Changes in This Release
Summary
Support for automatic renewal of authentication and sign certificates issued through ACME on the Security Server.
Support for sending e-mail notifications to Security Server administrators on automatic certificate renewals and failures.
Support for Elliptic Curve Cryptography (ECC) in data exchange and global configuration distribution.
Support for getting operational metrics on a REST service endpoint level, not just on a service level.
Add support for multiple languages in the Central Server and Security Server UIs.
Introduce improvements to various Security Server application logging outputs.
Remove support for Ubuntu 20.04 LTS and Red Hat Enterprise Linux (RHEL) 7 operating systems.
Minor enhancements and bug fixes based on user feedback.
Note |
---|
Because of the change in the PostgreSQL rpm packages, installing the Security Server on Red Hat Enterprise Linux (RHEL) requires installing PostgreSQL separately before installing the Security Server. |
Completed Issues
Issue ID | Type | Summary | ||||
---|---|---|---|---|---|---|
Improvement | Improve the information system TLS certificate table under subsystem internal servers in the Security Server to show the Subject Distinguished Name, Not Before and Not After fields from the certificate. Also add support for sorting the table by these fields. | |||||
Improvement | Introduce support for automatically renewing authentication and sign certificates issued by trusted CAs that support automated certificate management through ACME on the Security Server. Only certificates that have been originally issued by a CA that supports ACME can be automatically renewed. Automatic renewal is enabled by default and it can be disabled using the The Security Server runs a certificate renewal job once an hour. The interval can be adjusted using the Please see the Security Server User Guide and the System Parameters User Guide for more detailed information about the feature.
| |||||
Improvement | Introduce option to enable logging the Common Name (
| |||||
Improvement | Add support for collecting operational monitoring data on REST endpoint level. The endpoints are recorded as a combination of HTTP method and request path, for example, Before the change, collecting operational monitoring data from REST services was only possible from API level. | |||||
Fix | Bump all X-Road components to use Java 21. | |||||
Improvement | On the Central Server, add support for:
A list of Security Servers that are used by a member has been added to the Central Server's Member view. | |||||
Fix | Fix an issue that caused the Central Server to incorrectly show the initialization wizard when the signer process was stopped, even if the server had already been initialized. | |||||
Fix | Fix an issue that allowed deleting a disabled subsystem from the Security Server without needing to unregister the subsystem first. | |||||
Fix | Remove deprecated signer port | |||||
New | Introduce support for sending notification e-mails to member-specific contacts on Security Server when:
Success and failure notifications can be turned on and off separately with the For the e-mail notifications to work, an external mail server needs to be configured in the
| |||||
Fix | Fix an issue with the Security Server Sidecar that caused automatic backups to fail on Kubernetes without a manual configuration change by an administrator. | |||||
Fix | Fix an issue with the Security Server Sidecar that caused conflicting configuration values to be applied from country-specific meta packages. For example, in the Estonian flavor ( | |||||
Improvement | Add support for including the | |||||
Improvement | Add support for verifying and logging messages with non-batch signatures. X-Road 8 will support non-batch signatures and being able to verify and log them is required in X-Road 7 to be interoperable with X-Road 8. | |||||
Fix | Fix an issue with the Security Server Keys and Certificates view that caused visual duplications in the table element under certain circumstances. | |||||
Improvement | Improve Security Server and Central Server codebase to allow for different types of keys to be used instead of hardcoded RSA support. | |||||
Improvement | Add support for using Elliptic Curve Cryptography (ECC) in authentication and sign keys on the Security Server. RSA keys continue to be supported.
| |||||
Improvement | Add support for using Elliptic Curve Cryptography (ECC) in signing and verifying the global configuration. RSA keys continue to be supported.
| |||||
Fix | Fix issues in the Security Server UI that caused unnecessary warnings in the browser console. | |||||
Improvement | Add support for including the output of the global configuration verification process in the | |||||
Fix | Fix the following issues with the advanced database connection configuration options:
| |||||
Fix | Update the PKCS11 library to the latest version. | |||||
New | Add support for multiple languages in the Central Server and Security Server UIs. The user is able to select any of the available languages using the language menu available in the Central Server and Security Server UIs. However, this task doesn’t add support for any additional languages besides English. | |||||
Fix | Fix an issue that prevented deleting a subsystem that is both a consumer and producer on the same Security Server. Deleting the subsystem failed due to a database constraint. | |||||
Fix | Improve variable handling on the Security Server UI to preempt Client-Side Path Traversal (CSPT) attacks. | |||||
Fix | Disable listening to ACME HTTP challenges on port | |||||
Fix | Harden request path validation on the Security Server for ACME HTTP challenges to preempt potential weaknesses in future implementation changes. | |||||
Fix | Fix an issue on the Security Server that caused the | |||||
Fix | Rename two Configuration Client’s (
If the default values have been overridden in the | |||||
New | Add support for the Spanish language in the Central Server and Security Server UIs. | |||||
New | Add support for the Estonian language in the Security Server UI. | |||||
Fix | Fix an issue in the Security Server web UI where a large amount of data caused the service client selection to become unresponsive unless the view was filtered first. | |||||
Fix | A bug fix in the PostgreSQL rpm package causes the Security Server installation on RHEL to fail, because the The Security Server Installation Guide for RHEL has been updated accordingly. |
Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).
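The two ACME HTTP challenge fixes listed above concern which request paths the Security Server answers. As an added illustration (not X-Road's code), this Python sketch validates an HTTP-01 request target against the fixed path and token alphabet defined in RFC 8555 section 8.3 and answers only from an in-memory map. The function names, the upper token length bound and the sample data are assumptions.

```python
import re

# RFC 8555 section 8.3: HTTP-01 responses live under this fixed path and the
# token uses only the base64url alphabet. 128 bits of entropy needs at least
# 22 base64url characters; the upper bound of 128 is an assumption here.
CHALLENGE_RE = re.compile(r"/\.well-known/acme-challenge/([A-Za-z0-9_-]{22,128})")


def challenge_token(method, request_target):
    """Return the token for a well-formed HTTP-01 fetch, otherwise None.

    The raw request target is matched as-is, before any percent-decoding or
    path normalisation, so encoded separators, dot segments, query strings
    and trailing data fail the allowlist instead of being resolved.
    """
    if method != "GET" or not isinstance(request_target, str):
        return None
    match = CHALLENGE_RE.fullmatch(request_target)
    return match.group(1) if match else None


def respond(method, request_target, pending):
    """Answer from an in-memory map of token -> key authorization.

    Nothing is read from disk, so the path can never select a file.
    """
    token = challenge_token(method, request_target)
    key_authorization = pending.get(token) if token else None
    if key_authorization is None:
        return 404, ""
    return 200, key_authorization


# Constructed sample data: the token and key authorization are made up.
TOKEN = "Zk3pQ8vN1xR7tB2mW6yH4cJ9sL0aD5fG-uE_oTiKqXw"
PENDING = {TOKEN: TOKEN + ".constructed-account-key-thumbprint"}
PREFIX = "/.well-known/acme-challenge/"
SAMPLES = [
    ("GET", PREFIX + TOKEN),                   # valid, pending challenge
    ("POST", PREFIX + TOKEN),                  # wrong method
    ("GET", PREFIX + "../../secret"),          # dot segments
    ("GET", PREFIX + TOKEN + "%2F..%2Fconf"),  # encoded separator
    ("GET", PREFIX + TOKEN + "?x=1"),          # query string
    ("GET", PREFIX + "A" * 43),                # well-formed but unknown token
]

if __name__ == "__main__":
    for method, target in SAMPLES:
        print(respond(method, target, PENDING)[0], method, target)
```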
New/Updated Dependencies
Dependency | Old Version | New Version | Notes |
---|---|---|---|
metrics | 4.2.26 | 4.2.29 | |
jetty | 12.0.7 | 12.0.14 | |
hibernate | 6.5.2.Final | 6.6.2.Final | |
mapstruct | 1.5.5.Final | 1.6.3 | |
jackson | 2.17.1 | 2.18.2 | |
spring-boot | 3.3.1 | 3.3.6 | |
bouncycastle | 1.78.1 | 1.79 | |
slf4j | 2.0.13 | 2.0.16 | |
protoc | 3.25.3 | 4.29.0 | |
gRPC | 1.64.0 | 1.68.2 | |
swagger-parser | 2.1.22 | 2.1.24 | |
logback | 1.4.14 | 1.5.12 | |
logback-access | 1.4.14 | 2.0.3 | |
apache-cxf | 4.0.4 | 4.0.5 | |
spring-cloud-dependencies | 2023.0.2 | 2023.0.3 | |
commons-compress | 1.26.2 | 1.27.1 | |
commons-lang3 | 3.14.0 | 3.17.0 | |
tika-core | 2.9.2 | 3.0.0 | |
xmlsec | 4.0.2 | 4.0.3 | |
httpclient5 | 5.3.1 | 5.4.1 | |
commons-cli | 1.8.0 | 1.9.0 | |
commons-codec | 1.17.0 | 1.17.1 | |
commons-io | 2.16.1 | 2.18.0 | |
postgresql | 42.7.3 | 42.7.4 | |
liquibase-core | 4.28.0 | 4.30.0 | |
feign-hc5 | 13.3 | 13.5 | |
swagger-annotations | 2.2.22 | 2.2.26 | |
awaitility | 4.2.1 | 4.2.2 | |
hamcrest | 2.2 | 3.0 | |
HikariCP | 5.1.0 | 6.2.1 | |
quartz | 2.3.2 | 2.5.0 | |
semver4j | 5.3.0 | 5.4.1 | |
acme4j-client | 3.3.1 | 3.4.0 |
Contributors
The following developers have contributed to the development of this release version. A contribution means at least one Git commit that is included in the release. The full list of contributors of different X-Road® versions is available here.
Other Notes
Package Repositories
Repository | URL |
---|---|
Jammy | deb https://artifactory.niis.org/xroad-release-deb jammy-7.5.0 main |
Noble | deb https://artifactory.niis.org/xroad-release-deb noble-7.5.0 main |
RPM / RHEL8 | https://artifactory.niis.org/xroad-release-rpm/rhel/8/7.5.0/ |
RPM / RHEL9 | https://artifactory.niis.org/xroad-release-rpm/rhel/9/7.5.0/ |
Docker |
Repository Sign Key Details
Download URL | |
---|---|
Hash | 935CC5E7FA5397B171749F80D6E3973B |
Fingerprint | A01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B |
3rd party key server |