EJBCA 7.0.0 Release Notes

It's not often that we get to celebrate the emergence of a major release of EJBCA, and this has been a long time coming. World, meet EJBCA 7!

So what's new you ask? New workflows? VR based UI? Is everything solved using blockchains, machine learning and quantum cryptography?

Well, we're afraid not. What we actually have done is dug down and replaced nearly all of the backing code for the UI, some of which has been around ever since EJBCA's inception back in 2002. Same old trusty EJBCA, but with a newly furnished engine. While this may sound a bit lackluster at first glance, this is the first major beachhead that will allow the PrimeKey team to start making great strides in improving EJBCA's user experience for our customers and their clients. This is not the end, but the start of an exciting new journey.

Technology Leap to JDK8/JEE7

Probably the most impactful change of upgrading to EJBCA 7 is that we're dropping support of JDK7, and by extension JEE6 reliant application servers. In essence, from here on in that means that the minimum supported application server is JBoss EAP7/Wildfly 10. If your current installation is running on an earlier JDK or application server we recommend upgrading those first, going through an intermediate release of EJBCA if necessary. The EJBCA Upgrade Guide has detailed instructions for which workflow to follow if this applies to you. 

This leap is partly motivated by the end of professional support for JDK7 from Oracle coming this summer, but also because it both allows us to upgrade older libraries (which have long since ceased receiving security updates) and to be able to make use of much of the newer technology which has been developed in the intervening years in order to improve your user experience. 

JDK11 Support

While not completely tried and tested yet, we've begun implementing support for JDK11, and have it working in our test environment. For production environments, we recommend sticking to JDK8 for the time being, but for the adventurous among you, we would by all means appreciate any feedback. 

Roadmap Update

Deprecating the Public Web and slimming down the CA Web UI

As mentioned above, we're heading into an exciting new era for EJBCA. The time has come for us to finally begin deprecating old functionality, and as we have mentioned before, two primary sections are on the chopping block: RA functionality in the CA Web and the Public Web, with the intent of them being fully replaced by the RA Web. Our goal in the coming months is to replicate the remaining missing features in the RA Web (we're nearly there), and further improve workflows in order to minimize context switching between the UIs, leading to a more natural user experience for EJBCA administrators. Once we feel secure that this is done we're going to perform a soft drop of the pages (hiding them by default, but still making them available if needed) before dropping them entirely in the long term. If your workflows still rely on those two feature sets, we recommend taking a look at the RA Web. 

Appliance Release

EJBCA 7 (or a later minor release) will be included in Appliance version 3.3.0 and is scheduled towards the end of Q1. 

Upgrade Information

Read the EJBCA Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.0.0, refer to our JIRA Issue Tracker.

Issues Resolved in 7.0.0

Released on February 7th 2019

New Features

ECA-3076 - Detect and audit log when an administrator logs out of the CA Web UI

ECA-6777 - Create new DB column for storing CSR in CertificateData

ECA-7225 - Note in approvals that values have been changed from the default

ECA-7256 - Allow the creation of unenrolled EEs from the RA Web

ECA-7339 - PSD2 ASN.1 module and API code

ECA-7383 - Core API support for multi-value RDN and End Entity Profile validation of multi-value RDNs

ECA-7401 - Implement ConfigDump export for MultiGroupPublisher

ECA-7413 - Add SHA348withRSAandMGF1 and SHA512withRSAandMGF1 to the list of selectable signature algorithms

ECA-7414 - Make EJBCA build with Java 11

ECA-7419 - Can't paste ACME root anchor with tabs

ECA-7440 - Configdump exports parts of ACME configuration even if excluded

ECA-7444 - User Data Source access control does not let superadmins select "Any CA"

ECA-7470 - Possibility to add array values in edit CA CLI

ECA-7539 - Add subcommand to clientToolBox to interact with database over pure JDBC

ECA-7556 - ClientToolBox command for running a health check

ECA-7562 - Add WS CLI method to get remaining number of approvals

ECA-7586 - Implement a session timeout from the CA Web UI

Improvements

ECA-3724 - Convert Certificate Profiles pages to JSF

ECA-4348 - Remove remaining NetID integration code

ECA-4377 - CertTools.isCertificateValid logging refers to OCSP.

ECA-4630 - Convert Edit End Entity Profile page to JSF

ECA-5804 - Make ApprovalSessionTest less timing sensetive

ECA-5851 - Convert Certificate Authority pages to JSF

ECA-5932 - Upgrade bundled Hibernate jars

ECA-6210 - Stop using Ejb3Configuration in DatabaseSchemaScriptCommand

ECA-6801 - Convert EJBCA Home page to JSF

ECA-6802 - Convert CA Activation Page to JSF

ECA-6803 - Convert CA Structure & CRLs page to JSF

ECA-6804 - Convert Edit Crypto Tokens page to XHTML

ECA-6805 - Convert Manage Crypto Tokens page to XHTML

ECA-6806 - Convert Manage Publishers page to JSF

ECA-6807 - Convert Edit Publishers page to JSF

ECA-6808 - Convert Manage End Entity Profiles page to JSF

ECA-6810 - Convert Manage User Data Sources page to JSF

ECA-6811 - Convert Edit User Data Source page to JSF

ECA-6812 - Convert Manage Hard Token Issuers page to JSF

ECA-6813 - Convert Edit Hard Token Issuers page to JSF

ECA-6816 - Convert Manage Approval Profiles page to XHTML

ECA-6817 - Convert Edit Approval Profile page to XHTML

ECA-6818 - Convert Audit Log page to XHTML

ECA-6819 - Convert Manage Keybindings page to XHTML

ECA-6820 - Convert Edit Keybindings page to XHTML

ECA-6821 - Convert Manage Peer Connectors page to XHTML

ECA-6822 - Convert Edit Peer Connectors page to XHTML

ECA-6824 - Convert Manage Services page to XHTML

ECA-6825 - Convert Edit Services page to XHTML

ECA-6826 - Convert Manage CMP Aliases page to JSF

ECA-6827 - Convert Edit CMP Alias page to JSF

ECA-6828 - Convert Manage EST Aliases page to JSF

ECA-6829 - Convert Edit EST Alias page to JSF

ECA-6830 - Convert Manage SCEP aliases page to XHTML

ECA-6831 - Convert Manage SCEP alias page to XHTML

ECA-6832 - Convert System Configuration page to XHTML

ECA-6833 - Convert Preferences page to JSF

ECA-7263 - Remove "Administration" title from CA UI

ECA-7276 - Database CLI import from XML format

ECA-7284 - Fix broken web tests for JSF conversion

ECA-7289 - Improvements to Certificate Transparency section in certificate profiles

ECA-7292 - Add proper error handling for JSF

ECA-7298 - EJBCA CLI's "Merge CA Tokens" leaves unused crypto tokens behind

ECA-7312 - Increase initial size of ProtectionStringBuilder for Certificate Profiles to avoid unessecary warnings in debug log

ECA-7313 - Change mime type for CRLs from application/x-x509-crl to application/pkix-crl as defined in RFC5280

ECA-7314 - Implement "Custom Certificate Extension Data" field for RA enrollment

ECA-7315 - findCertificatesByExpireTime API calls, CLI and RA UI, should not return already expired certificates

ECA-7317 - SCEP error messages when CA can not be found are not complete

ECA-7325 - Extend tests for Custom Certificate Extensions

ECA-7327 - Convert viewcainfo.jsp and viewcertificate.jsp popUps to jsf

ECA-7334 - Review End Entity Profiles UI Tests

ECA-7343 - Refactor org.ejbca.webtest.helper.CaHelper

ECA-7344 - Refactor org.ejbca.webtest.helper.AdminRolesHelper

ECA-7348 - Introduce a CaStructureHelper for UI tests

ECA-7355 - Review Convert CA Structure & CRLs UI tests

ECA-7356 - Introduce an ApprovalProfilesHelper for UI tests

ECA-7357 - Review Approval Profiles UI tests

ECA-7362 - Review Administrator Roles UI Tests

ECA-7365 - Add a Jenkins job for EJBCA UI Tests

ECA-7367 - Acme must be in status unavailable under System Configuration (community edition)

ECA-7371 - Usage of sun.security.pkcs11 is not allowed when compiling in Java 11

ECA-7375 - Crypto Tokens page messages are displayed twice.

ECA-7380 - Missing space between 'Title' and '?' in Manage Crypto Tokens page

ECA-7421 - configdump module's unit tests are not collected by Jenkins unit tests job 'EJBCA_TRUNK_UNIT_PUPPET'

ECA-7423 - Failing tests of org.ejbca.configdump.core.ConfigdumpCoreUnitTest

ECA-7437 - Clean up unused imports, parameterize, remove unused variables ect.

ECA-7456 - VendorAuthenticationTest.test01_3GPPMode depends on server time zone

ECA-7471 - Allow system tests to run with EJBCA not on localhost

ECA-7491 - Use relative URLs in AdminGUI

ECA-7492 - Fun refactoring task - WebLanguages class uses property arrays, but should be remade in more OOP way

ECA-7508 - EJBCA-CLI: Do not add duplicate role members

ECA-7514 - Fix failing tests in EjbcaRestHelperUnitTest

ECA-7518 - Allow tests to run with TLS certificates not issued by ManagementCA

ECA-7522 - Add proper configuration to jenkins-files/*/conf/

ECA-7527 - Investigate and fix ACME failing tests in trunk

ECA-7530 - Convert ACME Configuration page to xhtml

ECA-7531 - Convert ACME Alias Configuration page to xhtml

ECA-7532 - Add Deviation List Signer Extended Key Usage

ECA-7537 - Simplify and improve configuration of CMP tests

ECA-7541 - Change CT log policy labels to not use mathematical symbols

ECA-7546 - Make API and log use of requestID and approvalID consistent and easier to understand

ECA-7547 - Allow OCSP KeyBinding certificate without Key Usage

ECA-7555 - Acme SystemTest(s) failure for 6.15X EJBCA_TRUNK_DB2V105_UBUNTU1204_JBOSSEAP61_PUPPET jenkins job

ECA-7557 - Fix failing CMP TCP system tests

ECA-7563 - Separate out EjbcaWSTest.test02FindUser into its own test class

ECA-7566 - EjbcaWS.findUser() does not work for subjectEmail

ECA-7567 - Allow browser binary to be configured for Web Tests

ECA-7573 - Improve error handling and remove dead code in AdminWeb

ECA-7574 - Convert Approval Actions page to XHTML

ECA-7575 - Convert Approval Action page to XHTML

ECA-7576 - Clarifications in the Multi Group Publisher documentation

ECA-7579 - Editing EE functionality in RA Web is hidden behind the View-button

ECA-7594 - fun refactoring task: ViewCertificateManagedBean parseRequest method needs the button control logic refactored out into their own methods

ECA-7604 - Get rid of PublisherDataHandler class

ECA-7605 - Fix admin-gui build.xml

ECA-7609 - Clear hibernate cache in ejbca-db-cli to avoid high memory usage

ECA-7612 - VendorAuthenticationTest test case fail in Jenkins

ECA-7614 - Implement ECAQA-196 test scenario.

ECA-7616 - Code refactoring in MultiGroup Publisher Data class.

ECA-7625 - Stop using System.lineSeparator, except for writing to files or pipes

ECA-7634 - ACME test improvements

ECA-7636 - Update system requirements in documentation

ECA-7642 - WebEjbcaClearCacheTest should be skipped if not running on localhost

ECA-7643 - EjbcaWSTest should not use hardcoded "superadmin" user

ECA-7644 - EJBCA ziprelease should not include scripts from jenkins-files

ECA-7645 - CrmfRAPbeRequestTest fails on community edition

ECA-7648 - EE_COS7_OpenJDK8_WF10_NOHSM_DB2 job failure

ECA-7649 - POC Automate profiles installation for Firefox

ECA-7650 - Ability to upload CT log key in raw B64 format

ECA-7654 - Update '© 2002–2018 PrimeKey Solutions AB' to 2019

ECA-7658 - Use white-list instead of black-list of allowed HTTP methods in web.xml

ECA-7679 - PeerConnectionsTest uses TLSv1, but should use TLSv1.2

ECA-7680 - PatternLoggers should check if log level is enabled before doing work

ECA-7682 - PeerConnectionsTest.testPublishCertificate should inform about prerequisite in failure message

ECA-7684 - Typo in error message on 'View Certificate' page

ECA-7689 - Update web.xml to Servlet 3.1 use correct JSF 2.2 schema in faces-config.xml

ECA-7692 - Add CSRs for unit testing the RSA Key Validator

ECA-7694 - Modify application.xml to reflect new JEE7 version

ECA-7696 - Add method to get filename from uploaded file

ECA-7701 - Upgrade persistence.xml to JEE7

ECA-7705 - AutoEnrollment Documentation Improvement

ECA-7707 - HttpMethodsTest.testDocs should not fail if internal docs are not used

ECA-7738 - JDK11 Compliance: Patch CESeCore with provider fix from DSSINTER-289

ECA-7740 - Simplify ant build scripts to cut build time

ECA-7755 - The copyright year should be updated to include 2019

ECA-7761 - Minor security improvement

Bug Fixes

ECA-6865 - Failure to publish to a Peer Publisher gives no error message in log in some cases

ECA-7013 - RA Style is deselected while modifying access rules

ECA-7269 - Regression: JSF errors on JBoss AS 7.1.1

ECA-7273 - Certificate profiles appear to be (but aren't) editable for an Auditor

ECA-7282 - Poor error message for incorrectly formatted CT public keys: "Extra Data Detected in Stream"

ECA-7285 - Add HEAD request for the endpoint revokeCert

ECA-7286 - Fix NPE which happens when de-registering account with certbot

ECA-7326 - Bound Certificate under Internal Key Binding is displayed wrongly

ECA-7329 - NPE when you click on 'Republish' button on View Certificate page under Authentication Key Binding

ECA-7332 - OCSP Extensions configurations is applied to the newly created ones

ECA-7338 - Regression: clearPwd flag on WS editUser does not work

ECA-7342 - Check for legal characters is not working for some pages

ECA-7366 - dncomponents.properties.sample order of orgaizationIdentifier differs from default in DnCompoonents.java

ECA-7370 - ServiceManifestBuilder does not run with Java 11

ECA-7378 - PublicWeb check certificate status inly works with 8 octet cert serialNumber

ECA-7379 - Regression: throwing checked Exceptions from postConstruct is not allowed in JEE spec

ECA-7404 - CA Activation backlink broken

ECA-7433 - Dry-run parameter not respected when importing validators using Statedump

ECA-7434 - Add modular protocol configuration to Statedump

ECA-7438 - NullPointerException in some Adminweb pages if External Script Access is disabled and you have Custom Publishers

ECA-7443 - CAs and Fields in User Data Sources are stored as strings, causing ClassCastException

ECA-7445 - Missing exclude option for Validators in Statedump

ECA-7460 - NPE when importing a CA where a previous certificate exists without expireDate

ECA-7480 - When creating an EndEntity in RA Web and delete_end_entity accessrule is disabled, the process ends incorrectly with success but end entity is not created

ECA-7499 - java.lang.IllegalStateException when using browser back/forward button

ECA-7500 - Certificate Request Generated despite choosing the wrong format

ECA-7511 - EjbcaWSHelperSessionBean.caRenewCertRequest lacks an null check

ECA-7516 - Investigate and fix duplicate ID exception in editservice.xhtml

ECA-7523 - Test failures in ProtocolOcspHttpTest due do missing cleanup

ECA-7524 - Regression: HttpMethodsTest fail because of unexpected HTTP header value

ECA-7525 - Domestic / Non-external CVCA/DVCA do not have the expiration field set

ECA-7529 - OcspExtensionsTest fails on community edition

ECA-7533 - Fix WS documentation for isApproved and getRemainingNumberOfApprovals

ECA-7534 - DnFieldDumpHandler missing DnFieldExtractor.URI in Map.

ECA-7535 - Regression: Upgrade of customcertextensions.properties fails

ECA-7536 - CertificateCrlReaderSystemTest fails on Windows

ECA-7540 - Importing a CVCA certificate with error triggers CSRF error

ECA-7543 - CertSafePublisherTest fails on Windows due to line endings

ECA-7544 - Fix UpgradePublisherTest

ECA-7550 - Missing label and fields cleared erroneously in Edit Services page

ECA-7552 - StatedumpTest should use systemtests.properties

ECA-7558 - Admin Web returns redundant security headers

ECA-7568 - OCSP unathorized (6) error adds blank line to OCSP transaction log

ECA-7572 - Publisher queue status on home page looks weird since JSF conversion

ECA-7583 - Regression: Errors when creating a CA are not handled

ECA-7584 - USERAUTH fail when publishing with the SCP Publisher

ECA-7587 - Fix NPE when exception lacks an error message

ECA-7591 - Configdump CA is missing support for getLatestSubjectDN

ECA-7595 - UpgradeSessionBeanTest.testUpgradeOcspExtensions6120 fails intermittently

ECA-7599 - AcmeConfigurationAndValidationSystemTest.leaveRevocationReasonUnchanged fails intermittently

ECA-7611 - Fix validity field in Edit CA page

ECA-7613 - CertificateCrlReaderSystemTest fails intermittently

ECA-7615 - Multigroup publisher errors handled incorrectly after conversion

ECA-7624 - Fix ConfigdumpValidatorUnitTest and YamlWriterUnitTest

ECA-7628 - configdump change causes test build failure in CE

ECA-7631 - Typo in Error message

ECA-7632 - RA Web enrollment, End entity removed if finishUser is unchecked in the CA

ECA-7647 - 'Receive Certificate Response' does not work for Externally signed CA

ECA-7662 - SecurityEvents*SessionBeanTest fails on H2 dues to use of ORDER in DELETE

ECA-7663 - CertificateRetrievalTest.test09FindWithMissingCertData assumes database.useSeparateCertificateTable=false

ECA-7665 - OutgoingPeerConnectionTest fails intermittently

ECA-7667 - Invalid single quotes in language file

ECA-7669 - The certificate link of an 'EJBCA Node Start' row in the Audit Log does not work

ECA-7676 - Nullcheck would have been NPE in BlacklistEntry

ECA-7677 - PeerConnectionsTest is missing slf4j runtime dependency

ECA-7697 - Regression: Default 'RA-Administrator' and 'Supervisor' roles gets 'Authorization Denied Cause: You are not authorized to view this page.'

ECA-7698 - Update example URL for external documentation

ECA-7699 - Can't access Admin web index page without /ca_functionality/view_ca access

ECA-7712 - Cannot save end entity profile where End Entity E-mail is disabled

ECA-7715 - Regression: Peer connectors cached in browser session not updated when cloning

ECA-7716 - Replace invalid double quotes in language files

ECA-7721 - Regression: CMP RA Name Generation Scheme don't use language strings anymore

ECA-7723 - Can't check "Critical" checkboxes on Edit CA page

ECA-7726 - Non-informative error message on Edit EST Aliases page

ECA-7730 - Clicking Logout in Adminweb gives NumberFormatException

ECA-7735 - Cloning a peer connector does not clone the flag for process incoming requests

ECA-7737 - Certificate of type "Sub CA" can't be published

ECA-7741 - Update tag library schemas for JEE7 in AdminWeb

ECA-7742 - CAA Validator fails DNSSEC validation for CH domains

ECA-7760 - ScpPublisher: Destination URL for certificates saved as crl.scp.destination and vice versa

ECA-7767 - Configdump validator export can fail with NPE

ECA-7769 - Fix warnings from DB CLI

Tasks

ECA-6864 - Set up a Jenkins instance to test JDK8/Wildfly10 using Docker

ECA-7261 - Map which ECAQA automatic tests which need to be remapped

ECA-7275 - Test ACME wildcard cert issuance and pre-authorization with certbot.

ECA-7331 - Verify if Swagger UI for works for ACME API. If it does, add documentation to confluence. If not, hide the ACME part from swaggerUI

ECA-7545 - New Docker job on Jenkins - EE_COS7_OpenJDK8_WF10_NOHSM_DB2

ECA-7551 - Exploratory testing on CMP configuration page

ECA-7695 - Update persistence.xml and orm-dbtype.xml to reflect JEE7 version

ECA-7763 - Test upgrade from 6.15.0 to 7.0.0

ECA-7768 - Update readme with license information for Hibernate jars