EJBCA 7.5 Upgrade Notes
Below are important changes and requirements when upgrading from EJBCA 7.4 to EJBCA 7.5.0.1. (EJBCA 7.5.0 was an internal release, not generally available for customers.)
For upgrade instructions and information on upgrade paths, see Upgrading EJBCA. For details of the new features and improvements in this release, see the EJBCA 7.5 Release Notes.
Database Changes
EJBCA 7.5.0.1 contains the new columns accountBindingId in CertificateData and tokenProviderId in RoleMemberData, as well as subjectDn and email in ApprovalData (added in EJBCA 7.4.3).
The columns are created automatically by Hibernate when EJBCA 7.5.0.1 is deployed for the first time. However, if your EJBCA database user does not have GRANT privileges, you need to run the ALTER commands in the upgrade SQL scripts before deploying EJBCA. The corresponding SQL scripts are located under src/upgrade/.
Behavioral Changes
New Secure Authentication Web Property
To support authentication with both certificate and OAuth2 token, a new web.reqauth property has been added to the web.properties configuration file, replacing and deprecating the former property web.reqcert.
The new web.reqauth property enforces secure authentication by the client TLS certificate or OAuth2 token to access the EJBCA Administration interface. The change is backward compatible and thus the former web.reqcert property can still be used in existing configurations. Note, however, that new installations should only use the web.reqauth property.
Improved RA and CA Approvals Handling
RA approvals and CA approvals are now handled in their respective UIs.
RA Related Approvals Moved To RA UI
Approvals for the following actions are now managed using the RA UI and are no longer listed in the CA UI:
- Add/Edit End Entity
- Key recovery
- Revocation
CA Related Approvals Moved To CA UI
CA related approvals are shown in the CA UI (Supervision Functions > Approve Actions), and approvals for the CA Token Activation are no longer listed in the RA UI. For more information, see Approving Actions.
Default Encoding of Policy Notice Text X.509 Certificate Extension Changed to UTF-8
When creating a new CA, the option Use UTF-8 in policy notice text previously defaulted to false in order to support older versions of Windows. Since Windows now supports the standard UTF-8 encoding, the default value of Use UTF-8 in policy notice text has been changed to true (enabled). The change only applies to creating new CAs and values of existing CAs are not changed.
Removed Support for Native Browser Enrollment
The Public Web menu option Create Browser Certificate has been removed since relevant browsers no longer support this functionality.
eIDAS Edition
If upgrading a software installation of EJBCA eIDAS edition, the following two options need to be enabled in conf/web.properties in order for the Utimaco CP5 HSM options to be visible in the Admin UI when creating new crypto tokens and activating keys in crypto tokens.
p11ng.cryptotoken.enabled=true
p11ng.utimacocp5.enabled=true
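A pre-upgrade check for the two web.properties changes described in these notes (the deprecated web.reqcert property and the eIDAS p11ng options), as an added example that is not part of EJBCA or its documentation. The function names and the sample file content are constructed for illustration, and flagging differing web.reqcert and web.reqauth values as a conflict is an assumption, since these notes do not say which property takes precedence.

```python
# Added example (not EJBCA code): audit conf/web.properties before upgrading to 7.5.
DEPRECATED = "web.reqcert"
REPLACEMENT = "web.reqauth"
EIDAS_REQUIRED = ("p11ng.cryptotoken.enabled", "p11ng.utimacocp5.enabled")


def parse_properties(text):
    """Parse simple Java .properties text; the last assignment of a key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        # The key ends at the first '=' or ':' (line continuations are not handled).
        cut = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if cut == -1:
            continue
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit_web_properties(text, eidas=False):
    """Return a list of findings relevant to the EJBCA 7.5 upgrade notes."""
    props = parse_properties(text)
    findings = []
    old, new = props.get(DEPRECATED), props.get(REPLACEMENT)
    if old is not None and new is None:
        findings.append(f"{DEPRECATED} is deprecated; new configurations should use {REPLACEMENT}")
    elif old is not None and old.lower() != new.lower():
        # Assumption: precedence between the two is not documented here, so flag it.
        findings.append(f"{DEPRECATED}={old} differs from {REPLACEMENT}={new}; keep only {REPLACEMENT}")
    elif old is not None:
        findings.append(f"{DEPRECATED} is redundant next to {REPLACEMENT}; remove it")
    if eidas:
        for key in EIDAS_REQUIRED:
            if props.get(key, "").lower() != "true":
                findings.append(f"{key} must be true for the Utimaco CP5 HSM options to be visible")
    return findings


# Constructed sample input, not taken from a real installation.
SAMPLE = """\
# conf/web.properties
web.reqcert=true
p11ng.cryptotoken.enabled=true
"""
if __name__ == "__main__":
    for finding in audit_web_properties(SAMPLE, eidas=True):
        print("FINDING:", finding)
```

Pass eidas=True only for eIDAS edition installations; for other editions the p11ng checks do not apply.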