Release Info

Version number

7.6.0

Release date

XX.12.2024

Supported versions

  • 7.6.0

  • 7.5.1

  • 7.4.2

Supported platforms

Central Server

  • Ubuntu 22.04 LTS

  • Ubuntu 24.04 LTS

Configuration Proxy

  • Ubuntu 22.04 LTS

  • Ubuntu 24.04 LTS

Security Server

  • Ubuntu 22.04 LTS

  • Ubuntu 24.04 LTS

  • RHEL 8

  • RHEL 9

  • Docker

Official documentation

https://github.com/nordic-institute/X-Road/tree/master/doc

Source code

https://github.com/nordic-institute/X-Road/tree/master

Software license

MIT

Changes in This Release

Summary

  • Support for automatic renewal of authentication and sign certificates issued through ACME on the Security Server.

  • Support for sending e-mail notifications to Security Server administrators on automatic certificate renewals and failures.

  • Support for Elliptic Curve Cryptography (ECC) in data exchange and global configuration distribution.

  • Support for getting operational metrics on a REST service endpoint level, not just on a service level.

  • Add support for multiple languages in the Central Server and Security Server UIs.

  • Introduce improvements to various Security Server application logging outputs.

  • Remove support for Ubuntu 20.04 LTS and Red Hat Enterprise Linux (RHEL) 7 operating systems.

  • Minor enhancements and bug fixes based on user feedback.

Note

Because of the change in the PostgreSQL rpm packages, installing the Security Server on Red Hat Enterprise Linux (RHEL) requires installing PostgreSQL separately before installing the Security Server.

Completed Issues

Issue ID

Type

Summary

XRDDEV-2185

Improvement

Improve the information system TLS certificate table under subsystem internal servers in the Security Server to show the Subject Distinguished Name, Not Before and Not After fields from the certificate. Additionally, add support for sorting the table based on these fields.

XRDDEV-2536

Improvement

Introduce support for automatically renewing authentication and sign certificates issued by trusted CAs that support automated certificate management through ACME on the Security Server. Only certificates that were originally issued by a CA that supports ACME can be automatically renewed. Automatic renewal is enabled by default, and it can be disabled using the proxy-ui-api.acme-renewal-active system property.

The Security Server runs a certificate renewal job once an hour. The interval can be adjusted using the proxy-ui-api.acme-renewal-interval system parameter. The time when a certificate is ready for renewal is determined by the ACME server if the server supports the ACME ARI extension. Otherwise, the time is defined by the proxy-ui-api.acme-renewal-time-before-expiration-date system parameter which defaults to 14 days.

Please see the Security Server User Guide and the System Parameters User Guide for more detailed information about the feature.

Info

Certificates are renewed automatically, but they are not activated automatically: the administrator must activate them manually. The authentication certificate registration request, however, is sent automatically when an authentication certificate is renewed using ACME.

XRDDEV-2542

Improvement

Introduce option to enable logging the Common Name (CN) field of the client certificate used by a consumer information system to communicate with the Security Server proxy module. When the option is enabled, the CN field is written to the proxy log (/var/log/xroad/proxy.log).

Info

This option is disabled by default and can be enabled by setting the property log-client-cert to true under the [proxy] block in your system parameters.

XRDDEV-2567

Improvement

Add support for collecting operational monitoring data on the REST endpoint level. The endpoints are recorded as a combination of HTTP method and request path. For example, GET /api/v1/books and POST /api/v1/books are recorded as different endpoints.

Before the change, collecting operational monitoring data from REST services was only possible at the API level.

XRDDEV-2627

Fix

Bump all X-Road components to use Java 21.

XRDDEV-2652

Improvement

On the Central Server, add support for:

  1. Listing Security Servers where a member is registered as a non-owner member.

  2. Unregistering a non-owner member from a Security Server.

A list of Security Servers that are used by a member has been added to the Central Server's Member view.

XRDDEV-2656

Fix

Fix an issue that caused the Central Server to incorrectly show the initialization wizard when the signer process was stopped, even if the server had already been initialized.

XRDDEV-2659

Fix

Fix an issue that allowed deleting a disabled subsystem from the Security Server without needing to unregister the subsystem first.

XRDDEV-2665

Fix

Remove deprecated signer port 5558 from source code and documentation.

XRDDEV-2667

New

Introduce support for sending notification e-mails to member-specific contacts on Security Server when:

  • authentication certificate automatic renewal over ACME succeeded / failed

  • sign certificate automatic renewal over ACME succeeded / failed

  • authentication certificate registration succeeded.

Success and failure notifications can be turned on and off separately with the proxy-ui-api.acme-renewal-success-notification-enabled and proxy-ui-api.acme-renewal-failure-notification-enabled system properties. By default, both notifications are enabled. The authentication certificate registration notification is turned on and off with the proxy-ui-api.auth-cert-registered-notification-enabled system property. By default, the notification is enabled.

For the e-mail notifications to work, an external mail server needs to be configured in the /etc/xroad/conf.d/mail.yml file and the Security Server must be able to communicate with it. The configuration can be tested using the Security Server’s Diagnostics view that provides a feature for sending test e-mails.

Info

Information on how to configure the e-mail support is available in the Security Server user manual: https://github.com/nordic-institute/X-Road/blob/develop/doc/Manuals/ug-ss_x-road_6_security_server_user_guide.md#24-configuring-acme

Note

In version 7.5.x, member-specific contacts were defined in the /etc/xroad/conf.d/acme.yml configuration file. Starting from version 7.6.0, member-specific contacts are defined in the /etc/xroad/conf.d/mail.yml configuration file. Member-specific contacts are migrated automatically from /etc/xroad/conf.d/acme.yml to /etc/xroad/conf.d/mail.yml when upgrading the Security Server from version 7.5.x to version >= 7.6.x.

XRDDEV-2682

Fix

Fix an issue with the Security Server Sidecar that caused automatic backups to fail on Kubernetes without a manual configuration change by an administrator.

XRDDEV-2683

Fix

Fix an issue with the Security Server Sidecar that caused conflicting configuration values to be applied from country-specific meta packages. For example, in the Estonian flavor (-ee) of the Sidecar, access to the client proxy was allowed only from inside the container itself by default.

XRDDEV-2686

Improvement

Add support for including the proxy-ui-api module's access log in the STDOUT of the Security Server Sidecar.

XRDDEV-2687

Improvement

Add support for verifying and logging messages with non-batch signatures. X-Road 8 will support non-batch signatures and being able to verify and log them is required in X-Road 7 to be interoperable with X-Road 8.

XRDDEV-2692

Fix

Fix an issue with the Security Server Keys and Certificates view that caused visual duplications in the table element under certain circumstances.

XRDDEV-2693

Improvement

Improve Security Server and Central Server codebase to allow for different types of keys to be used instead of hardcoded RSA support.

XRDDEV-2694

Improvement

Add support for using Elliptic Curve Cryptography (ECC) in authentication and sign keys on the Security Server. RSA keys continue to be supported.

Info

EC key support covers ECDSA keys. EdDSA keys are not supported.

Info

NB! For backwards compatibility reasons, EC key support is disabled by default. For information regarding configuring EC key support and backwards compatibility considerations, please refer to the documentation available here: https://github.com/nordic-institute/X-Road/blob/develop/doc/Manuals/ug-ss_x-road_6_security_server_user_guide.md#25-migrating-to-ec-based-authentication-and-signing-certificates

XRDDEV-2695

Improvement

Add support for using Elliptic Curve Cryptography (ECC) in signing and verifying the global configuration. RSA keys continue to be supported.

Info

EC key support covers ECDSA keys. EdDSA keys are not supported.

Info

NB! For backwards compatibility reasons, EC key support is disabled by default. For information regarding configuring EC key support and backwards compatibility considerations, please refer to the documentation available here: https://github.com/nordic-institute/X-Road/blob/develop/doc/Manuals/ug-cs_x-road_6_central_server_user_guide.md#21-migrating-to-ec-based-configuration-signing-keys

XRDDEV-2697

Fix

Fix issues in the Security Server UI that caused unnecessary warnings in the browser console.

XRDDEV-2714

Improvement

Add support for including the output of the global configuration verification process in the STDOUT of the Security Server Sidecar.

XRDDEV-2718

Fix

Fix the following issues with the advanced database connection configuration options:

  • Database connection authentication keys stored under /etc/xroad/ssl/ had their file permissions incorrectly changed during the backup restoration process.

  • Backup restoration script connects only to the first node even if multiple nodes are defined in the connection string.

  • PGHOST parameter ignored during restore process.

XRDDEV-2723

Fix

Update the PKCS11 library to the latest version.

XRDDEV-2728

New

Add support for multiple languages in the Central Server and Security Server UIs. The user is able to select any of the available languages using the language menu available in the Central Server and Security Server UIs. However, this task doesn’t add support for any additional languages besides English.

XRDDEV-2729

Fix

Fix an issue that prevented deleting a subsystem that is both a consumer and producer on the same Security Server. Deleting the subsystem failed due to a database constraint.

XRDDEV-2731

Fix

Improve variable handling on the Security Server UI to preempt Client-Side Path Traversal (CSPT) attacks.

XRDDEV-2732

Fix

Disable listening to ACME HTTP challenges on port 4000 on the Security Server.

XRDDEV-2733

Fix

Harden request path validation on the Security Server for ACME HTTP challenges to preempt potential weaknesses in future implementation changes.

XRDDEV-2759

Fix

Fix an issue on the Security Server that caused the proxy-ui-api service not to be started automatically after a fresh metapackage install.

XRDDEV-2765

Fix

Rename two Configuration Client’s ([configuration-client]) system parameters to match the system parameter naming convention:

  • global_conf_tls_cert_verification -> global-conf-tls-cert-verification

  • global_conf_hostname_verification -> global-conf-hostname-verification

If the default values have been overridden in the /etc/xroad/conf.d/local.ini configuration file, they are migrated to the new format automatically during version upgrade.
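A post-upgrade check for the rename above, as an added example that is not part of the X-Road code base: it scans an INI override file such as /etc/xroad/conf.d/local.ini and lists any old-style [configuration-client] names that are still present. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not X-Road project code.
# Reads an X-Road INI override file (a file argument or stdin) and lists
# underscore-style [configuration-client] parameters that were renamed in 7.6.0.
# Exit status: 0 = none left, 1 = at least one legacy name still present.
find_legacy_params() {
    awk '
        # Section header: remember which section the following keys belong to.
        /^[ \t]*\[/ {
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        # Ignore blank lines and comments.
        /^[ \t]*([#;]|$)/ { next }
        section == "configuration-client" {
            key = $0
            sub(/[ \t]*=.*/, "", key)   # drop "= value"
            sub(/^[ \t]+/, "", key)     # drop leading indentation
            if (key == "global_conf_tls_cert_verification" ||
                key == "global_conf_hostname_verification") {
                new = key
                gsub(/_/, "-", new)
                printf "%s -> %s\n", key, new
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# Constructed sample: one parameter migrated, one still in the old format.
sample_local_ini() {
    cat <<'EOF'
[proxy]
log-client-cert = true

[configuration-client]
# override left behind from an older version
global_conf_tls_cert_verification = false
global-conf-hostname-verification = true
EOF
}

sample_local_ini | find_legacy_params || echo "legacy parameter names remain"
```

On a Security Server the same function can be pointed at the real file: `find_legacy_params /etc/xroad/conf.d/local.ini`.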

XRDDEV-2787

New

Add support for the Spanish language in the Central Server and Security Server UIs.

XRDDEV-2788

New

Add support for the Estonian language in the Security Server UI.

XRDDEV-2789

Fix

Fix an issue in the Security Server web UI where a large amount of data caused the service client selection to become unresponsive unless the view was filtered first.

XRDDEV-2794

Fix

A bug fix in the PostgreSQL rpm package causes the Security Server installation on RHEL to fail, because the /var/run/postgresql directory required by the postgresql service is created when yum install completes. While yum install is running, postgresql service can't be started and the Security Server installer is not able to initialize the Security Server databases. The solution is to install PostgreSQL before installing the Security Server.

The Security Server Installation Guide for RHEL has been updated accordingly.

Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).

New/Updated Dependencies

| Dependency | Old Version | New Version | Notes |
|---|---|---|---|
| metrics | 4.2.26 | 4.2.29 | |
| jetty | 12.0.7 | 12.0.14 | |
| hibernate | 6.5.2.Final | 6.6.2.Final | |
| mapstruct | 1.5.5.Final | 1.6.3 | |
| jackson | 2.17.1 | 2.18.2 | |
| spring-boot | 3.3.1 | 3.3.6 | |
| bouncycastle | 1.78.1 | 1.79 | |
| slf4j | 2.0.13 | 2.0.16 | |
| protoc | 3.25.3 | 4.29.0 | |
| gRPC | 1.64.0 | 1.68.2 | |
| swagger-parser | 2.1.22 | 2.1.24 | |
| logback | 1.4.14 | 1.5.12 | |
| logback-access | 1.4.14 | 2.0.3 | |
| apache-cxf | 4.0.4 | 4.0.5 | |
| spring-cloud-dependencies | 2023.0.2 | 2023.0.3 | |
| commons-compress | 1.26.2 | 1.27.1 | |
| commons-lang3 | 3.14.0 | 3.17.0 | |
| tika-core | 2.9.2 | 3.0.0 | |
| xmlsec | 4.0.2 | 4.0.3 | |
| httpclient5 | 5.3.1 | 5.4.1 | |
| commons-cli | 1.8.0 | 1.9.0 | |
| commons-codec | 1.17.0 | 1.17.1 | |
| commons-io | 2.16.1 | 2.18.0 | |
| postgresql | 42.7.3 | 42.7.4 | |
| liquibase-core | 4.28.0 | 4.30.0 | |
| feign-hc5 | 13.3 | 13.5 | |
| swagger-annotations | 2.2.22 | 2.2.26 | |
| awaitility | 4.2.1 | 4.2.2 | |
| hamcrest | 2.2 | 3.0 | |
| HikariCP | 5.1.0 | 6.2.1 | |
| quartz | 2.3.2 | 2.5.0 | |
| semver4j | 5.3.0 | 5.4.1 | |
| acme4j-client | 3.3.1 | 3.4.0 | |

Contributors

The following developers have contributed to the development of this release version. A contribution means at least one Git commit that is included in the release. The full list of contributors of different X-Road® versions is available here.

Other Notes

Package Repositories

Repository Sign Key Details

Download URL

https://artifactory.niis.org/api/gpg/key/public

Hash

935CC5E7FA5397B171749F80D6E3973B

Fingerprint

A01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B

3rd party key server

Ubuntu key server
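
One way to check a downloaded repository key against the fingerprint published above, as an added example that is not X-Road project code: the function reads gpg's machine-readable key listing and accepts it only if it holds exactly one primary key with the expected fingerprint. The function names and the sample listing are constructed; only the fingerprint and the download URL come from this page.

```sh
#!/bin/sh
# Added example, not X-Road project code.
# Reads `gpg --show-keys --with-colons` output on stdin and succeeds only if the
# input holds exactly one primary key whose fingerprint equals the expected one.
check_repo_key_fpr() {
    # Normalise the published form ("A01B FE41 ...") to bare upper-case hex.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { pubs++; in_primary = 1; next }
        $1 == "sub" { in_primary = 0; next }       # subkey fingerprints are ignored
        $1 == "fpr" && in_primary { primary = $10; in_primary = 0 }
        END {
            if (pubs != 1) {
                print "expected exactly one primary key, found " (pubs + 0)
                exit 1
            }
            if (primary != want) {
                print "fingerprint mismatch: " primary
                exit 1
            }
            print "fingerprint OK: " primary
        }
    '
}

# Constructed sample of the colon listing; only the fingerprint comes from the
# release notes, the remaining field values are made up.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:FB0D532C10F6EC5B:1500000000:::-:::scESC::::::23::0:
fpr:::::::::A01BFE41B9D8EAF4872FA3F1FB0D532C10F6EC5B:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Repository Key::::::::::0:
sub:-:4096:1:1111111111111111:1500000000::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
EOF
}

sample_listing | check_repo_key_fpr "A01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B"

# Real use (needs network access and a GnuPG that supports --show-keys):
#   curl -fsSL https://artifactory.niis.org/api/gpg/key/public \
#     | gpg --show-keys --with-colons \
#     | check_repo_key_fpr "A01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B"
```

Requiring exactly one primary key means a key file that bundles an extra, unexpected key is rejected even when the published key is also present.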

Packages

Jammy

Package

SHA256 checksum

Noble

Package

SHA256 checksum

RPM / RHEL8

Package

SHA256 checksum

RPM / RHEL9

Package

SHA256 checksum