X-Road v7.5.0 Release Notes

Release Info

Version number: 7.5.0

Release date: 05.07.2024

Supported versions:

  • 7.5.0
  • 7.4.2
  • 7.3.2

Supported platforms:

Central Server

  • Ubuntu 20.04 LTS
  • Ubuntu 22.04 LTS
  • Ubuntu 24.04 LTS

Configuration Proxy

  • Ubuntu 20.04 LTS
  • Ubuntu 22.04 LTS
  • Ubuntu 24.04 LTS

Security Server

  • Ubuntu 20.04 LTS
  • Ubuntu 22.04 LTS
  • Ubuntu 24.04 LTS
  • RHEL 7
  • RHEL 8
  • RHEL 9
  • Docker

Official documentation: https://github.com/nordic-institute/X-Road/tree/master/doc

Source code: https://github.com/nordic-institute/X-Road/tree/master

Software license: MIT

 


Changes in This Release

Summary

  • Support for automated certificate management on the Security Server through ACME.

  • Support for adding / removing Central Server cluster nodes without having to distribute a new version of the configuration anchor.

  • Support for Ubuntu 24.04 LTS.

    • Central Server, Security Server and Configuration Proxy can be migrated from Ubuntu 22.04 LTS to the latest Ubuntu 24.04 LTS version.

    • Ubuntu 24.04 LTS support includes installation packages, and instructions for fresh install and migration from Ubuntu 22.04 LTS.

    • NB! Ubuntu 20.04 is only supported to provide an easier upgrade path to Ubuntu 24.04; we suggest that production environments use Ubuntu 22.04 or Ubuntu 24.04.

  • Support for Red Hat Enterprise Linux 9 (RHEL9).

    • Security Server can be migrated from RHEL8 to the latest RHEL9 version.

    • RHEL9 support includes installation packages, and instructions for fresh install and migration from RHEL8.

    • NB! RHEL7 is only supported to provide an easier upgrade path to RHEL8 or RHEL9; we suggest that production environments use RHEL8 or RHEL9.

  • Minor enhancements and bug fixes based on user feedback.

NB! For the Finnish meta-package version of X-Road (xroad-securityserver-fi), ACME is enabled by default. This applies to the Finnish variants (-fi) of the Security Server Sidecar Docker image too.

Ubuntu users who have been running the Security Server since before version 7.4.0 will likely encounter a port conflict. Versions prior to 7.4.0 used port 80 as the default client information system port for HTTP, and ACME now requires the same port for accepting HTTP challenges.

Fresh installs on Ubuntu starting from 7.4.0 are not affected, and neither are RHEL-based installations, as those all use port 8080 by default.

To resolve the issue, you have two options:

  1. If you are not using ACME, it can be disabled by setting the acme-challenge-port-enabled flag to false in your configuration for the proxy-ui-api module: https://docs.x-road.global/Manuals/ug-syspar_x-road_v6_system_parameters.html#39-management-rest-api-parameters-proxy-ui-api. This will disable the HTTP challenge and everything will work as before after the services have been restarted.

  2. Remove the overrides (client-http-port, client-https-port) for ports 80 and 443 from the file /etc/xroad/conf.d/local.ini: https://docs.x-road.global/Manuals/ug-syspar_x-road_v6_system_parameters.html#32-proxy-parameters-proxy. After the services are restarted, the ports default to 8080 and 8443 respectively. Important: This change also requires changing the Security Server URL in every information system that uses the Security Server in the client/consumer role, so that it uses either port 8080 (HTTP) or 8443 (HTTPS/HTTPS NO AUTH). In addition, the firewall configuration for ports 80, 443, 8080 and 8443 must be updated accordingly. The list of required firewall configurations can be found in the Security Server Installation Guide.
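A pre-upgrade check for the conflict described above, as an added example that is not part of the X-Road project's own tooling. It assumes both settings live in local.ini under [proxy] and [proxy-ui-api] sections (names taken from the linked parameter headings); the function name and the sample file contents are constructed for illustration.

```python
import configparser

ACME_CHALLENGE_PORT = 80          # port ACME HTTP challenges need, per the notes above
DEFAULT_CLIENT_HTTP_PORT = 8080   # value used once the local.ini override is removed

# Constructed sample inputs (not taken from a real server).
LEGACY_INI = "[proxy]\nclient-http-port=80\nclient-https-port=443\n"
OPTION_1_INI = LEGACY_INI + "[proxy-ui-api]\nacme-challenge-port-enabled=false\n"
OPTION_2_INI = "[proxy]\n"        # overrides removed, ports fall back to defaults


def check_acme_port_conflict(ini_text, acme_enabled_by_default=True):
    """Report whether the client HTTP port collides with the ACME challenge port.

    acme_enabled_by_default=True models the -fi meta-package described above;
    pass the value that applies to the variant you run (assumption to verify).
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    # An absent override means the proxy listens on its default port.
    http_port = cfg.getint("proxy", "client-http-port",
                           fallback=DEFAULT_CLIENT_HTTP_PORT)
    # An absent flag means the package default decides.
    acme_on = cfg.getboolean("proxy-ui-api", "acme-challenge-port-enabled",
                             fallback=acme_enabled_by_default)
    return {
        "client_http_port": http_port,
        "acme_challenge_enabled": acme_on,
        "conflict": acme_on and http_port == ACME_CHALLENGE_PORT,
    }


if __name__ == "__main__":
    for name, text in [("legacy", LEGACY_INI), ("option 1", OPTION_1_INI),
                       ("option 2", OPTION_2_INI)]:
        print(name, check_acme_port_conflict(text))
```

To check a real server, pass the contents of /etc/xroad/conf.d/local.ini as ini_text before upgrading.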

Completed Issues

| Issue ID | Type | Summary |
|---|---|---|
| XRDDEV-918 | Improvement | Improve parsing of OpenAPI descriptions when adding a service to the Security Server to provide a similar level of warnings to the WSDL parsing. |
| XRDDEV-2496 | New | Introduce support to add ACME-enabled CAs to the Central Server with additional configuration. ACME-related configuration items can be added to the existing CAs too, which means that enabling ACME for a CA does not require adding a new CA. Information on how to manage ACME-related certification service settings on the Central Server is available in the Central Server User Guide. |
| XRDDEV-2505 | New | Support Ubuntu 24.04 on the Central Server and Configuration Proxy components. Migration guides from Ubuntu 22.04 to Ubuntu 24.04 are available in the X-Road Knowledge Base: |
| XRDDEV-2507 | New | Support Ubuntu 24.04 on the Security Server components. Migration guides from Ubuntu 22.04 to Ubuntu 24.04 are available in the X-Road Knowledge Base. |
| XRDDEV-2511 | New | Support RHEL9 on the Security Server components. Migration guides from RHEL8 to RHEL9 are available in the X-Road Knowledge Base. |
| XRDDEV-2523 | Improvement | Update the Kubernetes Security Server Sidecar User Guide and Kubernetes Security Server Sidecar Security User Guide to provide instructions to run the Security Server Sidecar using Azure Kubernetes Service (AKS). Now the user guides cover AKS and Amazon Elastic Kubernetes Service (Amazon EKS). |
| XRDDEV-2532 | Improvement | Improve dialog navigation and interactions in the Central Server web interface. Add support for closing dialogues using the Escape key and activating dialogues' primary action (e.g., save, search, next, etc.) using the Enter key. |
| XRDDEV-2534 | New | Introduce capability to request a sign certificate from a trusted CA via the ACME protocol on the Security Server. Information on how to configure ACME on the Security Server can be found in the Security Server User Guide. |
| XRDDEV-2535 | New | Introduce capability to request an authentication certificate from a trusted CA via the ACME protocol on the Security Server. Information on how to configure ACME on the Security Server can be found in the Security Server User Guide. |
| XRDDEV-2539 | Fix | Fix an issue in the signer component that caused HSM connection recovery to be delayed by 20 minutes after restarting the signer. |
| XRDDEV-2554 | Improvement | Support for adding / removing Central Server cluster nodes without having to distribute a new version of the configuration anchor. Improve the global configuration so that node information is correctly passed to the Security Servers and used by them to allow for adding and removing of Central Server nodes without needing a new configuration anchor to be uploaded. |
| XRDDEV-2561 | Fix | Fix an issue on the Security Server that caused dangling database entries to be left after deleting a client. |
| XRDDEV-2580 | Fix | Fix an issue in the Security Server sidecar Docker image that caused a Kubernetes deployment to fail when the PostgreSQL data directory was stored in a volume using a persistent volume claim. |
| XRDDEV-2581 | Fix | Fix a delete button placement issue on the certificate view in the Security Server web interface. |
| XRDDEV-2584 | Fix | Update the Jetty library used in the Security Server proxy component. |
| XRDDEV-2585 | Fix | Update the Spring Boot library used in the Security Server and Central Server components. |
| XRDDEV-2586 | New | Allow defining additional options for PostgreSQL CLI tools used in the Security Server and Central Server processes. Information on how to use this new configuration is available in the Security Server and Central Server user guides. |
| XRDDEV-2609 | Improvement | Bump the Security Server sidecar Docker images to Ubuntu 24.04. |
| XRDDEV-2613 | Fix | Fix an issue that caused cleaning up global configuration V2 and V3 temporary files to fail if global configuration generation failed. |
| XRDDEV-2614 | Fix | Fix an issue where a user in the Registration Officer role on the Central Server was not able to add a member due to the member classes endpoint having too strict role requirements. |
| XRDDEV-2619 | Improvement | Improve the Central Server flow when a Security Server adds a subsystem or member that is not yet registered on the Central Server. Now the member can automatically be created when the management request related to it is approved. When automatic approvals are enabled, requests containing a new member are not automatically approved. For security considerations, the Central Server administrator will still manually need to approve such requests. |
| XRDDEV-2620 | Fix | Fix an issue that caused the Security Server to return too much information in an error message in case of a database misconfiguration. |
| XRDDEV-2621 | Improvement | Update the timestamping acceptable failure period ("message-log.acceptable-timestamp-failure-period") from 5 hours to 48 hours in the Finnish meta package ("xroad-securityserver-fi"). After the change, Security Servers that have installed the Finnish meta package remain operational up to 48 hours when the timestamping service is unavailable. |
| XRDDEV-2623 | Fix | Fix an issue that caused the Security Server to incorrectly show a success message when changing the soft-token PIN even if the operation actually failed. |
| XRDDEV-2649 | Fix | Fix an issue that caused a wrong identifier type to be shown in the Central Server UI. |
| XRDDEV-2653 | Fix | Fix an issue that caused deleting a member, unregistering a subsystem and deleting a Security Server to fail on the Central Server. |

Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).

New/Updated Dependencies

| Dependency | Old Version | New Version | Notes |
|---|---|---|---|
| io.dropwizard.metric | 4.1.26 | 4.2.26 | |
| org.eclipse.jetty | 11.0.17 | 12.0.7 | |
| org.glassfish.jaxb | 4.0.3 | 4.0.5 | |
| org.hibernate | 6.2.9.Final | 6.5.2.Final | |
| com.fasterxml.jackson | 2.15.2 | 2.17.1 | |
| com.zaxxer:HikariCP | 5.0.1 | 5.1.0 | |
| org.postgresql:postgresql | 42.5.4 | 42.7.3 | |
| org.springframework.boot | 3.1.5 | 3.3.1 | |
| org.springframework.cloud | 2022.0.4 | 2023.0.2 | |
| com.google.guava | 32.1.3-jre | 33.0.0-jre | |
| org.bouncycastle | 1.69 | 1.78.1 | |
| org.slf4j | 2.0.9 | 2.0.13 | |
| ch.qos.logback | 1.4.11 | 1.4.14 | |
| org.liquibase:liquibase-core | 4.19.0 | 4.28.0 | |
| io.swagger.parser.v3 | 2.1.18 | 2.1.22 | |
| org.apache.commons:commons-text | 1.10.0 | 1.12.0 | |
| com.bucket4j:bucket4j-core | 7.4.0 | 8.10.1 | |
| io.swagger.core.v3:swagger-annotations | 2.2.17 | 2.2.22 | |
| com.google.protobuf | 3.24.3 | 3.25.3 | |
| io.grpc | 1.58.0 | 1.64.0 | |
| jakarta.validation:jakarta.validation-api | 3.0.2 | 3.1.0 | |

Contributors

The following developers have contributed to the development of this release version. A contribution means at least one Git commit that is included in the release. The full list of contributors of different X-Road® versions is available here.

Other Notes

Package Repositories

Repository Sign Key Details

Download URL: https://artifactory.niis.org/api/gpg/key/public

Hash: 935CC5E7FA5397B171749F80D6E3973B

Fingerprint: A01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B

3rd party key server: Ubuntu key server

Packages

Focal

Package

SHA256 checksum

xroad-addon-hwtokens_7.5.0-0.ubuntu20.04_amd64.deb

32122e9a8e860814110f598809436585b892a6dfae8a8e197689bf585f1e9cd3

xroad-addon-hwtokens_7.5.0-1.ubuntu20.04_amd64.deb

081279c8a05d9ef105f6a740a0e2e7c710009dd8af4c00d638a3299ac3ff4c31

xroad-addon-messagelog_7.5.0-0.ubuntu20.04_all.deb

eaf0c97406a3614a24ce51aef86f5ef5b753ac08307d5d77fa4015193861baa4

xroad-addon-messagelog_7.5.0-1.ubuntu20.04_all.deb

19f95a6fa4c05c77c739c0d3195572c059f5887734d472e179ea0b409a53fc6c

xroad-addon-metaservices_7.5.0-0.ubuntu20.04_all.deb

9e86d0c75269917abb33ba11f50eaa8d2883d4631f278b0c1c179ceaad9393fc

xroad-addon-metaservices_7.5.0-1.ubuntu20.04_all.deb

f4914f9da524d91b51d697e23ae9700bda1204d60923d4d52a662f2cbca93282

xroad-addon-opmonitoring_7.5.0-0.ubuntu20.04_all.deb