DECEMBER 2023

We are excited to announce the release of EJBCA Software Appliance 2.5.

This release brings support for multiple network interface cards (NICs) and extended hardware security module (HSM) support. With this release, we have also updated EJBCA Enterprise to version 8.2.

Highlights

New Version of EJBCA Enterprise

EJBCA Enterprise has been updated to version 8.2. For more information, see the EJBCA Release Notes.

Multiple Network Interface Card (NIC) Support

The Software Appliance now offers multiple Network Interface Card (NIC) support and allows you to configure network interfaces on the Network tab. 

You can configure up to ten distinct interfaces, each supporting the configuration of up to three static IPv4/IPv6 addresses per Network Interface Card (NIC). Furthermore, you can maximize the efficiency of your network connectivity by configuring various services on different interfaces, with the only constraint being the dedicated default interface, which always has the Web configuration service enabled to prevent you from accidentally locking yourself out.

Support for Utimaco CryptoServer LAN FIPS

EJBCA Software Appliance supports the Utimaco CryptoServer LAN FIPS firmware which provides heightened security measures, meeting the strict standards of FIPS for cryptographic operations.

Support for new nShield 5c HSM and Security World Firmware

EJBCA Software Appliance supports the new nShield 5c HSM, which offers advanced features and security capabilities. In addition, support for the Security World firmware version 13.4.4 provides improved performance and ensures efficient and reliable execution of cryptographic processes. 

License Management

License management is now available in Software Appliance 2.5.

The license file is optional for now and your appliance will continue to work without restrictions.

A license is not required to start or use the Software Appliance, and existing users upgrading to version 2.5 or later will see no changes. If license management is relevant for you, you will find the license file in your download folder, where you can also access the latest version of Software Appliance 2.5. If there is no license file in the download area, the license feature is currently not relevant to you.

Keyfactor Branding enhancement

The user interface of the Software Appliance has been updated with Keyfactor branding enhancements. This includes an improved color scheme, and logo and favicon updates. 

Improvements and corrections

The following lists other improvements and corrections included in the release.

  • Client certificate authentication no longer logs out users after 30 seconds: An issue where users were automatically logged out after 30 seconds when using client certificate authentication has been resolved. This issue was caused by session iframes that were reporting that the user was no longer logged in.
  • NTP server address length restriction has been increased to 253: The maximum length of an NTP server address has been increased to allow for more characters. Previously, the maximum length was 39 characters, which could cause issues when entering longer NTP server addresses.
  • MariaDB database has been updated to version 10.6.16: The MariaDB database has been updated to version 10.6.16 to address a security vulnerability (CVE-2023-22084). This update improves the overall security of the SW Appliance.
  • "Bad Request" error message no longer occurs when saving configurations in profiles: An issue that caused a "Bad Request" error message to appear when saving configurations in profiles has been resolved. This issue prevented users from saving their profiles. The fix involves handling large certificates more efficiently.
  • Network configuration now prevents assigning broadcast addresses as IP addresses: Previously, it was possible to configure the Software Appliance in a way that made it inaccessible. This was caused by allowing broadcast addresses to be assigned as IP addresses. This issue has been fixed by implementing validation checks that prevent broadcast addresses from being assigned.
  • Entrust nShield configuration is now regenerated on startup: An issue that prevented the Entrust nShield configuration from being regenerated on startup has been resolved. This issue could lead to incorrect status information for the HSM or connections to more HSMs than expected. The fix ensures that the nShield configuration is properly reloaded on each startup, preventing these issues.
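
The broadcast-address check described in the list above, sketched as an added example (not the appliance's own validation code); the function names and sample addresses are assumptions made for illustration. It goes slightly beyond the release note by handling /31, /32 and IPv6, which have no directed broadcast address, and by applying the limit of three static addresses per NIC mentioned earlier.

```python
import ipaddress

MAX_STATIC_PER_NIC = 3  # per-NIC limit stated in the release notes
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def broadcast_reason(cidr):
    """Return why `cidr` (address/prefix) is a broadcast address, or None."""
    iface = ipaddress.ip_interface(cidr)  # raises ValueError on malformed input
    if iface.version == 6:
        return None  # IPv6 has no broadcast addresses
    if iface.ip == LIMITED_BROADCAST:
        return "limited broadcast address"
    net = iface.network
    # /31 (RFC 3021 point-to-point) and /32 have no directed broadcast address.
    if net.prefixlen <= 30 and iface.ip == net.broadcast_address:
        return f"directed broadcast address of {net}"
    return None


def validate_nic(static_addresses):
    """Return a list of human-readable errors for one NIC's static addresses."""
    errors = []
    if len(static_addresses) > MAX_STATIC_PER_NIC:
        errors.append(f"more than {MAX_STATIC_PER_NIC} static addresses")
    for cidr in static_addresses:
        try:
            reason = broadcast_reason(cidr)
        except ValueError:
            errors.append(f"{cidr}: not a valid address/prefix")
            continue
        if reason:
            errors.append(f"{cidr}: {reason}")
    return errors


if __name__ == "__main__":
    # Constructed sample configuration (not taken from an appliance).
    sample = ["192.168.10.255/24", "10.0.0.1/31", "2001:db8::1/64"]
    for line in validate_nic(sample) or ["ok"]:
        print(line)
```

Note that the same address can be valid or invalid depending on the prefix: 192.168.10.255 is the broadcast address of a /24 but an ordinary host address in a /16.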

Upgrade Information

Please note the following known limitation for the EJBCA LRA Software Appliance:

  • The EJBCA RA CoAP service must be enabled on at least one network interface card (NIC) for the EJBCA Registration Authority (RA) to start.

For information on the required steps to update the version of the EJBCA Software Appliance, see Update Software Appliance Version.