X-Road v7.0.0 Release Notes

Release Info

Version number

7.0.0

Release date

30.11.2021

Supported versions

  • 7.0.0

  • 6.26.0

  • 6.25.0

Supported platforms

Central Server

  • Ubuntu 18.04 LTS

  • Ubuntu 20.04 LTS

Configuration Proxy

  • Ubuntu 18.04 LTS

  • Ubuntu 20.04 LTS

Security Server

  • Ubuntu 18.04 LTS

  • Ubuntu 20.04 LTS

  • RHEL 7

  • RHEL 8

  • Docker

Official documentation

https://github.com/nordic-institute/X-Road/tree/master/doc

Source code

https://github.com/nordic-institute/X-Road/tree/master

Software license

MIT

Changes in This Release

Summary

  • New X-Road 7 look and feel for the Security Server UI.

  • Security improvements on the Security Server:

    • Encrypt backup files (opt-in)

    • Verify integrity of backup files on restore.

    • Remove executable files from backups.

  • Improvements in Security Server message logging:

    • Encrypt message payload in message log database (opt-in)

    • Encrypt message log archives (opt-in)

    • Group message log archives by subsystem (opt-in)

    • Support for fully disabling message logging.

  • Change PIN code on the Security Server.

  • Return REST API type (OPENAPI3 / REST) and API endpoints in REST metaservice responses.

  • Run the Security Server on Java 11 by default.

  • Make Security Server more modular by enabling installation without a local Postgres server

  • Version compatibility check for version upgrades - it is no longer possible to update from an unsupported version.

  • Official Docker support added to the Security Server with the Security Server Sidecar images.

  • Other enhancements and bug fixes.

The following blog posts provide additional information about the biggest changes in X-Road 7.0.0:

The X-Road 7 migration guide is available here

Upgrade to version 7.0.0 is supported from version 6.26.0 only. In case you're running an older version, please upgrade to version 6.26.0 first, and then to version 7.0.0.

Completed Issues

Issue ID

Type

Summary

XRDDEV-333

Improvement

Update the timestamping service URL automatically on the Security Server when the URL is updated on the Central Server.

The feature is disabled by default. To enable it, add the following configuration to /etc/xroad/conf.d/local.ini

[proxy-ui-api]
auto-update-timestamp-service-url=true

When the timestamping URL is updated by the Security Server there is an info level log entry in the following file: /var/log/xroad/proxy_ui_api.log

When there are multiple timestamping services with the same name and the URL and one of those is updated on the Central Server, the Security Server does not perform the update because it's not able to distinguish between the services. Instead it adds a warning level log entry.

XRDDEV-427

Improvement

Add "x-forwarded-for" HTTP header to the Security Server proxy access log ("/var/log/xroad/clientproxy_access.log"). If a client information system connects to the Security Server through a proxy, the header contains the original IP address of the client.

XRDDEV-541

Improvement

Diagnostics now correctly reports if it is unable to verify the OCSP response due to an application level problem, e.g., invalid OCSP responder certificate.

If the response verification fails and other responders are available, those will also be tried.

If there are configuration changes affecting available OCSP responders, obsolete OCSP responders will be removed from the diagnostics view. Previously that required restarting signer.

Fixes a vulnerability that caused the OCSP responder certificate not to be verified properly. Before the fix, it wasn't verified that the OCSP responder certificate was signed by the CA that issued the certificate.
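The check described for XRDDEV-541, as an added example that is not X-Road's own code: it uses the Python cryptography package and constructed ECDSA sample certificates, and all function names are hypothetical. Going beyond the text, it also requires the id-kp-OCSPSigning extended key usage that RFC 6960 prescribes for a delegated responder; validity dates and revocation of the responder certificate are not checked here.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def responder_is_authorized(responder_cert, issuing_ca_cert):
    """True only if the responder certificate was signed by the CA that issued
    the certificate being checked and is marked for OCSP signing."""
    if responder_cert.issuer != issuing_ca_cert.subject:
        return False
    try:
        # The constructed samples are ECDSA; an RSA CA key needs a padding argument.
        issuing_ca_cert.public_key().verify(
            responder_cert.signature, responder_cert.tbs_certificate_bytes,
            ec.ECDSA(responder_cert.signature_hash_algorithm))
        eku = responder_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except (InvalidSignature, x509.ExtensionNotFound):
        return False
    return ExtendedKeyUsageOID.OCSP_SIGNING in eku.value


def make_cert(subject_cn, issuer_cn, public_key, signing_key, ocsp_eku=False):
    """Build a constructed sample certificate (test data only)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
    )
    if ocsp_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def build_samples():
    """Return (ca, good, forged, no_eku) constructed certificates."""
    ca_key, rogue_key, resp_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Sample CA", "Sample CA", ca_key.public_key(), ca_key)
    good = make_cert("OCSP", "Sample CA", resp_key.public_key(), ca_key, ocsp_eku=True)
    # Names the real CA as issuer but is signed by an unrelated key.
    forged = make_cert("OCSP", "Sample CA", resp_key.public_key(), rogue_key, ocsp_eku=True)
    no_eku = make_cert("OCSP", "Sample CA", resp_key.public_key(), ca_key)
    return ca, good, forged, no_eku
```

Comparing issuer and subject names alone would accept the forged sample; only the signature check against the CA's public key rejects it.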

XRDDEV-542

Improvement

Diagnostics now correctly reports if it is unable to verify the timestamp returned by a TSA due to an application level problem, e.g., invalid TSA certificate. Previously a successful simple connection check masked all application level errors.

TSA diagnostics now shows both connection and application level failures from batch timestamping attempts.

XRDDEV-964

Improvement

Invalidate the internal key cache in the Security Server immediately when the internal TLS key or certificate changes instead of waiting for the cache to expire. In this way, the changes become effective immediately.

XRDDEV-1092

New

Add support to install the Security Server and Central Server without a local PostgreSQL server. If a remote database is used, it's not necessary to install a local PostgreSQL server.

Installing with a local database works like before - installing xroad-securityserver and xroad-centralserver packages install a local PostgreSQL server.

Installing the local PostgreSQL server can be skipped by explicitly installing the xroad-database-remote package, e.g.:

apt/yum install xroad-database-remote xroad-securityserver

The relevant documentation is available here:

XRDDEV-1184

New

Add support to the Security Server management API to allow changing the software token pin code.

XRDDEV-1225

New

Add support to the signer console to allow changing the software token pin code.

XRDDEV-1226

New

Add support to the Security Server UI to allow changing the software token pin code.

XRDDEV-1295

Improvement

Clarify the error messages that are returned when the TLS handshake between two Security Servers fails and when the connection between the provider Security Server and a service fails due to a certificate error. Before, the same error message was returned in both cases. After the change, different error messages are returned.

XRDDEV-1351

Improvement

Improve permission handling in the new Security Server UI to make it more resilient to issues.

XRDDEV-1397

New

Create a shared UI library for the Security Server and new Central Server.

XRDDEV-1450

New

Implement the new X-Road 7 look and feel in the Security Server UI.

XRDDEV-1461

Fix

Fix a bug in the Security Server management API that caused inconsistencies in how certificate-related permissions were handled.

XRDDEV-1468

Fix

Remove the "Please enter soft token PIN" link from global alerts in the Security Server UI if the user does not have the required permission to carry out the action.

XRDDEV-1469

Fix

Fix the Security Server UI keys and certificates filtering to include both the friendly name and ID so that both of them can be used for filtering.

XRDDEV-1470

Fix

Fix the Security Server UI Add Services dialog in the Service Clients wizard so that long lists of services don't hide the dialog action buttons.

XRDDEV-1471

Improvement

Various small improvements to the Security Server UI code so that it follows best practices.

XRDDEV-1477

Improvement

Improve the usability of Security Server UI's Local Group Add Members dialog and Service Access Rights dialog.

XRDDEV-1507

New

Add a check that prevents version upgrades from an unsupported X-Road version.

X-Road’s current lifecycle policy is to support the latest version plus two previous versions. The supported versions are defined on MAJOR.MINOR level, so the release of patch versions (MAJOR.MINOR.PATCH) does not affect the support. Also, version upgrades are supported and tested between the supported versions. However, with X-Road 7.0.0, there's one exception – upgrade to version 7.0.0 is supported from version 6.26.0 only. If you're running an older version of X-Road, an upgrade to version 6.26.0 is required first before upgrading to version 7.0.0.

XRDDEV-1525

Improvement

Improve the Security Server UI keys and certificates table to provide better visual feedback about different key and certificate statuses.

XRDDEV-1544

Improvement

Improve the way message log records are updated in the database to better handle cases where multiple nodes might be trying to update the same records, e.g., a Security Server cluster with an external load balancer uses a shared message log database between the nodes.

XRDDEV-1549

Improvement

Improve the way the Security Server handles control characters in identifiers so that they don't cause issues on the frontend or management API level.

XRDDEV-1551

Fix

Fix a bug in the Security Server UI certificate details page where updating the page caused some information to be missing from the UI.

XRDDEV-1559

Improvement

Improve the Add Client wizard on the Security Server. Enable sending a client registration request only if the client to be registered has a valid sign certificate with a good OCSP response.

XRDDEV-1569

Improvement

Add Java version information to the Security Server UI diagnostics page.

XRDDEV-1581

Improvement

Make the OpenAPI description of the Security Server management REST API available on the Security Server.

The API description is now available on the Security Server at: "https://<hostname/ip>:4000/api/v1/openapi.yaml"

XRDDEV-1590

Fix

Fix an issue in the Central Server UI that caused the System Settings view to break when the member owning the management services Security Server was deleted.

XRDDEV-1597

Improvement

Improve the "getOpenAPI" metaservice so that the host part is removed from the server URL when an OpenAPI description is returned. After the change, the behavior is consistent with the "getWsdl" metaservice for SOAP services.

This changes the current behaviour of the metaservice for getting the OpenAPI descriptor in the following way when handling the "server.url" parameters inside the description:

  • If the URL contains parameter(s), nothing is removed and the URL is returned as-is

  • Otherwise the protocol and host are removed from the URL and only the path is returned

For example:

  • https://service/v1 → /v1

  • https://service/v1/entities/entity → /v1/entities/entity

  • https://service/v1/entities/entity/{:entityId} → https://service/v1/entities/entity/{:entityId}
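The rewriting rule for XRDDEV-1597, written out as an added example rather than X-Road's implementation. The function names, the constructed sample description, the mapping of a bare host to "/" and the choice to visit root, path and operation level server lists are assumptions. `exposed_hosts` shows the consequence a service provider should review: a parameterised URL is returned as-is, so its host name stays visible to consumers.

```python
import copy
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def rewrite_server_url(url):
    """Apply the rule above to a single server URL."""
    if "{" in url:
        return url  # contains parameter(s): returned as-is
    parts = urlsplit(url)
    if not parts.netloc:
        return url  # already relative, nothing to remove
    return parts.path or "/"  # assumption: a URL with no path becomes "/"


def server_lists(description):
    """Yield each 'servers' list OpenAPI 3 allows: root, path item, operation."""
    yield description.get("servers", [])
    for item in description.get("paths", {}).values():
        yield item.get("servers", [])
        for method, operation in item.items():
            if method in HTTP_METHODS:
                yield operation.get("servers", [])


def strip_hosts(description):
    """Return a rewritten copy of a parsed OpenAPI description."""
    result = copy.deepcopy(description)
    for servers in server_lists(result):
        for server in servers:
            server["url"] = rewrite_server_url(server["url"])
    return result


def exposed_hosts(description):
    """Host names a consumer can still read after the rewrite."""
    hosts = set()
    for servers in server_lists(strip_hosts(description)):
        for server in servers:
            host = urlsplit(server["url"]).hostname
            if host:
                hosts.add(host)
    return hosts


# Constructed sample description using the URLs from the list above.
SAMPLE = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://service/v1"}],
    "paths": {"/entities": {
        "servers": [{"url": "https://service/v1/entities/entity/{:entityId}"}],
        "get": {"servers": [{"url": "https://service/v1/entities/entity"}]},
    }},
}
```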

XRDDEV-1604

New

Update the Security Server to run on Java 11 by default.

XRDDEV-1605

New

Add support to encrypt Security Server backups.

The feature is opt-in and is disabled by default.

Details on how to configure and enable backup encryption can be found in the Security Server user manual:

XRDDEV-1610

Fix

Fix the Security Server UI diagnostics view timestamping service column name to be "Previous update" instead of "Next update" to correctly label the data.

XRDDEV-1611

New

Add integrity verification of Security Server backup files on restore.

XRDDEV-1612

New

Remove executable files from the Central Server and Security Server backups. The change requires manual migration if local configuration overrides have been defined in "/etc/xroad/services/local.conf".

The X-Road 7 migration guide is available here

This changes the current backup and restore mechanism in a considerable way so please review your usage to make sure you update your settings to work with the new restrictions.

  • Executable files from "/etc/xroad/services/*.conf" are no longer backed up.

  • For local configuration changes, properties can be set in "/etc/xroad/services/local.properties" file.

    • Only a fixed set of environment variables can be changed, others are ignored (see the local.properties file for supported values).

  • The old "/etc/xroad/services/local.conf" file is still usable but please note that this file is no longer included in the backups.

  • Permissions for all the restored files are set to safe constant values during restore (permissions in the backup are ignored).

  • For the Security Server database backup, a custom backup format is used; this prevents execution of arbitrary commands during the restoration process.

Please note that the backups are incompatible between X-Road 6 and X-Road 7.

XRDDEV-1626

Improvement

Add a basic certificate profile that doesn't contain a hard-coded country code and therefore, is not connected to any specific country. The basic profile can be used to get started with X-Road. The profile can be used by setting the below CertificateProfileInfo value on the Central Server.

CertificateProfileInfo value
ee.ria.xroad.common.certificateprofile.impl.BasicCertificateProfileInfoProvider

XRDDEV-1629

Fix

Fix an XSS vulnerability in the Central Server UI system settings view, where users could add executable JavaScript code into the description of a member class, which would be executed on page load.

XRDDEV-1634

Improvement

Increase the maximum width of the Security Server UI views to better use the available screen space.

XRDDEV-1639

Improvement

Overhaul the Security Server UI keys and certificates view to provide a better user experience.

XRDDEV-1648

New

Add support to group message log archives by member or subsystem.

Grouping is opt-in and is not enabled by default.

  • The property "messagelog.archive-grouping" controls the grouping and can have one of the following values: none, member, subsystem

  • The archive files, depending on the setting, use the following naming pattern: mlog[CLASS-MEMBER[-SUBSYSTEM]]-<starttime>-<endtime>-<random>.zip

  • Even with the property set to "none", the records are sorted by member/subsystem, but the archive files can contain records from several members

  • According to long-term tests, setting the grouping property to none does not seem to have a significant effect on the archiving speed; however, there is an additional index that takes some space, and the query fetching the records from the database is slower than previously

More information about the message log configuration can be found in the Security Server user manual:

XRDDEV-1653

Improvement

Improve the page not found error page design in the Security Server UI.

XRDDEV-1659

Improvement

Improve the verification of the Security Server's internal TLS certificate when a new certificate is uploaded. After the change, the Security Server verifies that the certificate belongs to the Security Server's internal TLS key, otherwise an error message is returned.

XRDDEV-1661

Improvement

Restart the relevant Security Server services after a country-specific metapackage install so that the configuration overrides are picked up automatically without a manual restart.

XRDDEV-1664

New

Move the message log archiving to a separate process to improve the fault tolerance of the Security Server.

This change introduces a new X-Road Java process (systemd unit: xroad-addon-messagelog.service) that logs to "/var/log/xroad/messagelog-archiver.log".

RHEL only: After upgrading, it is necessary to manually start the archiver service with:

systemctl start xroad-addon-messagelog

XRDDEV-1667

Fix

Fix the profile of the SSL certificate used by the Security Server UI and management API so that curl is able to validate the certificate.

XRDDEV-1670

New

Change X-Road specific configuration properties to start with the prefix "XROAD_" on the Central Server, Security Server and Configuration Proxy. The change requires manual migration if local configuration overrides have been defined in "/etc/xroad/services/local.conf".

The X-Road 7 migration guide is available here

More information about the configuration properties in X-Road 7 is available at:

XRDDEV-1671

New

Add a permission denied page to the Security Server UI to give better visual feedback in case users try to visit a page their role does not allow them to.

XRDDEV-1679

New

Add an option to install the Security Server with the message log addon disabled. When the message log addon is disabled, no messages are logged and no timestamping service is needed.

XRDDEV-1691

New

Add support to encrypt message log archive files on the Security Server.

This feature is opt-in and is disabled by default.

More information on how to configure the feature is available in the Security Server user manual:

XRDDEV-1692

New

Add support to encrypt the message log database records on the Security Server.

This feature is opt-in and is disabled by default.

More information on how to configure the feature is available in the Security Server user manual:

XRDDEV-1696

Improvement

Update the message log archive file names to be deterministic. In practice, it means that given the same input (grouping, message records, previous archive linking info digest), the output (file name and contents) is the same after possible encryption is removed.

More information on the archive file names is available in the Security Server user manual:

XRDDEV-1697

Improvement

Improve OpenAPI service description checks on the Security Server to verify that the description is using a supported version. When a new REST API with OpenAPI description is added to the Security Server, the OpenAPI version of the service description is verified and an error is returned if the version number is not supported by the Security Server.

XRDDEV-1702

Improvement

Add content security policy headers to the web interfaces for the Security Server and Central Server to improve security.

XRDDEV-1704

Improvement

Remove references to BDR plugin version 1 for PostgreSQL by 2ndQuadrant from the Central Server scripts so that other BDR versions can be used. Before the change, the Central Server installation scripts contained hard-coded references to BDR1 that caused errors in case a later BDR version was used.

XRDDEV-1705

Improvement

Add ability to skip database restoration during a restore operation on the Central Server so that it can be done manually for 3rd party database replication and high availability solutions (e.g. BDR3).

This can be done only using the command-line to initiate the restoration.

More information can be found in the Central Server user manual: