X-Road v6.22.0 Release Notes

Release Info

Version number: 6.22.0
Release date: 23.10.2019
Supported versions
  • 6.22.0
  • 6.21.2
  • 6.20.2
Supported platforms

Central Server

  • Ubuntu 18.04 LTS

Configuration Proxy

  • Ubuntu 18.04 LTS

Security Server

  • Ubuntu 18.04 LTS
  • RHEL 7
Official documentation: https://github.com/nordic-institute/X-Road/tree/master/doc
Source code: https://github.com/nordic-institute/X-Road/tree/master
Software license: MIT

Changes in This Release

Summary

  • Support for publishing REST services to X-Road using OpenAPI 3 descriptions and support for more fine-grained access rights management of REST services.

    • Support for invoking meta service using REST clients. Responses are returned in JSON.

  • Better support for running Security Server on cloud platforms enables use of different cloud services together with Security Server.

    • Cloud services can be used to reduce administrative tasks of operating Security Server, optimise infrastructure costs and increase availability.

  • Support for changing the Security Server owner member after the initial configuration of the Security Server is added. (new)

    • In case the member code of an X-Road member changes, it is possible to change the owner of the existing Security Servers owned by the member without downtime or service breaks.

Completed Issues

Access to the X-Road Backlog and issue details requires signing up for an account. Sign up now and get access to the backlog and issue details immediately.

Issue ID | Type | Summary
XRDDEV-136 | New

Add automatic backups on Central Server and Security Server. By default, automatic backups are run once a day and they are automatically removed after 30 days. Retention period and backup execution interval and schedule are configurable by administrators. It is also possible to exclude the database from backups and include configuration files only. If needed, the automatic backup policies can be adjusted by editing /etc/cron.d/xroad-center (Central Server) or /etc/cron.d/xroad-proxy (Security Server) file.

XRDDEV-140 | New | Add support for configuring specific slots on HSM devices for the Security Server to use. It is possible to define the slots to be used in the devices.ini configuration file. The configuration is HSM device specific. If specific slots are not defined, all available slots are scanned when a key is accessed. When specific slots are defined, only the defined slots are accessed. The slots to be used are defined using slot ids.
XRDDEV-384 | Fix | Update Hibernate dependency from version 5.1.17 to 5.3.10.
XRDDEV-428 | Improvement

Change Security Server service client's default connection type from HTTP to HTTPS. After the change mutual TLS authentication is used by default in the connections between a Security Server and a client information system.

The change affects only clients that are added using a Security Server version >= 6.22.0. Existing clients are not affected. New clients must either upload a certificate or change the connection type before they can be used for consuming services.

XRDDEV-450 | New | Publish Central Server Docker image on DockerHub.
XRDDEV-456 | Improvement | Add support for injecting pin to the autologin extension via environment variable to Security Server Docker container.
XRDDEV-462 | New

Add REST/JSON support to "listClients" metaservice. It is possible to define the response content-type of "listClients" metaservice using the HTTP Accept header. When Accept header's value is set to "application/json" the response is returned in JSON. Otherwise the response is returned in XML.

More information can be found in the Service Metadata Protocol for REST.

XRDDEV-463 | New

Add REST/JSON metaservice "listMethods". The metaservice returns in JSON a list of all REST APIs offered by a service provider. SOAP services offered by the same service provider are excluded from the response. Likewise, the SOAP version of the "listMethods" metaservice returns only SOAP services offered by a service provider. Before version 6.22.0 the SOAP version of the "listMethods" metaservice returned also REST APIs offered by the same service provider.

More information can be found in the Service Metadata Protocol for REST.

XRDDEV-464 | New

Add REST/JSON metaservice "allowedMethods". The metaservice returns in JSON a list of all REST services offered by a service provider that the caller has permission to invoke. SOAP services that the caller has permission to invoke offered by the same service provider are excluded from the response. Likewise, the SOAP version of the "listMethods" metaservice returns only SOAP services that the caller has permission to invoke offered by a service provider. Before version 6.22.0 the SOAP version of the "listMethods" metaservice returned also REST APIs that the caller has permission to invoke offered by the same service provider.

More information can be found in the Service Metadata Protocol for REST.

XRDDEV-465 | New

Add REST metaservice "getOpenAPI". The metaservice returns the OpenAPI 3 service description of a REST API. The returned service description is returned using the original content-type in which it has been published - JSON or YAML. The Accept header value set by the client is ignored as the Security Server does not support conversions between different content-types. Publishing an OpenAPI description for REST APIs is not mandatory. An error message is returned in case a service description is not available.

Security Server does not store the OpenAPI description locally. It is fetched from the original source over HTTP(S) every time the "getOpenAPI" metaservice is invoked.

More information can be found in the Service Metadata Protocol for REST.

XRDDEV-468 | New | Add support for importing a REST API using an OpenAPI 3 service description. The OpenAPI 3 description is read from the given URL and the endpoints defined in the description are stored locally on the Security Server. The OpenAPI 3 description must be well formed and both JSON and YAML formats are supported. Publishing an OpenAPI description for REST APIs is optional.
XRDDEV-474 | Improvement

Implement Security Server time-stamping recovery algorithm during TSA service breaks.

The algorithm implements a fixed retry delay for the time-stamper when fetching time-stamps fails - after failing to fetch time-stamps the time-stamper waits for the defined time period before trying again. This is repeated until fetching time-stamps succeeds. After successfully fetching a time-stamp, the time-stamper returns to normal time-stamping schedule.

Before version 6.22.0 the Security Server continued to follow the regular time-stamping schedule during TSA service breaks. If the regular time-stamping interval was long, recovery took a long time too, and requests to be time-stamped accumulated. The recovery algorithm prevents this from happening.

The fixed retry delay is defined by the "timestamp-retry-delay" system parameter (default: 60 s), which can be overridden in local.ini and country-specific meta packages.

XRDDEV-476 | New | Create a new X-Road Security Architecture (ARC-SEC) document.
XRDDEV-501 | Fix | Fix a problem that causes time-stamping to fail when test TSA is used on an Ubuntu 18 host.
XRDDEV-506 | Fix | Fix recording of outgoing request ("request_out_ts") and incoming response ("response_in_ts") timestamp values for REST messages by operational monitoring. Set request attachment count and response attachment count always to zero for REST messages.
XRDDEV-507 | Improvement

Set operational monitoring "succeeded" field's value for REST messages based on REST service response HTTP status code:

  • 1xx, 2xx, 3xx => succeeded=true
  • 4xx, 5xx => succeeded=false

Add new field to operational monitoring for storing REST and SOAP services' HTTP response status code.

XRDDEV-508 | Improvement | Update Ubuntu 18 installation instructions and package dependencies.
XRDDEV-517 | Fix | Update third-party Java libraries to the latest version. Changes in the dependencies are documented here.
XRDDEV-526 | Fix

Fix error when adding a WSDL with a newer version of an existing service.

In version 6.21.0 adding a WSDL containing a newer version of an existing service returned "Service code already exists." error message, and adding the WSDL failed.

XRDDEV-538 | Fix | Increase the default metaspace allocation for "xroad-proxy" component from 80 MB to 128 MB.
XRDDEV-540 | Fix | Fix Central Server and Security Server installation failure when Active Directory is used for access management.
XRDDEV-547 | Improvement | Add support for using an external database instead of a local database running on Security Server. Starting from version 6.22.0 it is possible to configure database connection details during Security Server installation. By default, local database is assumed during installation.
XRDDEV-560 | New

Implement a new management service that enables changing a Security Server's owner after the initial configuration. By default, Security Server owner change requests must be manually approved by the X-Road operator. Automatic approval can be enabled by adding the configuration below to "/etc/xroad/conf.d/local.ini" on Central Server:

[center]
auto-approve-owner-change-requests=true

N.B.! To enable this feature after upgrading to version 6.22.0 from an older X-Road version, "managementservices.wsdl" must be refreshed on Central Server's Security Server, and "Security Server owners" global group must be granted access to the new "ownerChange" service.

XRDDEV-561 | New | Implement management of the Security Server owner change requests in the Central Server UI. If automatic approval of Security Server owner change requests is disabled, the requests must be approved manually in Management Requests section of the Central Server UI. However, the complementary Security Server owner change request is created on the Central Server automatically even if automatic approval is disabled.
XRDDEV-562 | New

Add support for changing Security Server owner to the Security Server. It is possible to change the Security Server owner after the initial configuration without reinstalling and configuring the whole Security Server. Changing Security Server owner requires that first another member is registered on the Security Server, and then the ownership is transferred from the current owner member to the newly registered member. Changing the owner does not cause a service break to the Security Server.

In case the authentication certificate of the Security Server contains owner specific information, it is advised to renew the certificate once the owner has been changed. Technically, the old certificate continues to work with the new owner even if it was issued to the previous owner. Administratively, the authentication certificate should always be issued to the present owner of the Security Server.

In case the previous owner has registered subsystems on the Security Server, they are not affected by the owner change.

N.B.! Old backups taken before the owner change cannot be restored once the owner is changed. An attempt to restore an old backup results in an error message. It is recommended to take a manual backup once the owner change has been successfully completed.

XRDDEV-571 | Fix | Fix problem with REST messages and messagelog when AWS RDS (Amazon Web Services Relational Database Service) is used as an external database. After the fix Security Server is compatible with AWS RDS.
XRDDEV-573 | New | Update Security Server data model to support more fine-grained authorization of REST APIs.
XRDDEV-574 | Fix | Fix an "undefined method" error returned by the Security Server when a WSDL is refreshed and a previously existing service has been removed.
XRDDEV-580 | New

Add operational monitoring package as required for the installation of Finnish Security Server meta package ("xroad-securityserver-fi"). Starting from version 6.22.0 installing the Finnish meta package automatically installs the operational monitoring package.

N.B.! Existing Security Server installations must upgrade the version and reinstall the "xroad-securityserver-fi" meta package to enforce the installation of the operational monitoring package.

XRDDEV-586 | New

Update Security Server to use more fine-grained authorization rules for REST APIs when incoming requests are processed.

XRDDEV-588 | Improvement

Update the Security Server UI to support the management of more fine-grained authorization of REST APIs. Starting from version 6.22.0 the authorization of REST APIs can be done on two different levels:

  • REST API (service code) level authorization – grant access to all endpoints under a REST API.
  • Endpoint (path + method) level authorization. Endpoints can be imported from OpenAPI specification or created manually.

If authorization is defined on REST API level, it applies to all the endpoints under the API. It is not possible to grant access on API level and then deny access to specific endpoint(s). In case an API consists of multiple endpoints and access needs to be granted to only some of them, endpoint level authorization should be used.

If an OpenAPI description is provided, Security Server imports all the endpoints defined in the service description automatically. In addition, endpoints can be added manually. Manually added endpoints can be edited and removed, but endpoints imported from an OpenAPI definition are read-only. Changing them must be done by updating the OpenAPI definition and then refreshing it in the Security Server UI.

XRDDEV-592 | Improvement | Update Security Server log file permissions to follow the least privilege principle. Remove write permissions from group. Changes are applied to new installations and existing installations on upgrades.
XRDDEV-593 | Improvement | Add support for registering another member on Security Server. Starting from version 6.22.0 it is possible to register two members on a Security Server. The feature is needed only when the owner of the Security Server must be changed. This feature is used to register the new owner member on the Security Server before the owner change.
XRDDEV-610 | Fix | Check the memory usage of different X-Road components and increase the memory allocation if needed.
XRDDEV-612 | Improvement | Refactor Security Server fine-grained authorization.
XRDDEV-615 | New | Store REST API endpoints read from an OpenAPI 3 service description in the Security Server's serverconf database.
XRDDEV-622 | New | Add Iceland's certificate profile implementation that supports the certificate profile used in the Icelandic X-Road environment. Enables cross-border data exchange between Iceland and countries using the already existing certificate profiles.
XRDDEV-636 | Fix | Update third-party Java libraries with known vulnerabilities. Changes in the dependencies are documented here.
XRDDEV-648 | Improvement | By default, on RHEL7 xroad-proxy listens for consumer information system connections on ports 8080 (HTTP) and 8443 (HTTPS). Update the Security Server Installation Guide for RHEL7 and add instructions on how to use standard HTTP(S) ports 80 and 443.
XRDDEV-649 | Fix | Remove support for Ubuntu 14.04 LTS. Ubuntu 14.04 LTS reached its end-of-life (EoL) in April 2019 and therefore, it does not receive maintenance updates anymore. Starting from X-Road 6.22.0 Ubuntu 14.04 is not supported anymore and therefore, Ubuntu 14.04 LTS packaging is removed.
XRDDEV-652 | Improvement | Add new configuration option to Ansible script for defining extra locales on Ubuntu hosts. It is possible to install country specific locales on Ubuntu hosts using the new "extra_locales" Ansible configuration option.
XRDDEV-666 | Improvement | Update Ansible scripts and add support for installing the Security Server using a remote database.
XRDDEV-670 | Improvement | Update the Security Server User Guide and add instructions on how to migrate the Security Server from a local database to a remote database.
XRDDEV-692 | Fix | Update Jackson Databind dependency to the latest version.
XRDDEV-698 | Fix | Fix a problem causing the Security Server installation to fail in a Docker container.
XRDDEV-714 | Fix | Fix a security vulnerability reported by SonarQube.
XRDDEV-716 | Fix | Update Bouncy Castle dependency to the latest version.
XRDDEV-717 | Fix | Fix a problem causing Security Server's internal TLS key generation and importing internal TLS certificate to fail.
XRDSD-94 | Fix | Make reading configuration from configuration files more fault tolerant. Clean up additional whitespace characters between comma-separated configuration parameters.

Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).
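
The two grant levels described under XRDDEV-588, as an added example that is not X-Road code: an allow-only evaluator plus an audit helper listing endpoint-level grants made redundant by an API-level grant held by the same client. The client identifiers, the "petstore" service code and the rule that a "{name}" path segment matches exactly one segment are assumptions of this example.

```python
# Added illustration of the XRDDEV-588 authorization model; not X-Road source code.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    client: str                                 # service client id (constructed sample)
    service_code: str                           # REST API (service code)
    endpoint: Optional[Tuple[str, str]] = None  # (METHOD, path); None = API-level grant


def path_matches(template: str, path: str) -> bool:
    """Assumed rule: segments compare literally; '{name}' matches one segment."""
    t = template.strip("/").split("/")
    p = path.strip("/").split("/")
    return len(t) == len(p) and all(
        a == b or (a.startswith("{") and a.endswith("}")) for a, b in zip(t, p)
    )


def is_allowed(grants: List[Grant], client: str, service_code: str,
               method: str, path: str) -> bool:
    """Allow-only evaluation: any matching grant permits, nothing can deny."""
    for g in grants:
        if g.client != client or g.service_code != service_code:
            continue
        if g.endpoint is None:
            return True  # API-level grant covers every endpoint under the API
        g_method, g_path = g.endpoint
        if g_method == method.upper() and path_matches(g_path, path):
            return True
    return False


def shadowed_endpoint_grants(grants: List[Grant]) -> List[Grant]:
    """Endpoint-level grants that restrict nothing because the same client
    also holds an API-level grant on the same service code."""
    api_level = {(g.client, g.service_code) for g in grants if g.endpoint is None}
    return [g for g in grants
            if g.endpoint is not None and (g.client, g.service_code) in api_level]


# Constructed sample access rights
GRANTS = [
    Grant("DEV/COM/1234/billing", "petstore"),                         # API level
    Grant("DEV/COM/1234/billing", "petstore", ("GET", "/pets/{id}")),  # shadowed
    Grant("DEV/GOV/5678/reports", "petstore", ("GET", "/pets/{id}")),  # endpoint only
]

if __name__ == "__main__":
    for g in shadowed_endpoint_grants(GRANTS):
        print("redundant endpoint grant:", g)
```

A non-empty result from shadowed_endpoint_grants is worth reviewing: the intent was probably partial access, but the API-level grant already exposes every endpoint.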
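
The time-stamping recovery behaviour described under XRDDEV-474, as an added simulation that is not X-Road code: it walks the time-stamper's attempts through a TSA outage with and without the fixed retry delay and reports how long time-stamping was stalled. The 3600 s regular interval and the outage window are constructed values; only the 60 s default comes from the release notes.

```python
# Added illustration of the XRDDEV-474 retry behaviour; not X-Road source code.
DEFAULT_RETRY_DELAY_S = 60  # "timestamp-retry-delay" default from the release notes


def simulate(interval_s, outage, retry_delay_s=None):
    """Walk time-stamper attempts until it has recovered from a TSA outage.

    outage = (start, end): fetches at start <= t < end fail (constructed model).
    retry_delay_s=None models the behaviour before 6.22.0, where a failed
    fetch simply waits for the next slot of the regular schedule.

    Returns (attempts, stalled_s). attempts is a list of (time, succeeded);
    stalled_s is the time between the last success before the outage and the
    first success after it, or 0 if no attempt fell inside the outage.
    """
    start, end = outage
    t, last_ok, failed, attempts = 0, 0, False, []
    while True:
        ok = not (start <= t < end)
        attempts.append((t, ok))
        if ok:
            if failed:
                return attempts, t - last_ok   # recovered after a failure
            if t >= end:
                return attempts, 0             # outage passed unnoticed
            last_ok = t
            t += interval_s                    # normal schedule
        else:
            failed = True
            # 6.22.0: fixed retry delay; earlier versions: regular interval
            t += interval_s if retry_delay_s is None else retry_delay_s


if __name__ == "__main__":
    outage = (3500, 4000)  # constructed: TSA unreachable for 500 s
    for label, delay in (("before 6.22.0", None), ("6.22.0", DEFAULT_RETRY_DELAY_S)):
        attempts, stalled = simulate(3600, outage, delay)
        print(f"{label}: {len(attempts)} attempts, time-stamping stalled {stalled} s")
```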

New/Updated Dependencies

Changes in dependencies are documented here.

Other Notes

Package Repositories

Repository | URL
Bionic | deb https://artifactory.niis.org/xroad-release-deb bionic-<version> main
RPM | https://artifactory.niis.org/xroad-release-rpm/rhel/7/<version>

Repository Sign Key Details

Download URL: https://artifactory.niis.org/api/gpg/key/public
Hash: 935CC5E7FA5397B171749F80D6E3973B
Fingerprint: A01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B
3rd party key server: SKS key servers
