EJBCA 7.0.0 Release Notes
It's not often that we get to celebrate the emergence of a major release of EJBCA, and this has been a long time coming. World, meet EJBCA 7!
So what's new, you ask? New workflows? VR-based UI? Is everything solved using blockchains, machine learning and quantum cryptography?
Well, we're afraid not. What we have actually done is dig down and replace nearly all of the backing code for the UI, some of which has been around ever since EJBCA's inception back in 2002. Same old trusty EJBCA, but with a newly furnished engine. While this may sound a bit lackluster at first glance, this is the first major beachhead that will allow the PrimeKey team to start making great strides in improving EJBCA's user experience for our customers and their clients. This is not the end, but the start of an exciting new journey.
Technology Leap to JDK8/JEE7
Probably the most impactful change when upgrading to EJBCA 7 is that we're dropping support for JDK7 and, by extension, JEE6-reliant application servers. In essence, this means that from here on the minimum supported application server is JBoss EAP7/Wildfly 10. If your current installation is running on an earlier JDK or application server, we recommend upgrading those first, going through an intermediate release of EJBCA if necessary. The EJBCA Upgrade Guide has detailed instructions for which workflow to follow if this applies to you.
This leap is partly motivated by the end of professional support for JDK7 from Oracle coming this summer, but also because it allows us both to upgrade older libraries (which have long since ceased receiving security updates) and to make use of much of the newer technology which has been developed in the intervening years in order to improve your user experience.
JDK11 Support
While not completely tried and tested yet, we've begun implementing support for JDK11, and have it working in our test environment. For production environments, we recommend sticking to JDK8 for the time being, but for the adventurous among you, we would by all means appreciate any feedback.
Roadmap Update
Deprecating the Public Web and slimming down the CA Web UI
As mentioned above, we're heading into an exciting new era for EJBCA. The time has come for us to finally begin deprecating old functionality, and as we have mentioned before, two primary sections are on the chopping block: RA functionality in the CA Web and the Public Web, with the intent of them being fully replaced by the RA Web. Our goal in the coming months is to replicate the remaining missing features in the RA Web (we're nearly there), and further improve workflows in order to minimize context switching between the UIs, leading to a more natural user experience for EJBCA administrators. Once we feel secure that this is done, we're going to perform a soft drop of the pages (hiding them by default, but still making them available if needed) before dropping them entirely in the long term. If your workflows still rely on those two feature sets, we recommend taking a look at the RA Web.
Appliance Release
EJBCA 7 (or a later minor release) will be included in Appliance version 3.3.0 and is scheduled towards the end of Q1.
Upgrade Information
Read the EJBCA Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 7.0.0, refer to our JIRA Issue Tracker.
Issues Resolved in 7.0.0
New Features
ECA-3076 - Detect and audit log when an administrator logs out of the CA Web UI
ECA-6777 - Create new DB column for storing CSR in CertificateData
ECA-7225 - Note in approvals that values have been changed from the default
ECA-7256 - Allow the creation of unenrolled EEs from the RA Web
ECA-7339 - PSD2 ASN.1 module and API code
ECA-7383 - Core API support for multi-value RDN and End Entity Profile validation of multi-value RDNs
ECA-7401 - Implement ConfigDump export for MultiGroupPublisher
ECA-7413 - Add SHA384withRSAandMGF1 and SHA512withRSAandMGF1 to the list of selectable signature algorithms
ECA-7414 - Make EJBCA build with Java 11
ECA-7419 - Can't paste ACME root anchor with tabs
ECA-7440 - Configdump exports parts of ACME configuration even if excluded
ECA-7444 - User Data Source access control does not let superadmins select "Any CA"
ECA-7470 - Possibility to add array values in edit CA CLI
ECA-7539 - Add subcommand to clientToolBox to interact with database over pure JDBC
ECA-7556 - ClientToolBox command for running a health check
ECA-7562 - Add WS CLI method to get remaining number of approvals
ECA-7586 - Implement a session timeout from the CA Web UI
Improvements
ECA-3724 - Convert Certificate Profiles pages to JSF
ECA-4348 - Remove remaining NetID integration code
ECA-4377 - CertTools.isCertificateValid logging refers to OCSP.
ECA-4630 - Convert Edit End Entity Profile page to JSF
ECA-5804 - Make ApprovalSessionTest less timing sensitive
ECA-5851 - Convert Certificate Authority pages to JSF
ECA-5932 - Upgrade bundled Hibernate jars
ECA-6210 - Stop using Ejb3Configuration in DatabaseSchemaScriptCommand
ECA-6801 - Convert EJBCA Home page to JSF
ECA-6802 - Convert CA Activation Page to JSF
ECA-6803 - Convert CA Structure & CRLs page to JSF
ECA-6804 - Convert Edit Crypto Tokens page to XHTML
ECA-6805 - Convert Manage Crypto Tokens page to XHTML
ECA-6806 - Convert Manage Publishers page to JSF
ECA-6807 - Convert Edit Publishers page to JSF
ECA-6808 - Convert Manage End Entity Profiles page to JSF
ECA-6810 - Convert Manage User Data Sources page to JSF
ECA-6811 - Convert Edit User Data Source page to JSF
ECA-6812 - Convert Manage Hard Token Issuers page to JSF
ECA-6813 - Convert Edit Hard Token Issuers page to JSF
ECA-6816 - Convert Manage Approval Profiles page to XHTML
ECA-6817 - Convert Edit Approval Profile page to XHTML
ECA-6818 - Convert Audit Log page to XHTML
ECA-6819 - Convert Manage Keybindings page to XHTML
ECA-6820 - Convert Edit Keybindings page to XHTML
ECA-6821 - Convert Manage Peer Connectors page to XHTML
ECA-6822 - Convert Edit Peer Connectors page to XHTML
ECA-6824 - Convert Manage Services page to XHTML
ECA-6825 - Convert Edit Services page to XHTML
ECA-6826 - Convert Manage CMP Aliases page to JSF
ECA-6827 - Convert Edit CMP Alias page to JSF
ECA-6828 - Convert Manage EST Aliases page to JSF
ECA-6829 - Convert Edit EST Alias page to JSF
ECA-6830 - Convert Manage SCEP aliases page to XHTML
ECA-6831 - Convert Manage SCEP alias page to XHTML
ECA-6832 - Convert System Configuration page to XHTML
ECA-6833 - Convert Preferences page to JSF
ECA-7263 - Remove "Administration" title from CA UI
ECA-7276 - Database CLI import from XML format
ECA-7284 - Fix broken web tests for JSF conversion
ECA-7289 - Improvements to Certificate Transparency section in certificate profiles
ECA-7292 - Add proper error handling for JSF
ECA-7298 - EJBCA CLI's "Merge CA Tokens" leaves unused crypto tokens behind
ECA-7312 - Increase initial size of ProtectionStringBuilder for Certificate Profiles to avoid unnecessary warnings in debug log
ECA-7313 - Change mime type for CRLs from application/x-x509-crl to application/pkix-crl as defined in RFC5280
ECA-7314 - Implement "Custom Certificate Extension Data" field for RA enrollment
ECA-7315 - findCertificatesByExpireTime API calls, CLI and RA UI, should not return already expired certificates
ECA-7317 - SCEP error messages when CA can not be found are not complete
ECA-7325 - Extend tests for Custom Certificate Extensions
ECA-7327 - Convert viewcainfo.jsp and viewcertificate.jsp popUps to jsf
ECA-7334 - Review End Entity Profiles UI Tests
ECA-7343 - Refactor org.ejbca.webtest.helper.CaHelper
ECA-7344 - Refactor org.ejbca.webtest.helper.AdminRolesHelper
ECA-7348 - Introduce a CaStructureHelper for UI tests
ECA-7355 - Review Convert CA Structure & CRLs UI tests
ECA-7356 - Introduce an ApprovalProfilesHelper for UI tests
ECA-7357 - Review Approval Profiles UI tests
ECA-7362 - Review Administrator Roles UI Tests
ECA-7365 - Add a Jenkins job for EJBCA UI Tests
ECA-7367 - Acme must be in status unavailable under System Configuration (community edition)
ECA-7371 - Usage of sun.security.pkcs11 is not allowed when compiling in Java 11
ECA-7375 - Crypto Tokens page messages are displayed twice.
ECA-7380 - Missing space between 'Title' and '?' in Manage Crypto Tokens page
ECA-7421 - configdump module's unit tests are not collected by Jenkins unit tests job 'EJBCA_TRUNK_UNIT_PUPPET'
ECA-7423 - Failing tests of org.ejbca.configdump.core.ConfigdumpCoreUnitTest
ECA-7437 - Clean up unused imports, parameterize, remove unused variables etc.
ECA-7456 - VendorAuthenticationTest.test01_3GPPMode depends on server time zone
ECA-7471 - Allow system tests to run with EJBCA not on localhost
ECA-7491 - Use relative URLs in AdminGUI
ECA-7492 - Fun refactoring task - WebLanguages class uses property arrays, but should be remade in more OOP way
ECA-7508 - EJBCA-CLI: Do not add duplicate role members
ECA-7514 - Fix failing tests in EjbcaRestHelperUnitTest
ECA-7518 - Allow tests to run with TLS certificates not issued by ManagementCA
ECA-7522 - Add proper configuration to jenkins-files/*/conf/
ECA-7527 - Investigate and fix ACME failing tests in trunk
ECA-7530 - Convert ACME Configuration page to xhtml
ECA-7531 - Convert ACME Alias Configuration page to xhtml
ECA-7532 - Add Deviation List Signer Extended Key Usage
ECA-7537 - Simplify and improve configuration of CMP tests
ECA-7541 - Change CT log policy labels to not use mathematical symbols
ECA-7546 - Make API and log use of requestID and approvalID consistent and easier to understand
ECA-7547 - Allow OCSP KeyBinding certificate without Key Usage
ECA-7555 - Acme SystemTest(s) failure for 6.15X EJBCA_TRUNK_DB2V105_UBUNTU1204_JBOSSEAP61_PUPPET jenkins job
ECA-7557 - Fix failing CMP TCP system tests
ECA-7563 - Separate out EjbcaWSTest.test02FindUser into its own test class
ECA-7566 - EjbcaWS.findUser() does not work for subjectEmail
ECA-7567 - Allow browser binary to be configured for Web Tests
ECA-7573 - Improve error handling and remove dead code in AdminWeb
ECA-7574 - Convert Approval Actions page to XHTML
ECA-7575 - Convert Approval Action page to XHTML
ECA-7576 - Clarifications in the Multi Group Publisher documentation
ECA-7579 - Editing EE functionality in RA Web is hidden behind the View-button
ECA-7594 - fun refactoring task: ViewCertificateManagedBean parseRequest method needs the button control logic refactored out into their own methods
ECA-7604 - Get rid of PublisherDataHandler class
ECA-7605 - Fix admin-gui build.xml
ECA-7609 - Clear hibernate cache in ejbca-db-cli to avoid high memory usage
ECA-7612 - VendorAuthenticationTest test case fail in Jenkins
ECA-7614 - Implement ECAQA-196 test scenario.
ECA-7616 - Code refactoring in MultiGroup Publisher Data class.
ECA-7625 - Stop using System.lineSeparator, except for writing to files or pipes
ECA-7634 - ACME test improvements
ECA-7636 - Update system requirements in documentation
ECA-7642 - WebEjbcaClearCacheTest should be skipped if not running on localhost
ECA-7643 - EjbcaWSTest should not use hardcoded "superadmin" user
ECA-7644 - EJBCA ziprelease should not include scripts from jenkins-files
ECA-7645 - CrmfRAPbeRequestTest fails on community edition
ECA-7648 - EE_COS7_OpenJDK8_WF10_NOHSM_DB2 job failure
ECA-7649 - POC Automate profiles installation for Firefox
ECA-7650 - Ability to upload CT log key in raw B64 format
ECA-7654 - Update '© 2002–2018 PrimeKey Solutions AB' to 2019
ECA-7658 - Use white-list instead of black-list of allowed HTTP methods in web.xml
ECA-7679 - PeerConnectionsTest uses TLSv1, but should use TLSv1.2
ECA-7680 - PatternLoggers should check if log level is enabled before doing work
ECA-7682 - PeerConnectionsTest.testPublishCertificate should inform about prerequisite in failure message
ECA-7684 - Typo in error message on 'View Certificate' page
ECA-7689 - Update web.xml to Servlet 3.1 use correct JSF 2.2 schema in faces-config.xml
ECA-7692 - Add CSRs for unit testing the RSA Key Validator
ECA-7694 - Modify application.xml to reflect new JEE7 version
ECA-7696 - Add method to get filename from uploaded file
ECA-7701 - Upgrade persistence.xml to JEE7
ECA-7705 - AutoEnrollment Documentation Improvement
ECA-7707 - HttpMethodsTest.testDocs should not fail if internal docs are not used
ECA-7738 - JDK11 Compliance: Patch CESeCore with provider fix from DSSINTER-289
ECA-7740 - Simplify ant build scripts to cut build time
ECA-7755 - The copyright year should be updated to include 2019
ECA-7761 - Minor security improvement
Bug Fixes
ECA-6865 - Failure to publish to a Peer Publisher gives no error message in log in some cases
ECA-7013 - RA Style is deselected while modifying access rules
ECA-7269 - Regression: JSF errors on JBoss AS 7.1.1
ECA-7273 - Certificate profiles appear to be (but aren't) editable for an Auditor
ECA-7282 - Poor error message for incorrectly formatted CT public keys: "Extra Data Detected in Stream"
ECA-7285 - Add HEAD request for the endpoint revokeCert
ECA-7286 - Fix NPE which happens when de-registering account with certbot
ECA-7326 - Bound Certificate under Internal Key Binding is displayed wrongly
ECA-7329 - NPE when you click on 'Republish' button on View Certificate page under Authentication Key Binding
ECA-7332 - OCSP Extensions configurations is applied to the newly created ones
ECA-7338 - Regression: clearPwd flag on WS editUser does not work
ECA-7342 - Check for legal characters is not working for some pages
ECA-7366 - dncomponents.properties.sample order of organizationIdentifier differs from default in DnComponents.java
ECA-7370 - ServiceManifestBuilder does not run with Java 11
ECA-7378 - PublicWeb check certificate status only works with 8 octet cert serialNumber
ECA-7379 - Regression: throwing checked Exceptions from postConstruct is not allowed in JEE spec
ECA-7404 - CA Activation backlink broken
ECA-7433 - Dry-run parameter not respected when importing validators using Statedump
ECA-7434 - Add modular protocol configuration to Statedump
ECA-7438 - NullPointerException in some Adminweb pages if External Script Access is disabled and you have Custom Publishers
ECA-7443 - CAs and Fields in User Data Sources are stored as strings, causing ClassCastException
ECA-7445 - Missing exclude option for Validators in Statedump
ECA-7460 - NPE when importing a CA where a previous certificate exists without expireDate
ECA-7480 - When creating an EndEntity in RA Web and delete_end_entity accessrule is disabled, the process ends incorrectly with success but end entity is not created
ECA-7499 - java.lang.IllegalStateException when using browser back/forward button
ECA-7500 - Certificate Request Generated despite choosing the wrong format
ECA-7511 - EjbcaWSHelperSessionBean.caRenewCertRequest lacks a null check
ECA-7516 - Investigate and fix duplicate ID exception in editservice.xhtml
ECA-7523 - Test failures in ProtocolOcspHttpTest due to missing cleanup
ECA-7524 - Regression: HttpMethodsTest fail because of unexpected HTTP header value
ECA-7525 - Domestic / Non-external CVCA/DVCA do not have the expiration field set
ECA-7529 - OcspExtensionsTest fails on community edition
ECA-7533 - Fix WS documentation for isApproved and getRemainingNumberOfApprovals
ECA-7534 - DnFieldDumpHandler missing DnFieldExtractor.URI in Map.
ECA-7535 - Regression: Upgrade of customcertextensions.properties fails
ECA-7536 - CertificateCrlReaderSystemTest fails on Windows
ECA-7540 - Importing a CVCA certificate with error triggers CSRF error
ECA-7543 - CertSafePublisherTest fails on Windows due to line endings
ECA-7544 - Fix UpgradePublisherTest
ECA-7550 - Missing label and fields cleared erroneously in Edit Services page
ECA-7552 - StatedumpTest should use systemtests.properties
ECA-7558 - Admin Web returns redundant security headers
ECA-7568 - OCSP unauthorized (6) error adds blank line to OCSP transaction log
ECA-7572 - Publisher queue status on home page looks weird since JSF conversion
ECA-7583 - Regression: Errors when creating a CA are not handled
ECA-7584 - USERAUTH fail when publishing with the SCP Publisher
ECA-7587 - Fix NPE when exception lacks an error message
ECA-7591 - Configdump CA is missing support for getLatestSubjectDN
ECA-7595 - UpgradeSessionBeanTest.testUpgradeOcspExtensions6120 fails intermittently
ECA-7599 - AcmeConfigurationAndValidationSystemTest.leaveRevocationReasonUnchanged fails intermittently
ECA-7611 - Fix validity field in Edit CA page
ECA-7613 - CertificateCrlReaderSystemTest fails intermittently
ECA-7615 - Multigroup publisher errors handled incorrectly after conversion
ECA-7624 - Fix ConfigdumpValidatorUnitTest and YamlWriterUnitTest
ECA-7628 - configdump change causes test build failure in CE
ECA-7631 - Typo in Error message
ECA-7632 - RA Web enrollment, End entity removed if finishUser is unchecked in the CA
ECA-7647 - 'Receive Certificate Response' does not work for Externally signed CA
ECA-7662 - SecurityEvents*SessionBeanTest fails on H2 due to use of ORDER in DELETE
ECA-7663 - CertificateRetrievalTest.test09FindWithMissingCertData assumes database.useSeparateCertificateTable=false
ECA-7665 - OutgoingPeerConnectionTest fails intermittently
ECA-7667 - Invalid single quotes in language file
ECA-7669 - The certificate link of an 'EJBCA Node Start' row in the Audit Log does not work
ECA-7676 - Nullcheck would have been NPE in BlacklistEntry
ECA-7677 - PeerConnectionsTest is missing slf4j runtime dependency
ECA-7697 - Regression: Default 'RA-Administrator' and 'Supervisor' roles get 'Authorization Denied Cause: You are not authorized to view this page.'
ECA-7698 - Update example URL for external documentation
ECA-7699 - Can't access Admin web index page without /ca_functionality/view_ca access
ECA-7712 - Cannot save end entity profile where End Entity E-mail is disabled
ECA-7715 - Regression: Peer connectors cached in browser session not updated when cloning
ECA-7716 - Replace invalid double quotes in language files
ECA-7721 - Regression: CMP RA Name Generation Scheme doesn't use language strings anymore
ECA-7723 - Can't check "Critical" checkboxes on Edit CA page
ECA-7726 - Non-informative error message on Edit EST Aliases page
ECA-7730 - Clicking Logout in Adminweb gives NumberFormatException
ECA-7735 - Cloning a peer connector does not clone the flag for process incoming requests
ECA-7737 - Certificate of type "Sub CA" can't be published
ECA-7741 - Update tag library schemas for JEE7 in AdminWeb
ECA-7742 - CAA Validator fails DNSSEC validation for CH domains
ECA-7760 - ScpPublisher: Destination URL for certificates saved as crl.scp.destination and vice versa
ECA-7767 - Configdump validator export can fail with NPE
ECA-7769 - Fix warnings from DB CLI
Tasks
ECA-6864 - Set up a Jenkins instance to test JDK8/Wildfly10 using Docker
ECA-7261 - Map which ECAQA automatic tests need to be remapped
ECA-7275 - Test ACME wildcard cert issuance and pre-authorization with certbot.
ECA-7331 - Verify if Swagger UI works for ACME API. If it does, add documentation to confluence. If not, hide the ACME part from swaggerUI
ECA-7545 - New Docker job on Jenkins - EE_COS7_OpenJDK8_WF10_NOHSM_DB2
ECA-7551 - Exploratory testing on CMP configuration page
ECA-7695 - Update persistence.xml and orm-dbtype.xml to reflect JEE7 version
ECA-7763 - Test upgrade from 6.15.0 to 7.0.0
ECA-7768 - Update readme with license information for Hibernate jars