EJBCA 6.2 Upgrade Notes
EJBCA 6.2.x to EJBCA 6.2.8
The following lists important notes on upgrading to EJBCA 6.2.x versions:
For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
For details of the new features and improvements in the releases, see the EJBCA Release Notes.
EJBCA 6.2.7 to EJBCA 6.2.8
A very minor change has been made to how the "EMPTY" (default) End Entity Profile is handled. Previous versions required root access (access to "/" in the admin rules tree) to use this profile, but since we since a few versions back generate rights for this profile like any other, those are now used instead.
The signature of OCSP responses are only verified for the first created response per issuer after a OCSP signer cache reload. Previously we always checked each response. (This is intended to detect failing HSMs. The security aspect of response validation is the OCSP client's responsibility.) Use the health check to detect failing HSMs if you cache the OCSP signers for a long time and want to detect this.
Rules for using the GUI have been made for fine grained.
Differences are:
- End Entity Profiles are access via "/endentityprofilesrules" instead of the deprecated "/super_administrator"
- The "EMPTY" end entity profile has access rules like any other profile.
- System Configuration is now accessed via /system_functionality/edit_systemconfiguration instead of "/" in previous versions
- The rule /ca_functionality/edit_publishers is now all that is required to access the Publisher's page in the GUI, and all publishers assigned
to a CA that the admin has access to, or unassigned to any CA, will show up on the list. The "CA Administrator" role template has been given access to this rule.
These changes require no action during or after upgrade. Since earlier rules were either lower level or non-selectable due to deprecation, any user with access to those rules much have access to the new ones as well. Since the new rules are more specific than the old ones, any users gaining access to the affected resources is presumed to be intentional, but testing should be made for any custom roles.
EJBCA 6.2.x to EJBCA 6.2.7
Behavior of OCSP responder has been changed slightly in order to improve performance. Status of the OCSP signing certificate's CA is now only checked when the cache is reloaded, instead of at every request. If unsure how long the timeout is set for, check the value ocsp.signingCertsValidTime in ocsp.properties.
EJBCA 6.2.x to EJBCA 6.2.4
The configuration from for the OCSP default responder has been moved from ocsp.properties into the global configuration, into a new cache with ID=OCSP.
The old value will automatically be committed into the database by the first upgraded node. If ocsp.properties didn't point to a subject DN matching an existent CA or OCSP keybinding, the old value will be retained until either a CA or keybinding matching it has been created or a valid CA or keybinding has been selected in the GUI.
Default behavior of the default responder has been modified to automatically reply for all externally imported CAs which lack specific OCSP keybindings. Be aware that this may cause unexpected behavior in the case of where an inactivated (due to responder certificate being revoked or expiring) keybinding exists, and that keybinding has a different behavior in regards to unknown certificates than the default responder.