Below are important changes and requirements when upgrading from EJBCA 7.4.2 to EJBCA 7.4.3. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA. For details of the new features and improvements in this release, see the EJBCA 7.4.3 Release Notes.
Backward Incompatible Peer Connector Protocol Change Affecting EST
A backward incompatible change was required in the peer connector protocol to enforce domain security for RAs. This change impacts EST proxying from RA to CA and was implemented by adding a new method call in the protocol and disabling the old one.
To avoid any uptime issues when upgrading:
- Upgrade the RAs before you upgrade the CA
- If you wish to upgrade the CA before the RA or run RAs on version 7.4.2 or older, with a CA on 7.4.3 or newer, you need to set the property
raapi.legacyest.enabled=truein the configuration file
conf/web.properties, and then re-build and redeploy EJBCA to re-enable the old EST method call. Note that the old method call does not enforce the domain security of the RA, i.e. restrictions set out in the peer connector role will not be enforced.
Failover for the CRL Updater Service
The CRL updater service will fail over to another node in the cluster if it is unable to complete its work. Before running, it will check if the CRL signing key is accessible by performing a test signature. If at least one CRL signing key for an active CA is inaccessible, the work is deferred to give another node in the cluster a chance to run the service. In previous versions of EJBCA, the service would fail and then run again on the same node.
An important side-effect to be aware of is that if a CRL signing key is inaccessible for one CA it will block issuance of CRLs for all CAs on that instance. If the CRL signing key is accessible on another node in the cluster, the work will be handed over automatically. If not, you need to deactivate the CA - whose CRL signing key is inaccessible, before the service can run again.
Being a minor release, no post upgrade is required.