Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Release Info

Version number6.22.0
Release date23.10.2019
Supported versions
  • 6.22.0
  • 6.21.2
  • 6.20.2
Supported platforms

Central Server

  • Ubuntu 18.04 LTS

Configuration Proxy

  • Ubuntu 18.04 LTS

Security Server

  • Ubuntu 18.04 LTS
  • RHEL 7
Official documentation
Source code
Software licenseMIT

titleOn this page:

Table of Contents

Changes in This Release


  • Support for publishing REST services to X-Road using OpenAPI 3 descriptions and support for more fine grained access rights managements of REST services.

    • Support for invoking meta service using REST clients. Responses are returned in JSON.

  • Better support for running Security Server on cloud platforms enables use of different cloud services together with Security Server.

    • Cloud services can be used to reduce administrative tasks of operating Security Server, optimise infrastructure costs and increase availability.

  • Support for changing the Security Server owner member after the initial configuration of the Security Server is added. (new)

    • In case the member code of an X-Road member changes, it is possible to change the owner of the existing Security Servers owned by the member without downtime or service breaks.

Completed Issues


Access to the X-Road Backlog and issue details requires signing up for an account. Sign up now and get access to the backlog and issue details immediately.

Issue IDTypeSummary

Add automatic backups on Central Server and Security Server. By default, automatic backups are run once a day and they are automatically removed after 30 days. Retention period and backup execution interval and schedule are configurable by administrators. It is also possible to exclude the database from backups and include configuration files only. If needed, the automatic backup policies can be adjusted by editing /etc/cron.d/xroad-center (Central Server) or /etc/cron.d/xroad-proxy (Security Server) file.

XRDDEV-140NewAdd support for configuring specific slots on HSM devices for the Security Server to use. It is possible to define the slots to be used in the devices.ini configuration file. The configuration is HSM device specific. If specific slots are not defined, all all available slots are scanned when a key is accessed. When specific slots are defined, only the defined slots are accessed. The slots to be used are defined using slot ids.
XRDDEV-384FixUpdate Hibernate dependency from version 5.1.17 to 5.3.10.

Change Security Server service client's default connection type from HTTP to HTTPS. After the change mutual TLS authentication is used by default in the connections between a Security Server and a client information system.

The change affects only clients that are added using a Security Server version >= 6.22.0. Existing clients are not affected. New clients must either upload a certificate or change the connection type before they can be used for consuming services.

XRDDEV-450NewPublish Central Server Docker image on DockerHub.
XRDDEV-456ImprovementAdd support for injecting pin to the autologin extension via environment variable to Security Server Docker container.

Add REST/JSON support to "listClients" metaservice. It is possible to define the response content-type of "listClients" metaservice using the HTTP Accept header. When Accept header's value is set to "application/json" the response is returned in JSON. Otherwise the response is returned in XML.

More information can be found in the Service Metadata Protocol for REST.


Add REST/JSON metaservice "listMethods". The metaservice returns in JSON a list of all REST APIs offered by a service provider. SOAP services offered by the same service provider are excluded from the response. Likewise, the SOAP version of the "listMethods" metaservice returns only SOAP services offered by a service provider. Before version 6.22.0 the SOAP version of the "listMethods" metaservice returned also REST APIs offered by the same service provider.

More information can be found in the Service Metadata Protocol for REST.


Add REST/JSON metaservice "listMethodsallowedMethods". The metaservice returns in JSON a list of all REST services offered by a service provider that the caller has permission to invoke. SOAP services that the caller has permission to invoke offered by the same service provider are excluded from the response. Likewise, the SOAP version of the "listMethods" metaservice returns only SOAP services that the caller has permission to invoke offered by a service provider. Before version 6.22.0 the SOAP version of the "listMethods" metaservice returned also REST APIs that the caller has permission to invoke offered by the same service provider.

More information can be found in the Service Metadata Protocol for REST.


Add REST metaservice "getOpenAPI". The metaservice returns the OpenAPI 3 service description of a REST API. The returned service description is returned using the original content-type in which it has been published - JSON or YAML. The Accept header value set by the client is ignored as the Security Server does not support conversions between different content-types. Publishing an OpenAPI description for REST APIs is not mandatory. An error message is returned in case a service description is not available.

Security Server does not store the OpenAPI description locally. It is fetched from the original source over HTTP(S) every time when "getOpenApi" metaservice is invoked.

More information can be found in the Service Metadata Protocol for REST.

XRDDEV-468NewAdd support for importing a REST API using an OpenAPI 3 service description. The OpenAPI 3 description is read from the given URL and the endpoints defined in the description are stored locally on the Security Server. The OpenAPI 3 description must be well formed and both JSON and YAML formats are supported. Publishing an OpenAPI description for REST APIs is optional.

Implement Security Server time-stamping recovery algorithm during TSA service breaks.

The algorithm implements a fixed retry delay for the time-stamper when fetching time-stamps fails - after failing to fetch time-stamps the time-stamper waits for the defined time period before trying again. This is repeated until fetching time-stamps succeeds. After successfully fetching a time-stamp, the time-stamper returns to normal time-stamping schedule.

Before the version 6.22.0 the Security Server continued to follow the regular time-stamping schedule during TSA service breaks. In case the regular time-stamping interval was long, the recovery took a long time too and requests to be time-stamped accumulated. The recovery algorithm prevents this from happening.

Fixed schedule is defined by "timestamp-retry-delay" system parameter (default: 60 s) that can be overridden in local.ini and country specific meta packages.

XRDDEV-476NewCreate a new X-Road Security Architecture (ARC-SEC) document.
XRDDEV-501FixFix a problem that causes time-stamping to fail when test TSA is used on an Ubuntu 18 host.
XRDDEV-506FixFix recording of outgoing request ("request_out_ts") and incoming response ("response_in_ts") timestamp values for REST messages by operational monitoring. Set request attachment count and response attachment count always to zero for REST messages.

Set operational monitoring "succeeded" field's value for REST messages based on REST service response HTTP status code:

  • 1xx, 2xx, 3xx => succeeded=true
  • 4xx, 5xx => succeeded=false

Add new field to operational monitoring for storing REST and SOAP services' HTTP response status code.

XRDDEV-508ImprovementUpdate Ubuntu 18 installation instructions and package dependencies.
XRDDEV-517FixUpdate third-party Java libraries to the latest version. Changes in the dependencies are documented here.

Fix error when adding a WSDL with a newer version of an existing service.

In version 6.21.0 adding a WSDL containing a newer version of an existing service returned "Service code already exists." error message, and adding the WSDL failed.

XRDDEV-538FixIncrease the default metaspace allocation for "xroad-proxy" component from 80 MB to 128 MB.
XRDDEV-540FixFix Central Server and Security Server installation failure when Active Directory is used for access management.
XRDDEV-547ImprovementAdd support for using an external database instead of a local database running on Security Server. Starting from version 6.22.0 it is possible to configure database connection details during Security Server installation. By default, local database is assumed during installation.

Implement a new management service that enables changing a Security Server's owner after the initial configuration. By default, Security Server owner change requests must be manually approved by the X-Road operator. Automatic approval can be enabled adding the below configuration in "/etc/xroad/conf.d/local.ini" on Central Server:

Code Block

N.B.! To enable this feature after upgrading to version 6.22.0 from an older X-Road version, "managementservices.wsdl" must be refreshed on Central Server's Security Server, and "Security Server owners" global group must be granted access to the new "ownerChange" service.

XRDDEV-561NewImplement management of the Security Server owner change requests in the Central Server UI. If automatic approval of Security Server owner change requests is disabled, the requests must be approved manually in Management Requests section of the Central Server UI. However, the complementary Security Server owner change request is created on the Central Server automatically even if automatic approval is disabled.

Add support for changing Security Server owner to the Security Server. It is possible to change the Security Server owner after the initial configuration without reinstalling and configuring the whole Security Server. Changing Security Server owner requires that first another member is registered on the Security Server, and then the ownership is transferred from the current owner member to the newly registered member. Changing the owner does not cause a service break to the Security Server.

In case the authentication certificate of the Security Server contains owner specific information, it is advised to renew the certificate once the owner has been changed. Technically, the old certificates continues to work with the new owner even if it was issued to the previous owner. Administratively, the authentication certificate should be always issued to the present owner of the Security Server.

In case the previous owner has registered subsystems on the Security Server, they are not affected by the owner change.

N.B.! Old backups taken before the owner change cannot be restored once the owner is changed. An attempt to restore an old backup results an error message. It is recommended to take a manual backup once the owner change has been successfully completed.

XRDDEV-571FixFix problem with REST messages and messagelog when AWS RDS (Amazon Web Services Relational Database Service) is used as an external database. After the fix Security Server is compatible with AWS RDS.
XRDDEV-573NewUpdate Security Server data model to support for more fine-grained authorization of REST APIs.
XRDDEV-574FixFix an "undefined method" error returned by the Security Server when a WSDL is refreshed and a previously existed service has been removed.

Add operational monitoring package as required for the installation of Finnish Security Server meta package ("xroad-securityserver-fi"). Starting from version 6.22.0 installing the Finnish meta package automatically installs the operational monitoring package.

N.B.! Existing Security Server installations must upgrade version and reinstall "xroad-securityserver-fi" meta package to enforce the installation of the operational monitoring package.


Update Security Server to use more fine-grained authorization rules for REST APIs when incoming requests are processed.


Update the Security Server UI to support the management of more fine-grained authorization of REST APIs. Starting from version 6.22.0 the authorization of REST APIs can be done on two different levels:

  • REST API (service code) level authorization – grant access to all endpoints under a REST API.
  • Endpoint (path + method) level authorization. Endpoints can be imported from OpenAPI specification or created manually.

If authorization is defined on REST API level, it applies to all the endpoints under the API. It is not possible to grant access on API level and then deny access to specific endpoint(s). In case an API consists of multiple endpoints and access needs to be granted to only some of them, endpoint level authorization should be used.

If OpenAPI description is provided, Security Server imports all the endpoints defined in the service description automatically. In addition, endpoints can be added manually. Manually added endpoints can be edited and removed, but endpoints imported from an OpenAPI definition are read-only. Changing them must be done updating the OpenAPI definition and then refreshing it in the Security Server UI.

XRDDEV-592ImprovementUpdate Security Server log file permissions to follow the least privilege principle. Remove write permissions from group. Changes are applied to new installations and existing installations on upgrades.
XRDDEV-593ImprovementAdd support for registering another member on Security Server. Starting from version 6.22.0 it is possible to register two members on a Security Server. The feature is needed only when the owner of the Security Server must be changed. This is feature is used to register the new owner member on the Security Server before the owner change.
XRDDEV-610FixCheck the memory usage of different X-Road components and increase the memory allocation if needed.
XRDDEV-612ImprovementRefactor Security Server fine-grained authorization.
XRDDEV-615NewStore REST API endpoints read from an OpenAPI 3 service description in the Security Server's serverconf database.
XRDDEV-622NewAdd Iceland's certificate profile implementation that supports the certificate profile used in the Icelandic X-Road environment. Enables cross-border data exchange between Iceland and countries using the already existing certificate profiles.
XRDDEV-636FixUpdate third-party Java libraries with known vulnerabilities. Changes in the dependencies are documented here.
XRDDEV-648ImprovementBy default, on RHEL7 xroad-proxy listens for consumer information system connections on ports 8080 (HTTP) and 8443 (HTTPS). Update the Security Server Installation Guide for RHEL7 and add instructions how to use standard HTTP(S) ports 80 and 443.
XRDDEV-649FixRemove support for Ubuntu 14.04 LTS. Ubuntu 14.04 LTS reached its end-of-life (EoL) in April 2019 and therefore, it does not receive maintenance updates anymore. Starting from X-Road 6.22.0 Ubuntu 14.04 is not supported anymore and therefore, Ubuntu 14.04 LTS packaging is removed.
XRDDEV-652ImprovementAdd new configuration option to Ansible script for defining extra locales on Ubuntu hosts. It is possible to install country specific locales on Ubuntu hosts using the new "extra_locales" Ansible configuration option.
XRDDEV-666ImprovementUpdate Ansible scripts and add support for installing the Security Server using a remote database.
XRDDEV-670ImprovementUpdate the Security Server User Guide and add instructions how to migrate the Security Server from a local database to a remote database.
XRDDEV-692FixUpdate Jackson Databind dependency to the latest version.
XRDDEV-698FixFix a problem causing the Security Server installation to fail in a Docker container.
XRDDEV-714FixFix a security vulnerability reported by SonarQube.
XRDDEV-716FixUpdate Bouncy Castle dependency to the latest version.
XRDDEV-717FixFix a problem causing Security Server's internal TLS key generation and importing internal TLS certificate to fail.
XRDSD-94FixMake reading configuration from configuration files more fault tolerant. Clean up additional whitespace characters between comma separated configuration parameters.

Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).

New/Updated Dependencies

Changes in dependencies are documented here.

Other Notes

Package Repositories

deb bionic-<version> main

Repository Sign Key Details

Download URL
FingerprintA01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B
3rd party key serverSKS key servers




SHA256 checksum

















































SHA256 checksum