of MS SQL server
  • fixed: Problems with redundant MS SQL server.
  • fixed: Problem, that an admin was not able to view the users in the realm he has rights to.
  • fixed: The broken FileAudit module.
  • fixed: The possiblity to do cross site scripting in the doc controller. (serve documentation statically)
  • fixed: Problems in token search.
  • fixed: User enumeration with validate/smsping.
  • fixed: Tokeniterator exact user match.
  • fixed: Permissions for SSL privkey and who.ini.
  • fixed: The system settings (WebUI) are not stored, if data on another tab is missing.
  • fixed: OCRA bug for missing leading zeros - truncation to last digit.

GTK Client

  • The Yubikey can now be enrolled with GTK client based on python 2.7.
  • Modified the GTK client this way, that the realm filter is always available.
  • Added the possibility to give the CA certificate with the LDAP Resolver.
  • Added import of policies to GTK client.
  • Added the possiblity to export the policies to a file.
  • Audit log now shows the last entry first.
  • Added eToken enrollment command line tools.
  • Fixed missing dependency for configobj.
  • Fixed the jumping of the filter cursor.
  • Fixed display of policy in GTK client.

10.8. Updating from LinOTP 2.5.0 to LinOTP 2.5.1

10.8.1. Updating a deb install

Issue the command:

dpkg -i linotp_2.5.1_all.deb linotp-ee_2.5.1_all.deb linotpuseridresolveree_2.5.1_all.deb \
    linotpdoc_2.5.1_all.deb python-qrcode_2.4.2_all.deb

10.8.2. Updating a pip install

Warning

Before updating a pip installation you very much need to backup your files in /etc/linotp2! The pip installing logic is not that sophisticated, it might overwrite existing config files. So please backup at least: /etc/linotp2/linotp.ini and /etc/linotp2/encKey!

If you have installed LinOTP using pip as described in LinOTP Server Installation – the tar.gz, virtualenv and pip way, you first can upgrade the main server components via the internet to the latest version:

pip install -–upgrade linotp

Then upgrade the enterprise edition components. You need to download the newer version the customers portal:

pip install qrcode
pip install –-upgrade /path/to/packages/LinOTP-EE-2.5.1.tar.gz
pip install –-upgrade /path/to/packages/LinOtpUserIdResolverEE-2.5.1.tar.gz
pip install –-upgrade /path/to/packages/LinOtpDoc-2.5.1.tar.gz

10.8.3. Changelog

LinOTP Server

  • added QR-Code enrollment in management web UI and selfservice portal
  • added QR-Code image to reply
  • added HTML documentation for LinOTP Web UI
  • added import OCRA seeds via CSV
  • added possibility to send 500er HTTP error instead of status:false
  • added alert-box (pop under)
  • added support for AD uidType DN, objectGUID and sAMAccountName
  • added man pages for command line tools
  • improved python PIP installation
  • improved performance with dynamic token classes
  • define the contents of the lost password token (#806)
  • only active tokens are counted for the licensing (#810)
  • using sqlalchemy for where clauses in SQLResolver
  • fixed translation
  • fixed broken totp resync
  • fixed empty password are neglected ldap_simple bind
  • fixed connection close() in checkMapping()

10.9. Updating from LinOTP 2.4.4 to LinOTP 2.5.0

10.9.1. Updating a deb install

Before updating, please assure, that you have a backup of your encryption key and also of your token database.

Issue the command:

dpkg -i linotp_2.5.0-8_all.deb linotp-ee_2.5.0_all.deb linotpuseridresolveree_2.5.0-2_all.deb

If you want to use OCRA functionality you also need to update your database. You can do this by issuing the command:

paster setup-app /etc/linotp2/linotp.ini

After this please check the access rights of your logfiles in /var/log/linotp/.

10.9.2. Updating a pip install

Warning

Before updating a pip installation you very much need to backup your files in /etc/linotp2! The pip installing logic is not that sophisticated, it might overwrite existing config files. So please backup at least: /etc/linotp2/linotp.ini and /etc/linotp2/encKey!

If you have installed LinOTP using pip as described in LinOTP Server Installation – the tar.gz, virtualenv and pip way, you first can upgrade the main server components via the internet to the latest version:

pip install –-upgrade linotp

Then upgrade the enterprise edition components. You need to download the newer version the customers portal:

pip install –-upgrade /path/to/packages/LinOTP-EE-2.5.0.tar.gz
pip install –-upgrade /path/to/packages/LinOtpUserIdResolverEE-2.5.0-2.tar.gz

10.9.3. Changelog

LinOTP Server

  • Added OCRA token and QR-TAN functionality.
  • Make TOTP token honor DefaultOTPLength configuration.
  • Fixed bug, where a previous OTP value could be used again.
  • Added support for DB2 Token database.
  • Added framework of security modules to support HSMs to store the encryption keys.
  • Added TOTP Google authenticator to self service .
  • Improved SQLuserIdResolver (Performance).
  • Improved LDAPResolver (entryUUID or ObjectGUID).
  • Added passthru policy to authenticate users without token.
  • Added client IPs to policies.
  • Selfservice: added reset of failcounter.