
The most recent patch for this version is 26.1.1.

Version: 26.1

Migrating to ADS 26.1

Info: This guide is intended for users familiar with ADS who are planning a deployment or upgrade to version 26.1.

Axiomatics Decision Service (ADS) 26.1 introduces significant architectural changes, native integration for Attribute connectors, and built-in Contextual Authorization Query (CAQ) functionality.

To accommodate this new functionality, ADS now operates in three distinct modes:

  • ads: core ADS service only.
  • caq: specialized mode with only CAQ functionality enabled.
  • ads_caq: combined mode running both the core ADS service and CAQ functionality.

Depending on your current deployment, the primary migration paths are:

  • ADS 1.x or 2.x -> ADS 26.1 (ads mode)
  • CAQ -> ADS 26.1 (caq mode)

Optionally, you can deploy ADS in ads_caq mode, which combines the core ADS service with CAQ capabilities. Review the guidelines below based on your current version and target deployment mode.

| Current deployment | Target mode | Focus areas |
|---|---|---|
| ADS 1.x | ads | Account for all changes listed below, as they are not backward-compatible. Skip the CAQ-related information. |
| ADS 1.x | ads_caq | Account for all changes listed below, including all CAQ-related information. |
| ADS 2.x | ads | License format; Integration of Attribute connectors. Other changes listed in this guide do not affect your deployment. |
| ADS 2.x | ads_caq | License format; Integration of Attribute connectors; CAQ functionality details |
| CAQ | caq or ads_caq | License format; CAQ functionality details. Deploy ADS following the instructions provided in this documentation set. |

CAQ functionality

Starting with version 26.1, ADS includes CAQ functionality to execute reverse queries. A reverse query identifies the specific authorization access requests that would result in a given Policy Decision Point (PDP) decision.

The combined ads_caq mode is recommended only for proofs of concept (POCs), pre-production, or low-performance environments. For production environments requiring both ADS and CAQ, we strongly advise deploying them as separate services to ensure optimal performance and scalability.

Note: You must acquire the appropriate license for your chosen operating mode. This applies even if you are migrating from standalone CAQ to ADS 26.1 running exclusively in caq mode.

License format and file

Running ADS 26.1 requires a new license file if you are upgrading from versions prior to ADS 2.x. If you are already on ADS 2.x, no action is required. The new license file is named axiomatics_ADS.license, in contrast to the prior axiomatics_PDP.license.

| Current deployment | Target mode | License |
|---|---|---|
| ADS 2.x | ads | No action required |
| ADS 2.x | caq or ads_caq | New license needed |
| CAQ | Any mode | New license needed |
| Other | Any mode | New license needed |

Spring Boot

ADS 26.1 utilizes the Spring Boot framework, offering a modern and flexible architecture that simplifies configuration, enhances integration options, and improves diagnostics. Key impacts of this migration from Dropwizard include:

  • Changes to configuration properties in the deployment.yaml file.
  • Replacement of Dropwizard's health checks with new endpoints.
  • Adoption of the Spring Boot model for application lifecycle events and initialization.

Changed functionality

The key functional changes compared to the previous version are:

Metrics and monitoring

Monitoring and observability are now handled through new endpoints. ADS now supports Prometheus (pull), InfluxDB (push) and Azure Application Insights backends.

Domain configuration

All domain-related settings are now grouped under the top-level domain key in the deployment.yaml file.

  • ADS 1.x: Domain configuration was often stored in XML.
  • ADS 26.1: Domains are no longer supported in XML and are exclusively declared under the domain: key in YAML format. All domain-related properties, such as path, refreshInterval, and maxRetries, are grouped under this key.

Service ports and endpoints

Previously (ADS 1.x), administration and application endpoints used separate, customizable ports. ADS 26.1 defaults to a single port defined under server.port in deployment.yaml, but separate configuration remains an option.

Authentication

Authentication configuration has been refactored. While ADS 1.x supports Basic, none, and Token-based authentication, the structure and behavior have changed in ADS 26.1.

  • Authentication is now configured under spring.security.
  • Authentication is enabled by default in ADS 26.1 and is controlled through the authentication.enabled property.
  • JWT token-based authentication is now supported through Spring Security.
  • Passwords can be hashed using {bcrypt}, {sha256} or {pbkdf2}.
  • Authentication for remote domain retrieval is now supported (Basic or OAuth2).

Here's a quick comparison between the two ADS versions:

| Feature | ADS 1.x | ADS 2.x and 26.1 |
|---|---|---|
| Basic auth | authentication.type | spring.security.user |
| Disable auth | authentication.type: none | authentication.enabled: false |
| Token support | Custom | JWT/OAuth2 |
| Password hashing | SHA-256 hashed | Built-in hash formats supported |
| Remote domain auth | Supported | Basic / OAuth2 |

Logging

Logging configuration has been refactored in ADS 26.1, shifting from Dropwizard-based setup to Spring Boot–style configuration using YAML. The available log levels remain the same, but the structure and options for customization have changed.

  • Log levels are now defined under logging.level.root instead of a flat level property.

  • The loggers property used in ADS 1.x has been replaced by direct keys under logging.level, such as com.axiomatics.audit.

  • Output settings like appenders and timeZone are no longer supported in deployment.yaml.

  • Custom log output (file, console, or JSON) is now controlled by providing a Logback configuration file using the logging.config property.

  • ADS audit logs are now generated in JSON format by default, offering reduced log size, enhanced readability, and improved overall performance for ADS. (CAQ logs are available in XML format exclusively.)

    Note: You can still configure ADS to output audit logs in XML format if required.

  • Dropwizard’s internal logging structure has been removed.

See Audit logging for details.

Attribute connectors

ADS 26.1 bundles all standard Attribute connectors (SQL, Table, LDAP, HTTP, and Parser) for both K8s and JAR deployments by default. You no longer have to manually download and install the Attribute connector JARs.

If you need to use custom Attribute connectors or add external dependencies such as JDBC drivers for SQL-based connectors, you can use a custom image and include them in the container image by placing the .jar files in the resources/lib/ directory before deployment. This ensures they are available on the classpath when ADS starts.

Deprecated features

The following features are no longer supported in ADS 26.1:

  • Deprecated endpoints

    • POST /asm-pdp/pdp (SOAP)
    • POST /asm-pdp/authorize (REST)
  • XML-based domain configuration

    Older ASM versions used XML domain files. ADS 26.1 requires domain files to be written in YAML and referenced under the domain: block.

    Note: While XML remains supported for ASM 6.2.x, it is considered a legacy format.

  • ASM as metrics backend

    ADS 26.1 does not allow ASM to serve as a metrics backend. This functionality is removed and observability is now managed using Spring Boot with support for Prometheus (pull), InfluxDB (push), and Azure Application Insights. If you relied on ASM for metrics, a transition to one of the supported backends is necessary.

  • Deprecated properties

    | Property | Status | Notes |
    |---|---|---|
    | legacyXmlConfig | Deprecated | Originally used for deprecated XML-based domains. |
    | metricsBackends | Deprecated | Replaced by management.metrics. |
    | authentication.type | Deprecated | Replaced by spring.security. |

Migration procedure

  1. Request a new license from Axiomatics Support.

    Note: Use the new axiomatics_ADS.license format.

  2. Place the license file in your deployment environment and reference it in deployment.yaml.

  3. Back up your current configuration and domain files.

    If you have an XML domain file, contact Axiomatics Customer Support to help with the conversion to YAML.

  4. Remove any deprecated features from your setup.

  5. ADS 1.x to 26.1 only: Convert your configuration to the new deployment.yaml structure using the Deployment configuration samples as a starting point.

    Important: If your deployment.yaml specifies default values for environment variables, make sure to remove any hyphens (-) appended to them as they're incompatible with 26.1.

  6. Install ADS 26.1 using the official installation instructions.

    Apply your YAML configuration and verify that the new license is detected at startup.

  7. Start ADS 26.1 and validate its behavior, including policy evaluation and the health and metrics endpoints.
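
A pre-migration check for steps 4 and 5, as an added example that is not Axiomatics code: it scans an existing deployment.yaml for the deprecated properties, unsupported logging keys, a flat logging level, disabled authentication and hyphenated environment defaults named in this guide. It assumes hyphenated defaults take the form ${NAME:-default} and that nested keys map to dotted property names; lint_deployment_yaml and the sample configuration are constructed for illustration.

```python
import re

REMOVED = {  # keys and paths this guide lists as deprecated or unsupported
    "legacyXmlConfig": "XML domains are gone; declare the domain under 'domain:'",
    "metricsBackends": "replaced by management.metrics",
    "authentication.type": "replaced by spring.security",
    "loggers": "use direct keys under logging.level",
    "appenders": "not supported; point logging.config at a Logback file",
    "timeZone": "not supported; point logging.config at a Logback file",
}
KEY_LINE = re.compile(r"^(\s*)([\w.]+)\s*:\s*(.*)$")


def lint_deployment_yaml(text):
    """Return (line_number, message) findings for a pre-26.1 deployment.yaml."""
    findings, stack = [], []  # stack: (indent, key) of the enclosing mappings
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # ignore YAML comments
        if re.search(r"\$\{\w+:-", line):  # assumed form: ${NAME:-default}
            findings.append((number, "environment default uses ':-'; drop the hyphen"))
        match = KEY_LINE.match(line)
        if not match:
            continue  # blank lines and list items carry no mapping key
        indent, key, value = len(match.group(1)), match.group(2), match.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        stack.append((indent, key))
        reason = REMOVED.get(key) or REMOVED.get(path)
        if reason:
            findings.append((number, f"{path}: {reason}"))
        elif path == "authentication.enabled" and value.lower() == "false":
            findings.append((number, f"{path}: false turns authentication off"))
        elif path == "logging.level" and value:
            findings.append((number, f"{path}: flat level; use logging.level.root"))
    return findings


# Constructed sample in a pre-26.1 style; not an actual ADS configuration.
OLD_CONFIG = """\
domain:
  path: ${DOMAIN_PATH:-/etc/ads/domain.yaml}
authentication:
  type: none
logging:
  level: INFO
  appenders: []
metricsBackends: []
"""
```

Calling lint_deployment_yaml(OLD_CONFIG) returns one finding per offending line; an empty list means none of the patterns above remain, not that the file is a valid 26.1 configuration.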

If you have questions or encounter issues during the migration, please contact Axiomatics Customer Support.