Harmony eDelivery Access v1.1.0 Release Notes
Changes in This Release
Summary
- More automated Access Point and SMP installation and configuration process.
- Most of the changes affect new installations only. They're not applied on version upgrade.
- Support for version upgrades using package manager.
- Minor enhancements.
- Bug fixes.
Completed Issues
Issue ID | Type | Summary |
---|---|---|
NEDS-24 | Improvement | Add support for upgrading Access Point using package manager. The Access Point can be upgraded using the following commands:
    sudo apt update
    sudo apt upgrade
The "harmony-ap" service is automatically stopped for the upgrade and automatically restarted after the upgrade if the service has been enabled. Otherwise, the service must be manually restarted after the upgrade. If the "/opt/harmony-ap/bin/setenv.sh" file has been modified manually, the changes will be overwritten when upgrading from version 1.0.0 to 1.1.0. In future version upgrades, manual changes are not overwritten. |
NEDS-25 | Improvement | Add support for upgrading SMP using package manager. The SMP can be upgraded using the following commands:
    sudo apt update
    sudo apt upgrade
The "harmony-smp" service is automatically stopped for the upgrade and automatically restarted after the upgrade if the service has been enabled. Otherwise, the service must be manually restarted after the upgrade. If the "/opt/harmony-smp/bin/setenv.sh" file has been modified manually, the changes will be overwritten when upgrading from version 1.0.0 to 1.1.0. In future version upgrades, manual changes are not overwritten.
Fix invalid log file path that caused an exception to be logged during the SMP startup.
Create and configure content truststore "/etc/harmony-smp/smp-truststore.jks" during fresh installation. The content truststore is not automatically created on version upgrade. It can be created manually by following the steps below.
1. Add the content truststore filename to the system configuration.
    sudo mysql harmony_smp -e "INSERT INTO SMP_CONFIGURATION (PROPERTY, VALUE, CREATED_ON, LAST_UPDATED_ON) VALUES ('smp.truststore.filename', 'smp-truststore.jks', NOW(), NOW());"
2. Generate a password for the truststore.
    TRUSTSTOREPASS=$(openssl rand -base64 12)
3. Create the truststore with a mock certificate.
    sudo keytool -genkeypair -alias mock -keystore /etc/harmony-smp/smp-truststore.jks -storepass $TRUSTSTOREPASS -keypass $TRUSTSTOREPASS -dname "CN=mock" 2>/dev/null
4. Delete the mock certificate.
    sudo keytool -delete -alias mock -keystore /etc/harmony-smp/smp-truststore.jks -storepass $TRUSTSTOREPASS 2>/dev/null
5. Add the truststore password to the system configuration.
    sudo mysql harmony_smp -e "INSERT INTO SMP_CONFIGURATION (PROPERTY, VALUE, CREATED_ON, LAST_UPDATED_ON) VALUES ('smp.truststore.password', '{DEC}{$TRUSTSTOREPASS}', NOW(), NOW()) ON DUPLICATE KEY UPDATE VALUE='{DEC}{$TRUSTSTOREPASS}', LAST_UPDATED_ON=NOW();"
6. Restart the "harmony-smp" service.
    systemctl restart harmony-smp
|
NEDS-33 | New | Conduct European Commission eDelivery AS4 and SMP conformance testing for Access Point and SMP. The Access Point and SMP passed the conformance testing and are now listed as eDelivery conformant solutions: |
NEDS-71 | Improvement | Create and configure TLS truststore automatically during Access Point installation. The truststore is created during a fresh installation only. It is not created on version upgrade. Instructions for creating the TLS truststore manually are available here. |
NEDS-72 | Improvement | Configure one-way SSL automatically during Access Point installation. The configuration is created during a fresh installation only. It is not created on version upgrade. Instructions for doing the configuration manually are available here. |
NEDS-73 | Fix | Change Access Point sign and TLS key size from 3096 to 3072. The change affects new installations only. The key size is not changed on version upgrade. |
NEDS-74 | Fix | Change SMP sign and TLS key size from 3096 to 3072. The change affects new installations only. The key size is not changed on version upgrade. |
NEDS-75 | Improvement | Set the Access Point sign key alias automatically during the installation using a user defined value. The installation process prompts for the "Party Name" that is used as the sign key alias. The sign key alias is automatically configured during a fresh installation only. It is not configured during a version upgrade. Instructions for changing the sign key alias manually are available here. |
NEDS-76 | New | Add additional policies in the Access Point default configuration. Several eDelivery configuration examples include references to "doNothingPolicy.xml" and "signOnlyPolicy.xml" policy documents. Starting from version 1.1.0 the policies are included in the Access Point default configuration. The policies are located in the "/etc/harmony-ap/policies" directory. |
NEDS-79 | Improvement | Update Access Point error messages so that they don't disclose excessive or sensitive information. |
NEDS-80 | Improvement | Update SMP error messages so that they don't disclose excessive or sensitive information. |
NEDS-81 | Improvement | Make the Access Point dynamic discovery client use the Access Point's TLS truststore instead of the system's default truststore. When Dynamic Discovery is used, the SMP's TLS certificate must be imported to the Access Point truststore. Before the change, the SMP's TLS certificate had to be imported to the system's default truststore. The change is applied automatically to fresh installations only. In existing installations, the configuration change must be done manually.
/opt/harmony-ap/bin/setenv.sh
    #!/bin/sh
    export JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources \
    -Ddomibus.config.location=/etc/harmony-ap -Ddomibus.work.location=/opt/harmony-ap/work \
    -Djavax.net.ssl.trustStore=/etc/harmony-ap/tls-truststore.jks -Djavax.net.ssl.trustStorePassword=<tls_truststore_password>"
|
NEDS-82 | Improvement | Create and configure TLS truststore "/etc/harmony-smp/tls-truststore.jks" during fresh SMP installation. The TLS truststore is not automatically created on version upgrade. It can be created manually by following the steps below.
1. First, complete the version upgrade from version 1.0.0 to 1.1.0.
2. Generate a password for the truststore.
    TLSTRUSTSTOREPASS=$(openssl rand -base64 12)
3. Export the SMP's own TLS certificate. Remember to update the "<tls_keystore_password>" placeholder with the password of the TLS keystore. The password can be found in the "/etc/harmony-smp/tomcat-conf/server.xml" file.
    sudo keytool -export -alias selfsigned -file /etc/harmony-smp/selfsigned.cer -keystore /etc/harmony-smp/tls-keystore.jks -storepass <tls_keystore_password> 2>/dev/null
4. Create the truststore with the exported certificate.
    sudo keytool -import -noprompt -alias selfsigned -file /etc/harmony-smp/selfsigned.cer -keystore /etc/harmony-smp/tls-truststore.jks -storepass $TLSTRUSTSTOREPASS 2>/dev/null
5. Delete the exported certificate file.
    rm -f /etc/harmony-smp/selfsigned.cer
6. Update the "/etc/harmony-smp/tomcat-conf/server.xml" configuration file and add the "truststoreFile" and "truststorePass" properties to the "Connector" element (lines 7 and 8). After the change, the element should look like this:
/etc/harmony-smp/tomcat-conf/server.xml
    <Connector SSLEnabled="true"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      port="8443" maxThreads="200"
      scheme="https" secure="true"
      keystoreFile="/etc/harmony-smp/tls-keystore.jks"
      keystorePass="{{tls_keystore_password}}"
      truststoreFile="/etc/harmony-smp/tls-truststore.jks"
      truststorePass="{{tls_truststore_password}}"
      clientAuth="false" sslProtocol="TLS" />
7. Update the "/opt/harmony-smp/bin/setenv.sh" configuration file, and add "javax.net.ssl.trustStore" and "javax.net.ssl.trustStorePassword" properties to the configuration. After the change, the configuration file should look like this:
/opt/harmony-smp/bin/setenv.sh
    #!/bin/sh
    export CLASSPATH=/etc/harmony-smp
    export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/etc/harmony-smp/tls-truststore.jks \
    -Djavax.net.ssl.trustStorePassword={{tls_truststore_password}}"
8. Restart the "harmony-smp" service.
    systemctl restart harmony-smp
|
NEDS-85 | New | Create a changelog document. The changelog document contains a list of changes in each Harmony eDelivery Access version. It's available on GitHub and in the Access Point ("/usr/share/doc/harmony-ap/") and SMP ("/usr/share/doc/harmony-smp/") Debian packages. |
Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).
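Because NEDS-25, NEDS-71, NEDS-81 and NEDS-82 are applied on fresh installation only, an upgraded 1.0.0 host can be left without its truststores or with the template placeholders still in place. The script below is an added example, not part of the Harmony packages; it checks the files and properties named in those issues, and `ROOT` is a hypothetical path prefix that lets it run against a copy of the configuration.

```shell
#!/bin/sh
# Added example, not shipped with Harmony eDelivery Access. Paths and property
# names come from the release notes; ROOT is a hypothetical prefix ("" = live system).

FAIL=0
finding() { echo "$1"; FAIL=1; }

# need_file ISSUE PATH: the truststore must exist and be non-empty.
need_file() {
  [ -s "$ROOT$2" ] || finding "$1: $2 is missing"
}

# need_opt ISSUE FILE KEY: FILE must set KEY to a real value, not to one of the
# placeholders used in the release notes (<...> or {{...}}).
need_opt() {
  if [ ! -r "$ROOT$2" ]; then finding "$1: cannot read $2"; return; fi
  line=$(grep -F -- "$3=" "$ROOT$2" | head -n 1)
  rest=${line#*"$3="}      # text that follows KEY= (empty when KEY is absent)
  rest=${rest#\"}          # drop the opening quote used in server.xml
  case $rest in
    "")          finding "$1: $3 is not set in $2" ;;
    "<"*|"{{"*)  finding "$1: $3 in $2 still holds a placeholder" ;;
  esac
}

# audit_upgrade ROOT: prints one line per finding, returns 1 if there are any.
audit_upgrade() {
  ROOT=$1; FAIL=0
  # NEDS-71 / NEDS-81: Access Point TLS truststore and JVM options
  need_file NEDS-71 /etc/harmony-ap/tls-truststore.jks
  need_opt  NEDS-81 /opt/harmony-ap/bin/setenv.sh -Djavax.net.ssl.trustStore
  need_opt  NEDS-81 /opt/harmony-ap/bin/setenv.sh -Djavax.net.ssl.trustStorePassword
  # NEDS-25: SMP content truststore (the SMP_CONFIGURATION rows are not checked here)
  need_file NEDS-25 /etc/harmony-smp/smp-truststore.jks
  # NEDS-82: SMP TLS truststore, Tomcat connector and JVM options
  need_file NEDS-82 /etc/harmony-smp/tls-truststore.jks
  need_opt  NEDS-82 /etc/harmony-smp/tomcat-conf/server.xml truststoreFile
  need_opt  NEDS-82 /etc/harmony-smp/tomcat-conf/server.xml truststorePass
  need_opt  NEDS-82 /opt/harmony-smp/bin/setenv.sh -Djavax.net.ssl.trustStore
  need_opt  NEDS-82 /opt/harmony-smp/bin/setenv.sh -Djavax.net.ssl.trustStorePassword
  return $FAIL
}
```

Call `audit_upgrade ""` with enough privilege to read the configuration files; each output line names the issue whose manual steps are still open.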
New/Updated Dependencies
-
Contributors
The following developers have contributed to the development of this release version. A contribution means at least one Git commit that is included in the release.
Other Notes
Package Repositories
Repository | URL |
---|---|
Focal | deb https://artifactory.niis.org/harmony-release-deb focal-current main |
Repository Sign Key Details
Download URL | https://artifactory.niis.org/api/gpg/key/public |
---|---|
Hash | 935CC5E7FA5397B171749F80D6E3973B |
Fingerprint | A01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B |
3rd party key server | Ubuntu key server |
Packages
Focal
Package | SHA256 checksum |
---|---|
harmony-ap_1.1.0-0.ubuntu20.04_all.deb | c2c4f067e7c8a216c52e9d6fa8ff6808e8647044ff65e810a7f7f45d099dbc9f |
harmony-smp_1.1.0-0.ubuntu20.04_all.deb | aba495cad5b8fed0bad9257e1e02db72c42db01d9eaebceed865ea553be8b224 |