X-Road v6.20.0 Release Notes
- Petteri Kivimäki
- Ilkka Seppälä
Changes in This Release
Summary
- Support for Ubuntu 18.04 LTS.
- Central Server, Security Server and Configuration Proxy can be migrated from Ubuntu 14.04 LTS to the latest Ubuntu 18.04 LTS version.
- Ubuntu 14.04 LTS will quit receiving maintenance updates in Q2/2019 which is why migration is required.
- Ubuntu 18.04 LTS support includes installation packages, and instructions for fresh install and migration from Ubuntu 14.
- Security Server provides built-in support for Finnish data classification system level ST IV.
- The default security configuration has been updated according to the Finnish Communications Regulatory Authority's requirements.
- Messagelog time-stamping has been improved so that messagelog records are always verifiable regardless of the number of processed messages and Security Server’s load.
- Security Server's security and maintainability is improved replacing customised and outdated 3rd party components with the latest off-the-shelf versions of the components.
- In addition, maintainability is improved removing unsupported features and dead code from the codebase.
Completed Issues
Access to the X-Road Backlog and issue details requires signing up for an account. Sign up now and get access to the backlog and issue details immediately.
| Issue ID | Type | Summary |
|---|---|---|
| XRDDEV-8 | Fix | Replace an outdated custom version of Apache CXF's WSDL validator with the latest factory version. The fix reduces technical debt. N.B.! The change may affect adding and/or refreshing services (WSDL documents) on Security Server. The new version of the validator might reject some WSDL documents that the previous version accepted. |
| XRDDEV-10 | Fix | Replace outdated Logback logging module by more robust Slf4jRequestLog module. The fix reduces technical debt. |
| XRDDEV-29 | Improvement | Update cryptographic strength of key exchange to 128bits on communication between Security Servers, and operational monitoring daemon and client. Introduce whitelist setting to configure accepted cipher suites on Security Server. The change is backwards compatible - when Security Server version >= 6.19.0 communicates with a version <= 6.18.0, the old cryptographic strength of key exchange (< 128 bits) is used. After the improvement Security Server meets Finnish Communications Regulatory Authority's (FICORA) technical requirements for transferring ST IV classified information (on Finnish data classification system). N.B.! Red Hat Enterprise Linux 7 (RHEL7) supports the new configuration starting from RHEL 7.3 - support for the new configuration requires RHEL 7.3 or newer. |
| XRDDEV-60 | Improvement | Add a script and related documentation for re-configuring the IP addresses of Central Server nodes in a high-availability (HA) cluster. |
| XRDDEV-62 | Improvement | Log a warning in Security Server's proxy.log when the amount of timestamped records reaches 70% of timestamp-records-limit. The warning indicates to Security Server administrator that the value of timestamp-records-limit should be increased. |
| XRDDEV-86 | Fix | Store X-Road version information in a platform independent way. Version information is available for X-Road components even if installation packages have not been installed, e.g. running Security Server in a Docker container. |
| XRDDEV-94 | New | Create Security Server installation packages for Ubuntu 18.04 LTS. |
| XRDDEV-95 | New | Create Central Server installation packages for Ubuntu 18.04 LTS. |
| XRDDEV-96 | New | Create Configuration Proxy installation packages for Ubuntu 18.04 LTS. |
| XRDDEV-97 | New | Create Ubuntu 18.04 LTS upgrade instructions for Security Server. |
| XRDDEV-98 | New | Create Ubuntu 18.04 LTS upgrade instructions for Central Server. |
| XRDDEV-99 | New | Create Ubuntu 18.04 LTS upgrade instructions for Configuration Proxy. |
| XRDDEV-101 | New | Create Ubuntu 18.04 LTS installation instructions for Central Server, Configuration Proxy and Security Server. |
| XRDDEV-105 | Fix | Fix error causing global configuration returning outdated data on a federation setup. The error is rare and can occur in a situation where two federated instances are started up after they have been both shut down long enough for global configuration to expire. |
| XRDDEV-106 | Fix | Improve Security Server performance by making authentication key handling more efficient. |
| XRDDEV-108 | Fix | Fix error in operational monitoring regarding measuring the processing time of requests - time that is consumed between sending out a request and receiving a response. The previous logic might have caused operational monitoring to return incorrect and even negative values. |
| XRDDEV-117 | Improvement | Improve Security Server's XML parser's external entity processing to make XML parsing secure by default. |
| XRDDEV-138 | Fix | Fix wrong namespace in X-Road Service Metadata Protocol (PR-META) document. |
| XRDDEV-141 | Fix | Fix an error causing a query to fail when a service is available on two or more Security Servers, and the host name resolution of one of the Security Servers fails. |
| XRDDEV-143 | Improvement | Make Signer component's module manager update interval configurable. Security Server administrator can override the default value using a configuration file. |
| XRDDEV-144 | Fix | Make timeout value used in batch signatures configurable. Security Server administrator can override the default value using a configuration file. |
| XRDDEV-145 | Improvement | Improve messagelog time-stamping so that messagelog records are always verifiable regardless of the number of processed messages and Security Server’s load. When the number of messages to time-stamp reaches the maximum value, batch time-stamping cycle is repeated until the number of time-stamped records is lower than timestamp-records-limit. |
| XRDDEV-146 | Fix | Drop support for global configuration v1. Officially supported X-Road versions all use global configuration v2. N.B.! Security Server versions <=6.7.13 are no longer supported by Central Server versions >= 6.20.0. |
| XRDDEV-162 | Fix | Update NIIS package repository (https://artifactory.niis.org) to official documentation. |
| XRDDEV-165 | Fix | Make client-side Security Server to enforce whitelisted cipher suites in the connections between Security Servers. |
| XRDDEV-168 | Fix | Remove unused code from the code base. |
| XRDDEV-169 | Improvement | Add installation instructions for Security Server on RHEL7. |
| XRDDEV-170 | Improvement | Add support for setting up a Security Server cluster running on Ubuntu 18.04 LTS using Ansible setup scripts. |
| XRDDEV-177 | Fix | Update X-Road software version number format that is shown in the Version tab of the Security Server UI. Release version number format is x.y.z and snapshot version number format is x.y.z-SNAPSHOT-commitDate-commitHash. |
| XRDDEV-178 | New | Add support for Central Server clustering on Ubuntu 18.04 LTS. |
| XRDDEV-184 | Improvement | Convert ASiC verifier's documentation (UG-SIGDOC) from Word to Markdown. |
| XRDDEV-191 | Fix | Add environmental monitoring daemon and environmental monitoring query to X-Road's architecture documentation (ARC-G). |
| XRDDEV-192 | Improvement | Add support for extracting a message from ASiC container when verification of the container fails. The improvement enables extraction of messages from ASiC containers when SOAP payload is not logged in messagelog database. |
| XRDDEV-220 | Fix | Fix an intermittent failure in connection creation between Security Servers. |
| XRDDEV-222 | New | Create Ubuntu 18.04 LTS upgrade instructions for Security Server cluster. |
| XRDDEV-229 | Improvement | Finnish national settings: Update default authentication and signing key length to 3072 bits (earlier 2048 bits). |
| XRDDEV-231 | Improvement | Add X-Road brand colors and and X-Road logo in Central Server and Security Server UIs. |
| XRDDEV-232 | Improvement | Add a Feedback page including links to X-Road Service Desk and X-Road Backlog in Central Server and Security Server UIs. |
| XRDDEV-248 | Fix | Set a timeout value for the SSL handshake when establishing a connection between Security Servers. Previously, the Security Server could wait forever for the SSL handshake to complete after the TCP connection was set up. |
| XRDDEV-256 | Improvement |