X-Road v7.8 Release Notes

Release Info

Latest version release: 7.8.0

Release date: 02.02.2026

Supported versions

  • 7.8.0

  • 7.7.1

  • 7.6.3

Supported platforms

Central Server

  • Ubuntu 22.04 LTS

  • Ubuntu 24.04 LTS

Configuration Proxy

  • Ubuntu 22.04 LTS

  • Ubuntu 24.04 LTS

Security Server

  • Ubuntu 22.04 LTS

  • Ubuntu 24.04 LTS

  • RHEL 8

  • RHEL 9

  • Docker

Official documentation: X-Road/doc at master · nordic-institute/X-Road

Source code: GitHub - nordic-institute/X-Road at master

Software license: MIT

Changes in This Release

Summary of changes in version 7.8.0

  • Support for selecting between free and paid OCSP and timestamping services on the Security Server.

  • Support for automatically picking up the supported Certificate Signing Request (CSR) format (PEM / DER) for the selected CA when generating a CSR for an authentication or sign certificate on the Security Server.

  • Enhance the Security Server’s diagnostic capabilities by introducing additional connection debugging tools.

  • Add support for multiple tokens in the autologin script.

  • Add support for hardware tokens into the Security Server Sidecar.

  • Minor enhancements and bug fixes based on user feedback.

Notices

Version 7.8.0

Before strategies for choosing between free and paid OCSP responders and time stamping authorities can be taken into use, the trust services must be correctly configured on the Central Server. Make sure to check with your X-Road Operator.

Tickets in Release

Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).

Issue ID

Type

Summary

Version 7.7.0

XRDDEV-2734

Improvement

Improve the method by which the operational monitoring component on the Security Server resolves its internal IP.

XRDDEV-2919

Improvement

Allow ACME HTTP challenge port to be customised. This helps in cases where the host or container doesn’t have port 80 available to bind to, but the user still wants to use ACME.

The port can be customised for native installations by setting the system parameter acme-challenge-port in the [proxy-ui-api] block to the desired port number (default 80).

The port can be customised for Sidecar deployments by setting the environmental variable XROAD_PROXY_UI_API_ACME_CHALLENGE_PORT to the desired port number.

The ACME protocol requires the HTTP challenge to take place over port 80. When customising the port on the host or container, it needs to be configured on the network level so that port 80 from the public inbound IP of the Security Server will route to the custom port on the host/container.

XRDDEV-2921

Improvement

Improve the diagnostics information available on the diagnostics page of the Security Server user interface regarding the global configuration and TSA connections.

XRDDEV-2922

New

Add functionality to the Central Server to support diagnostic checks for global configuration and authentication certificate registration initiated from the Security Server.

XRDDEV-2923

New

Add functionality to the Security Server that allows testing connections to peer Security Servers and clients via the diagnostics page. This enables Security Server administrators to verify connections to other Security Servers and clients, for example, to confirm that the required firewall configurations are in place.

XRDDEV-2933

Improvement

Improve global configuration download client behavior and implement better retry logic with exponential back-off to decrease the chances of a deadlock.

The retry logic can be tuned by modifying the following system parameters under the [configuration-client] block:

  • downloader-connect-timeout (default 10000)

    • Maximum time in milliseconds the global configuration client waits to connect to the remote server.

  • downloader-read-timeout (default 30000)

    • Maximum time in milliseconds the global configuration client waits to read data from the remote server after the connection is established.

XRDDEV-2947

Fix

Fix an issue on the Security Server where adding a member to a local group would cause identifier entries to be duplicated.

XRDDEV-2949

Fix

Fix an issue that caused the backup restore process to override the local db_libpq.env override file.

XRDDEV-2950

Improvement

Merge translation contribution to the Estonian language by TaaviMeinberg.

XRDDEV-2968

Improvement

Merge a Security Server Sidecar contribution by tuomari. This improvement allows providing the Security Server UI user password as a hash (SHA512) by passing the XROAD_ADMIN_PWD_HASH environment variable.

XRDDEV-2973

Improvement

Merge translation contribution to the Portuguese language by georgeroliveira.

XRDDEV-2977

New

Add a new input field to the Central Server UI to define which CSR format should be used with a specific CA. The format is mandatory when adding a new CA or updating an existing one.

XRDDEV-2978

New

Add support for automatically selecting the supported CSR format during the certificate request flow in the Security Server UI. When the CSR format is automatically selected, the CSR format menu is read-only and its value cannot be changed. Automatic selection is enabled when the supported CSR format is defined for the selected CA on the Central Server.

XRDDEV-2979

New

Add functionality to the Central Server UI to allow marking CAs and TSAs as being free or paid. When adding a new trust service or updating an existing one, marking it as free or paid is mandatory.

XRDDEV-2980

New

Add support for configuring the strategy used to determine which CA or TSA service is used on the Security Server.

The strategy can be chosen by setting the following system parameters:

  • Under the [message-log] block: timestamping-prioritization-strategy (default none)

  • Under the [signer] block: ocsp-prioritization-strategy (default none)

Possible strategies for both are:

  • NONE (default) - uses the same logic as earlier versions.

  • ONLY_FREE - uses only services marked as free and ignores the rest.

  • FREE_FIRST - uses free services first, falling back to paid and then undefined.

  • ONLY_PAID - uses only services marked as paid and ignores the rest.

  • PAID_FIRST - uses paid services first, falling back to free and then undefined.
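
The ordering rules of the five strategies, written out as an added example in Python (this is not X-Road source code). The service URLs are constructed; keeping the incoming order for NONE and within one cost type is an assumption of this example.

```python
# Added illustration of the strategy semantics; not X-Road source code.
FREE, PAID, UNDEFINED = "FREE", "PAID", None

# Cost types each strategy will use, in fallback order.
# A cost type that is not listed is never used by that strategy.
_PREFERENCE = {
    "ONLY_FREE": [FREE],
    "FREE_FIRST": [FREE, PAID, UNDEFINED],
    "ONLY_PAID": [PAID],
    "PAID_FIRST": [PAID, FREE, UNDEFINED],
}

def prioritize(services, strategy="NONE"):
    """Return the service URLs in the order they would be tried.

    services: list of (url, cost_type) pairs.
    Assumption: NONE keeps the incoming order, and the order of
    services that share a cost type is preserved.
    """
    key = strategy.upper()  # the default is written as "none" in the ini file
    if key == "NONE":
        return [url for url, _ in services]
    if key not in _PREFERENCE:
        raise ValueError(f"unknown strategy: {strategy!r}")
    ordered = []
    for cost in _PREFERENCE[key]:
        ordered += [url for url, c in services if c == cost]
    return ordered

# Constructed sample data (hypothetical TSA URLs).
TSAS = [
    ("https://tsa-paid.example/ts", PAID),
    ("https://tsa-legacy.example/ts", UNDEFINED),
    ("https://tsa-free.example/ts", FREE),
]

if __name__ == "__main__":
    for name in ("NONE", "ONLY_FREE", "FREE_FIRST", "ONLY_PAID", "PAID_FIRST"):
        print(f"{name:11} -> {prioritize(TSAS, name)}")
    # An ONLY_* strategy with no matching service leaves nothing to use.
    print(prioritize([("https://tsa-paid.example/ts", PAID)], "ONLY_FREE"))
```

An empty result under ONLY_FREE or ONLY_PAID means no service qualifies, which is why the free/paid marks on the Central Server need to be in place before one of these strategies is enabled.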

XRDDEV-2981

New

Add functionality to apply the selected trust service strategy for proxy communications on the Security Server.

XRDDEV-3004

Fix

Fix an issue where the value of the “Updated date” field is not correctly updated when a global group is changed in the Central Server UI.

XRDDEV-3014

Fix

Fix an issue on the Security Server UI, where long member names in the local group management view didn’t wrap correctly, causing the “Remove” button to be hidden.

XRDDEV-3018

Fix

Fix an issue where the configuration client was erroneously started on the Central Server after a backup was restored.

XRDDEV-3020

New

Add functionality to the autologin script to handle multiple tokens, allowing both software and hardware tokens to be logged in automatically.

The original behavior still exists - if there is only one line in the /etc/xroad/autologin file, it will be used as the pin code for the software token.

If the /etc/xroad/autologin file contains multiple lines with the format token_id:pin_code, the new behavior will be used.

If the script /usr/share/xroad/autologin/custom-fetch-pin.sh outputs multiple lines with the format token_id:pin_code to STDOUT, the new behavior is used.

The new behavior takes each of the lines and tries to use the pin code with the token id defined on the same line.

The autologin process will succeed if all login attempts were successful and fail with an error if any of them failed. The returned code is the highest return code among all of the attempts.

For the Security Server Sidecar, multiple tokens can also be provided using environmental variables in the format: XROAD_TOKEN_<id>_PIN, where the <id> is the token ID and the value of the variable is the pin code for the respective token.

NB! Only multiple tokens are supported with this method, which means it is not possible to define an environmental variable for a single token other than with ID 0.
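
The single-line and multi-line rules above, as an added Python example that can be used to check autologin content before deploying it (this is not the autologin script shipped with X-Road). Assumptions of this example: the software token has ID 0, blank lines are ignored, the duplicate-ID check is extra validation, `login` is a hypothetical stand-in for the real token login, and the token ID `hsm-1` and both PINs are constructed.

```python
import re

SOFTWARE_TOKEN_ID = "0"  # assumption: the software token has ID 0

def parse_autologin(text):
    """Turn autologin content (file or custom-fetch-pin.sh STDOUT) into
    a list of (token_id, pin) pairs. Blank lines are ignored (assumption)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("no PIN provided")
    if len(lines) == 1:
        # Original behaviour: the whole line is the software token PIN,
        # even if it happens to look like token_id:pin_code.
        return [(SOFTWARE_TOKEN_ID, lines[0])]
    pairs, seen = [], set()
    for number, line in enumerate(lines, 1):
        token_id, sep, pin = line.partition(":")  # split at the first colon
        if not (sep and token_id and pin):
            raise ValueError(f"line {number}: expected token_id:pin_code")
        if token_id in seen:
            raise ValueError(f"line {number}: duplicate token id")
        seen.add(token_id)
        pairs.append((token_id, pin))
    return pairs

def lines_from_env(env):
    """Render XROAD_TOKEN_<id>_PIN variables as token_id:pin_code lines."""
    out = []
    for name, pin in sorted(env.items()):
        match = re.fullmatch(r"XROAD_TOKEN_(.+)_PIN", name)
        if match:
            out.append(f"{match.group(1)}:{pin}")
    return "\n".join(out)

def autologin(text, login):
    """Attempt every token and return the highest return code.
    `login` is a hypothetical callable (token_id, pin) -> int."""
    return max(login(token_id, pin) for token_id, pin in parse_autologin(text))

# Constructed sample: token ID "hsm-1" and both PINs are made up.
SAMPLE = "0:1234\nhsm-1:5678\n"

def fake_login(token_id, pin):
    """Constructed stand-in: only the software token PIN is right."""
    return 0 if (token_id, pin) == ("0", "1234") else 2

if __name__ == "__main__":
    print(parse_autologin(SAMPLE), "rc =", autologin(SAMPLE, fake_login))
```

Note the single-line case: a lone `0:1234` line is read as the PIN `0:1234` for the software token, not as token 0 with PIN `1234`.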

XRDDEV-3025

Fix

Fix a bug where the header of the keys and certificates page in the Security Server UI was not visible.

XRDDEV-3033

Fix

Fix an inconsistency on the Security Server UI where the column was named “member name”, when the actual contents were “subsystem name”.

XRDDEV-3042

Fix

Fix an issue where the key-management-api-whitelist and regular-api-whitelist were not configurable for the Central Server REST API. The parameters can now be set under the [admin-service] block and behave the same way they do for the Security Server REST API.

XRDDEV-3044

Fix

Review memory usage of X-Road 7 components. Increased the messagelog addon module's metaspace default from 80M to 90M.

XRDDEV-3047

New

Add a new version of the basic certificate profile that supports ACME. The new profile is identical to the existing one but includes the SAN field required by ACME. The new basic profile can be used by setting the following CertificateProfileInfo value on the Central Server:

ee.ria.xroad.common.certificateprofile.impl.BasicACMECertificateProfileInfoProvider

XRDDEV-3048

Improvement

Install the hardware token module addon as baseline in the Security Server Sidecar so that hardware tokens can be used with it. The addon is now included in all the Security Server Sidecar variants.

XRDDEV-3049

Improvement

Migrate to the ECharts JS library on the Security Server UI due to licensing changes in the original charting library used.

XRDDEV-3050

Fix

Fix an issue in the Security Server initialisation flow that was caused by the “Served id exists” warning.

XRDDEV-3062

Fix

Fix an issue with the PEM CSR format when used with ACME.

XRDDEV-3064

Improvement

Implement automatic account-keystore-password for ACME in acme.yml. Before the change, the password had to be manually defined by the Security Server administrator. After the change, the password is generated automatically by the Security Server.

XRDDEV-3072

Improvement

Improve input validation on Security Server and Central Server web UI and REST API to further prevent potential injection vectors.

XRDDEV-3074

Improvement

Improve Content Security Policy (CSP) settings on the Security Server web UI to further harden the frontend against potential attacks.

XRDDEV-3079

Fix

Fix an issue that caused the “Used Servers” section in the Central Server’s “Member Details” view to be always empty.

XRDDEV-3082

Fix

Fix issues with the Configuration Proxy where the view configuration and create instance commands were not working with the CLI tool.

XRDDEV-3101

Fix

Fix an issue where the validation message for the Central Server address field was not working correctly on the Central Server web UI.

XRDDEV-3104

Fix

Fix an issue where the proxy memory setting utility suggested incorrect values in certain cases.

XRDDEV-3105

Fix

Fix an issue in the Security Server web UI, where the Access Rights list showed the Local Group ID instead of the code.

New/Updated Dependencies

Version 7.8.0

| Dependency | Old Version | New Version |
| --- | --- | --- |
| ch.qos.logback.access:logback-access-tomcat | 2.0.6 | 2.0.7 |
| ch.qos.logback:logback-classic | 1.5.18 | 1.5.24 |
| com.codeborne:selenide | 7.12.0 | 7.13.0 |
| com.codeborne:selenide-proxy | 7.12.0 | 7.13.0 |
| com.fasterxml.jackson.core:jackson-annotations | 2.19.1 | 2.19.4 |
| com.fasterxml.jackson:jackson-bom | 2.19.1 | 2.19.4 |
| com.google.guava:guava | 33.4.0-jre | 33.5.0-jre |
| com.google.protobuf:protobuf-java-util | 4.31.1 | 4.32.1 |
| com.google.protobuf:protoc | 4.31.1 | 4.32.1 |
| com.zaxxer:HikariCP | 6.3.0 | 7.0.2 |
| commons-cli:commons-cli | 1.9.0 | 1.11.0 |
| commons-codec:commons-codec | 1.18.0 | 1.20.0 |
| commons-io:commons-io | 2.19.0 | 2.21.0 |
| io.dropwizard.metrics:metrics-core | 4.2.33 | 4.2.37 |
| io.dropwizard.metrics:metrics-jmx | 4.2.33 | 4.2.37 |
| io.grpc:grpc-netty-shaded | 1.73.0 | 1.76.0 |
| io.grpc:grpc-protobuf | 1.73.0 | 1.76.0 |
| io.grpc:grpc-stub | 1.73.0 | 1.76.0 |
| io.grpc:protoc-gen-grpc-java | 1.73.0 | 1.76.0 |
| io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations | 2.15.0 | 2.20.1 |
| io.rest-assured:rest-assured | 5.5.5 | 5.5.6 |
| io.swagger.core.v3:swagger-annotations | 2.2.34 | 2.2.41 |
| io.swagger.parser.v3:swagger-parser | 2.1.30 | 2.1.37 |

io.swagger.parser.v3:swagger-parser-v3

2.1.30