EJBCA 6.14 Release Notes
It's with no small amount of pride that we'd like to announce the release of EJBCA 6.14, one of the most feature rich releases to come out in a long while. Let's get straight to it, because we have quite a bit to discuss.
Features
The Certificate Management REST API
A long requested and requested feature is for EJBCA to support a spick and span new REST API, and EJBCA 6.14 introduces the first iteration of our EJBCA REST Interface.
So far we've only implemented basic certificate management methods, and we'll be slowly moving on with implementing more powerful features in the near future. You'll find the complete offline API as a part of our documentation here, or deployed locally with your EJBCA installation. For those of you wishing to integrate with EJBCA using REST we deploy Swagger on non-production installations in order to expose the API. Just like with all new protocols added to EJBCA, the REST API is disabled by default and needs to be manually activated.
Complete Proxification of the EJBCA Web Services API
A huge milestone for the EJBCA, we put in a huge effort into providing proxification for nearly all EJBCA WS calls. This means that CAs relying on communication with 3rd party applications can now be placed behind an outgoing-only firewall, with communications being relayed through an EJBCA RA.
Roadmap Update
We're now looking forward to Q3 and EJBCA 7.0, which will be our next Common Criteria candidate. In doing so our goal is to make the complete technology leap from JSP to JSF in our CA UI, a first step to greatly improving the usability of EJBCA. Be also aware that EJBCA 7.0 will drop support for JDK7, so if you haven't upgraded to JDK8 or later yet we strongly recommend doing so.
Upgrade Information
Read the EJBCA 6.14 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 6.14.0, refer to our JIRA Issue Tracker.
Issues Resolved in 6.14.0
Technical Requirement
ECA-6978 - Implement Rest conventions
ECA-7022 - Specify license information for swagger dependencies
Bug
ECA-3298 - One Junit failure on DB2
ECA-4729 - getRequestServerName with ejbca behind a reverse proxy via ajp returns wrong server name
ECA-5416 - SoftCryptoToken used for database protection always debug logs stacktrace about PKCS12 keystore password
ECA-6292 - Common PKI CertHash OCSP extension should be a singleExtension instead of a responseExtension
ECA-6654 - PublicCryptoToken can't be used for database protection verification
ECA-6763 - EJB CLI still logs too much irrelevant info
ECA-6774 - Fix the active status logo in internal key binding.
ECA-6848 - Regression: 'Provide request info' hidden when only 'Select key algorithm' should be
ECA-6862 - CertificateDataSessionBean.findUsernameByIssuerDnAndSerialNumber declared final
ECA-6869 - Upgrade code for 6.11 creates access rules that are not normalized
ECA-6880 - fix unit tests for Commuity MariaDB+ubuntu+JBOSS711GA configuration
ECA-6887 - Return value for rejected approvals in EjbcaWS.getRemainingNumberOfApprovals(int) is incorrect
ECA-6895 - Refine behavior of ApprovalSessionBean.getRemainingNumberOfApprovals(int)
ECA-6901 - Handle non-DNs gracefully in CertTools.isDNReversed
ECA-6923 - Missed slashes in documentation links
ECA-6947 - Validator view not refreshed, editing Validators modifies cache content
ECA-6950 - Documentation: Custom certificate extension data link broken
ECA-6951 - Documentation links on Admin GUI overview page broken
ECA-6959 - Cache CA name lookup in RoleMembers page view scope
ECA-6997 - Database upgrade version comparison does not handle varying number if fields
ECA-7000 - Improve isFullQualifiedDomainName
ECA-7001 - ExternalCommandCertificateValidator handles stdout and stderr incorrectly
ECA-7004 - Public key blacklist validator fails match on RSA keys when not all algorithms are specified in validator
ECA-7014 - External Command Certificate Validator should fail on non-zero exit code
ECA-7015 - The enum constant UNKNOWN needs a corresponding case label in this enum switch
ECA-7016 - Unlikely argument problems in ACME implementation
ECA-7027 - WS API documentation has wrong URL
ECA-7031 - Documentation Link broken for 'Manage Publishers'
ECA-7040 - Regression: External RA (polling) does not work for Keystore Requests
ECA-7043 - Upgrade with long version number can fail
ECA-7057 - Fix documentation link from Public Web
ECA-7063 - Peer connector settings are not saved when creating a new peer connector
ECA-7078 - Jenkins builds failure for test EjbcaWSCVCTest
ECA-7079 - Jenkins builds failure for SystemTests of REST API
ECA-7080 - Jenkins builds failure for AcmeWorkflowTest of ACME
ECA-7083 - CaaValidator always succeeds when the domain ignore list matches
ECA-7084 - Fix Jenkins test error: Non unique method in RA Master API
ECA-7085 - Some JUnit tests don't run
ECA-7086 - Regression: Help labels and at least one option is gone from the CAA Validator
ECA-7088 - some REST-related unit tests are failing in EJBCA_TRUNK_UNIT_PUPPET
ECA-7090 - Swagger inputs in snakecase are not evaluated in REST method input
ECA-7094 - Error "Can't reset to root in the middle of the path" during `ant install` on JBoss ≥6.4.19
ECA-7099 - CRL generation as CRL Issue interval can miss some intervals
ECA-7100 - Revocation CA lookup for nonConflictingCertificateData does not use normalized DN format
ECA-7101 - EjbcaWS.getProfile leaks information about CA's and EEPs
ECA-7108 - X509CA.upgrade could upgrade CA Overlap Time wrong from ancient version
ECA-7111 - Troubleshooting missing from documentation
ECA-7112 - Fix test failure EndEntityProfileSessionBeanTest.testAuthorization
ECA-7115 - WS customLog call calculates CA ID wrong if caName is missing
ECA-7116 - WS customLog call swaps username and admin certificate parameters in log
ECA-7140 - Ignore Top Level Domains field in CAA Validators no longer work
ECA-7141 - orm entry for AcemNonceData incorrect for PostgreSQL
ECA-7142 - Documentation Link broken for under OcspKeyBinding Tab
ECA-7144 - RaMasterApi dispatches non-serializable objects
ECA-7145 - Invalid error handling for EjbcaWS.getProfile (remote)
ECA-7148 - Jenkin's job EJBCA_TRUNK_UNIT_PUPPET compilation failure
ECA-7149 - Jenkins job EJBCA_TRUNK_UNIT_PUPPET has failing unit test of RsaKeyValidatorTest.testRocaWeakKeys
ECA-7150 - Regression ejbca-db-cli crashes with ClassNotFoundException: AcmeNonceData
ECA-7155 - Manage ACME Aliases is linking to SCEP documentation
ECA-7157 - Fields notBefore and notAfter in the order object are optional
ECA-7158 - HEAD endpoint for new-order is missing and required for certbot compliance
ECA-7159 - REST API /expire offset and maxNumberofResults doesn't work on multiple nodes
ECA-7160 - HEAD endpoint for new-account is missing and required for certbot compliance
ECA-7167 - Regression: Cannot generate keystore with autogenerated password from RA
ECA-7173 - ConcurrentModificationException while editing end entity with custom, dynamic, extensions
ECA-7176 - Regression: RA Web upload CSR auto-parsing stopped working
ECA-7179 - Regression: RA Web cleanup deletes existing end entity
ECA-7180 - NPE in ProfileAndTraceInterceptor
ECA-7181 - CertBot fails due to null values in JSON
ECA-7182 - ACME Link headers are not encoded according to the standard
ECA-7183 - Fix ACME notAfter validation failure
ECA-7184 - Check for incorrect approval settings for ACME CA/profile fails
ECA-7192 - ziprelease excludes configdump.sh from release zip
New Feature
ECA-5711 - RA API call base for ACME
ECA-6750 - System tests: VA Publisher with Throwaway certs
ECA-6845 - Fixing unittests EJBCA_TRUNK_MARIADB_RHEL64_JBOSSEAP64_OPENJDK8 Jenkins build
ECA-6851 - Create automated test for ECAQA-3
ECA-6853 - Add Peer RA Protocol Rule for SCEP
ECA-6854 - Create automated test for ECAQA-76
ECA-6858 - Create automated test for ECAQA-67
ECA-6867 - Create automated test for ECAQA-24
ECA-6868 - Create automated test for ECAQA-62
ECA-6874 - Create module for REST API
ECA-6876 - Implement client certificate authentication for REST API
ECA-6878 - REST API call: List of CAs
ECA-6882 - Create JAXRS "certificate" endpoint in ejbca-rest-api module
ECA-6891 - POST service endpoint to certificatecontroller for requesting new server certificate
ECA-6893 - ACME: Implement dns-01 validation method
ECA-6896 - Create automated test for ECAQA-42
ECA-6897 - Create automated test for ECAQA-8
ECA-6898 - User documentation REST API
ECA-6902 - Create REST service for downloading CA certificates
ECA-6903 - REST method for revoking a certificate
ECA-6904 - GET method to get certificates that are about to expire
ECA-6934 - Add RA proxying of EjbcaWS.findUser(UserMatch) and EjbcaWS.editUser(UserDataVOWS)
ECA-6937 - Create a common exception handler for the REST API
ECA-6941 - Add Swagger to the REST API
ECA-6942 - Create automated test for ECAQA-74
ECA-6944 - Create automated test for ECAQA-28
ECA-6948 - Use HEX serial number as identifier in the REST API
ECA-6953 - REST Json provider configuration
ECA-6954 - REST exceptions cleanup
ECA-6955 - REST soft exceptions
ECA-6956 - Create remaining JUnit test for REST
ECA-6957 - REST system tests
ECA-6958 - REST Use profile names as input instead of ID
ECA-6964 - Refactor cert enrollment REST service to do profile and endentity lookups behind RaMasterApi to improve performance
ECA-6970 - Add RA Proxying of EjbcaWS.getAvailableCertificateProfiles
ECA-6971 - Add RA Proxying of EjbcaWS.getAvailableCAsInProfile
ECA-6972 - Add RA proxying to EjbcaWS.processCertReq
ECA-6973 - Add RA proxying to EjbcaWS.cvcRequest
ECA-6974 - Add RA proxying to EjbcaWS.customLog
ECA-6975 - Add RA proxying to EjbcaWS.findCerts
ECA-6982 - Add RA proxying to EjbcaWS.getAuthorizedEndEntityProfiles
ECA-6983 - Add RA proxying to EjbcaWS.getCertificate(String, String)
ECA-6984 - Add RA proxying to EjbcaWS.getCertificatesByExpirationTime
ECA-6985 - Add RA proxying to EjbcaWS.getCertificatesByExpirationTimeAndType
ECA-6986 - Add RA proxying to EjbcaWS.getCertificatesByExpirationTimeAndIssuer
ECA-6987 - Add RA proxying to EjbcaWS.getLastCAChain
ECA-6988 - Add RA proxying to EjbcaWS.getProfile(int, String)
ECA-6989 - Add RA proxying to EjbcaWS. getLatestCRL
ECA-6990 - Add RA proxying to EjbcaWS.getRemainingNumberOfApprovals
ECA-6991 - Add RA proxying to EjbcaWS.isApproved(int)
ECA-6992 - Add RA proxying to EjbcaWS.isAuthorized(int)
ECA-6993 - Add RA proxying to EjbcaWS.pkcs12Req(String, String, String, String, String)
ECA-6994 - Add RA proxying to EjbcaWS.republishCertificate(int)
ECA-6999 - REST endpoint for keystore enrollment
ECA-7007 - REST endpoint to get CRL
ECA-7008 - REST endpoint to search for certificates
ECA-7010 - REST endpoint to check certificate revocation status
ECA-7011 - Start using Converters in REST related response, request and entity classes
ECA-7029 - Link Rest API documentation to the proper place
ECA-7030 - Prevent Swagger exposure in Production
ECA-7032 - Add RA proxying to EjbcaWS.getPublisherQueueLength(String)
ECA-7033 - REST endpoint to finalize enrollment after approval
ECA-7034 - Add RA proxying to EjbcaWS.revokeUser(String, int, boolean)
ECA-7035 - Add CLI command to list publishers
ECA-7038 - Extend EJBCA EJB CLI to allow adding RoleMembers of any supported type
ECA-7039 - Add Cavium Nitrox III as known HSM driver
ECA-7051 - Add protocol configuration for REST
ECA-7052 - Add REST APIs to Peer RA Protocol access rules
ECA-7053 - Add ACME to Peer RA Protocol access rules
ECA-7067 - Add positive audit log messages for all Validation operations
ECA-7076 - REST API - SystemTest - Authorized client requesting a new server certificate
ECA-7077 - REST API - SystemTest - Authorized client revokes a certificate
ECA-7092 - REST API license headers to Enterprise
ECA-7122 - Add RA proxying to EjbcaWS with request local instance first.
ECA-7126 - Add RA Proxying of EjbcaWS.getAvailableCAs
ECA-7127 - Rest APi unit tests are not run in Jenkins
ECA-7156 - Implement CAA identities
ECA-7178 - contacts should not be mandatory for ACME's POST newAccount endpoint
Task
ECA-6861 - Initial prototype of REST API
ECA-6871 - Add Fabiens cmp monitoring script to extras
ECA-6879 - Identification of certificates in REST API
ECA-6890 - Document Wildfly 12 configuration
ECA-6949 - Fix the Jenkins build EJBCA_TRUNK_MARIADB_RHEL64_JBOSSEAP64_OPENJDK8
ECA-7136 - Ensure quality in CAA Validator
ECA-7137 - Ensure quality in REST-API
ECA-7139 - Ensure quality in WS RA-proxying
Improvement
ECA-6090 - Add ability to specify multiple issuers in CAA validator
ECA-6162 - CT log request - optional full hierarchy, full Json request in debug log
ECA-6436 - Ability to set explicit.ecc.publickey.parameters for crypto tokens
ECA-6849 - Simplification of p11 token login (Crypto Token Activation)
ECA-6856 - Use consistent format of library license references
ECA-6863 - Fix easy to fix compiler warnings in Admin GUI classes
ECA-6873 - Improve handling when receiving SCEP getCACaps request for missing CA
ECA-6883 - Refactor X509CAInfo constructors to use build pattern
ECA-6884 - Run Web Tests on windows
ECA-6885 - CMP: add senderKID to responses when they are signed
ECA-6888 - unidfnr.enabled should have a default value
ECA-6892 - Create exhaustive regression tests for ApprovalSessionBean.getRemainingNumberOfApprovals(int)
ECA-6900 - Shift "Contributors" page from ejbca.org into Confluence Documentation
ECA-6905 - ACME draft-12 update: Remove tls-sni-02 and oob-01
ECA-6906 - ACME draft-12 update: Use camelcase instead of dash
ECA-6907 - ACME draft-12 update: New finalize workflow
ECA-6908 - ACME draft-12 update: Update and review all JavaDoc
ECA-6910 - ACME draft-12 update: Remove authz and cert resources "up" Link
ECA-6911 - ACME draft-12 update: newNonce should respond with HTTP 200
ECA-6912 - ACME draft-12 update: Update AcmeAccount creation workflow
ECA-6913 - ACME draft-12 update: Directory meta info should indicate if external account is required
ECA-6914 - ACME draft-12 update: Wildcard certificate issuance
ECA-6915 - ACME draft-12 update: Remove AcmeAuthorization scope
ECA-6916 - ACME draft-12 update: Update AcmeChallenge workflow
ECA-6917 - ACME draft-12 update: Verify response code for wrong content type
ECA-6918 - ACME: AcmeAccount should belong to an AcmeConfiguration
ECA-6920 - ACME persistence: AcmeNonceData
ECA-6922 - ACME draft-06 cleanup: Remove custom JAX-B serialization
ECA-6924 - ACME: Verify certbot compliance
ECA-6926 - ACME: Enable as part of release
ECA-6931 - ACME: Implement the missing calls in RaMasterApi to allow proxy use
ECA-6932 - ACME UI Configuration: GlobalAcmeConfiguration and AcmeConfigurations
ECA-6960 - ACME draft-12 update: Remove authzDeactivate resource "up" Link
ECA-6966 - Info log details when a database upgrade is started
ECA-6977 - Certificate Transparency, add verification of embedded SCTs and upgrade version of google/certificate-transparency-java
ECA-6980 - Remove root certificate from CT submission
ECA-6981 - GUI: Crypto Tokens form usability
ECA-6995 - GUI: End Entities search result revocation usability
ECA-7005 - Small improvement to CT debug logging
ECA-7017 - REST Jackson library unification
ECA-7018 - Add ACME to modular protocols configuration
ECA-7020 - When a CT log returns an error, log at info level instead of debug
ECA-7028 - modify REST enrollKeystore to accept JSON body rather than query parameters
ECA-7036 - Unidfnr data class should have unid as part of protection string.
ECA-7037 - File system property to disable X.509 client cert requirement for Admin GUI
ECA-7041 - Access rule '/cryptotoken/keys/generate/' is required to create CSR for OCSP Key Binding
ECA-7044 - Support Role namespace in EJB CLI
ECA-7045 - Reorganize crypto tokens documentation into a concept and an operational section
ECA-7048 - Adapt new RA API methods to RA API Guidelines
ECA-7049 - Make sure all RA API methods work both locally and remotely, where applicable
ECA-7056 - Create a "CA Overview" page in the documentation
ECA-7081 - Log all CRL parameters used when making a decision to generate a CRL or not
ECA-7087 - improve EJBCA_TRUNK_UNIT_PUPPET jenkins build (or runsa ant target) somehow, so that build error would make the build red
ECA-7091 - Remove Norwegian FNR from log
ECA-7095 - Enable "Don’t allow ROCA weak keys" in CA/B Forum RSA Key Validation Template
ECA-7097 - Merge REST revocation response classes
ECA-7113 - Make the dns resolver and iana root anchor configurable for acme
ECA-7121 - REST - return correct response code from POST and PUT endpoints
ECA-7123 - REST revocationstatus returns 'revoked' for non-existing entries
ECA-7124 - Complete IEjbcaWS JavaDoc for new RA master API calls.
ECA-7129 - Use static json for static swagger REST API documentation
ECA-7131 - SystemTest for REST Certificates search
ECA-7132 - Remove "default" ACME alias
ECA-7134 - Improve REST endpoint Swagger descriptions
ECA-7147 - Use consistent serial number response format in REST API
ECA-7166 - Update the documentation links for the OCSP keybindings page
ECA-7172 - Add new index for searches on AuditRecordData
ECA-7174 - Improve ProfileAndTraceInterceptor to print arguments properly
ECA-7177 - Increase CRL upload size from 60 KB to 250 MB
ECA-7186 - ACME Configuration: Hide EMPTY profile and add info text about Default CA etc.
ECA-7191 - Add request/response logging for REST calls