2025-06-18

Date and Location

Jun 18, 2025 at 15:00-16:00 (EEST, UTC+3)

Location: Microsoft Teams

Attendees

  • Petteri Kivimäki (NIIS)

  • Raido Kaju (NIIS)

  • Dante Moreno

  • Jan Wallenius

Discussion items

#

Item

Notes

1

Summary of development activities

Summary of ongoing development activities.

2

X-Road 8 status update

The X-Road 8 status update from the first half of 2025 has been published on the NIIS website. Here’s the latest status update since the last X-Road Community Expert Group meeting:

  • Start working on UI changes - update the Central Server and Security Server UIs based on the X-Road 8 visual style guide.

    • The aim is to limit the changes on the UI layer so that the REST management API doesn't need to be changed.

  • Continue working on signer refactoring.

    • Move configuration from the keyconf.xml configuration file to the database.

    • At least 30% of the signer code has been changed so far - more changes are still expected.

    • The new implementation will be more streamlined and easier to maintain.

  • Introduce database-based admin UI authentication for containerised deployment.

    • Implementing the required management features for users and roles in the admin UI is still a work in progress.

    • Native deployments continue to use PAM while containerised deployments use database-based authentication.

    • In later X-Road 8 minor versions database-based authentication can be expanded to native deployments too.

    • Native deployments are not moved to database-based authentication immediately because PAM also supports external centralised authentication sources (e.g., LDAP and FreeIPA), and providing the same level of support with database-based authentication makes the implementation a lot more complicated.

  • Move backup/restore-related logic to a new Backup Manager module.

    • The module is present in all deployment types (native, containerised), but the implementation of different operations (e.g., backup, restore) varies between the deployment types.

    • The module exposes gRPC endpoints for the Admin UI module to trigger backup/restore processes.

    • The automatic backup job is moved from the Configuration Client module to the new Backup Manager module.

    • Also, gpg key generation will be moved from proxy packages into the new Backup Manager module.

    • The Central Server global configuration sign keys (that are included in the global configuration files) will be stored in the Security Server's database (and not only in the global configuration files on the filesystem) so that it's not necessary to include the global configuration files in the backup anymore.

3

Diagnostics improvements

We looked at options for improving diagnostics on the Security Server to help administrators assess whether connections to the Central Server, Management Services and other Security Servers are working as expected. The plan moving forward is to implement the following changes for version 7.8.0.

Central Server

  • Global Configuration

    • Split up current error statuses to give more detailed information regarding the actual failure cause

    • Provide additional information for the global configuration in the diagnostics page:

      • Last successfully downloaded URL(s)

      • Version of the downloaded global configuration

  • TSA

    • Split up current error statuses to give more detailed information regarding the actual failure cause

    • Review potentially redundant error cases that are not actually used

  • Additional connection check options for global configuration and authentication certificate registration services

    • Add an endpoint on the Central Server side to allow testing global configuration ports 80 and 443

      • This will apply to both the Central Server and Configuration Proxy

    • Add an endpoint on the Central Server authentication certificate registration service to allow testing access via port 4001

    • Add UI elements on the Security Server diagnostics page to check these new endpoints

Security Server

  • Use the existing listMethods service to verify connection

  • When running the test, the administrator is able to select:

    • The client subsystem (can only be one on the local Security Server)

    • The target subsystem (can be on the same server or another server, including subsystems from federated instances)

    • Method: REST or SOAP

  • Depending on the results of the service call, the Security Server will report ok or show the error that occurred when attempting communication

  • The same approach can be used for the management service; we will include a separate UI element with the inputs predefined for this specific case
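
The check described above can be done by hand today by calling listMethods through the local Security Server. The following is an added example, not NIIS code and not part of the meeting notes: it builds the REST variant of the request and turns the reply into the "ok or error" result. The host name, the member identifiers and the two sample replies are constructed, and the helper names are hypothetical.

```python
import json
from urllib.parse import quote

# Constructed identifiers: (instance, member class, member code, subsystem).
CLIENT = ("DEV", "COM", "1234567-8", "TestClient")   # subsystem on the local server
TARGET = ("FED", "GOV", "7654321-0", "Registry")     # subsystem in a federated instance

# Constructed sample replies in the shape of X-Road REST responses.
SAMPLE_OK = '{"service": [{"service_code": "b"}, {"service_code": "a"}]}'
SAMPLE_ERROR = '{"type": "Server.ClientProxy.NetworkError", "message": "Could not connect"}'


def build_list_methods_request(server_url, client, target):
    """Describe the REST listMethods call for `target`, made on behalf of `client`."""
    if len(client) != 4 or len(target) != 4 or not (all(client) and all(target)):
        raise ValueError("client and target must be full subsystem identifiers")
    # Percent-encode each identifier part (this example's choice for both fields).
    target_path = "/".join(quote(part, safe="") for part in target)
    client_id = "/".join(quote(part, safe="") for part in client)
    return {
        "method": "GET",
        "url": f"{server_url.rstrip('/')}/r1/{target_path}/listMethods",
        "headers": {"X-Road-Client": client_id, "Accept": "application/json"},
    }


def interpret_response(status, body):
    """Return ('ok', [service codes]) or ('error', text) for a listMethods reply."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        # For example an HTML error page from a proxy in front of the server.
        return ("error", f"HTTP {status}: response is not JSON")
    if status == 200 and isinstance(doc, dict) and isinstance(doc.get("service"), list):
        return ("ok", sorted(s.get("service_code", "") for s in doc["service"]))
    if isinstance(doc, dict) and "type" in doc:
        # X-Road error replies carry a machine-readable type and a message.
        return ("error", f"{doc['type']}: {doc.get('message', '')}")
    return ("error", f"HTTP {status}: unexpected response")


if __name__ == "__main__":
    print(build_list_methods_request("https://ss1.example.internal", CLIENT, TARGET))
    print(interpret_response(200, SAMPLE_OK))
    print(interpret_response(500, SAMPLE_ERROR))
```
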

4

The X-Road Community Expert Group is ending

To provide more frequent, accessible, and high-quality engagement, NIIS is transitioning from a single annual X-Road Community Event to quarterly online X-Road Community Events. The key benefits of the new approach are:

  • Tailored times for Europe and South America which removes geographic barriers.

  • Community stays informed and active year-round.

  • Respond quickly to emerging topics and trends.

  • Sessions recorded, shareable, and always accessible.

The first quarterly event will take place in autumn 2025. The main focus will be on the X-Road 8 Beta release.

Since the X-Road Community Event will now be organised more regularly and in a more interactive format, there is no longer a need to hold separate X-Road Community Expert Group meetings. Therefore, this is the final meeting of the X-Road Community Expert Group, and no further meetings will be scheduled after the summer. All past meeting agendas will remain available online for the time being.

Thank you to all the members for your participation, input, and contribution!

5

Open topics

  • X-Road has been added to the EU Open Source Solutions Catalog.

  • Two new X-Road-related research projects have been kicked off in June 2025:

    • Trusted Research Environments (TRE) and Data Spaces Integration Study.

      • Conducted by the VTT Technical Research Centre of Finland.

      • Project duration 1.6.–31.12.2025.

    • Investigation of Post-quantum Cryptography in the Context of the X-Road Data Exchange Layer.

      • Conducted by The University of Tartu.

      • Project duration 1.6.–31.12.2025.



Next meetings

-