EJBCA 6.11 Release Notes
The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.11.
Release Highlights:
Read the EJBCA 6.11 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
EST Protocol Support
EJBCA 6.11 introduces support for the Enrollment over Secure Transport (EST) protocol. For those of you now in the know, EST is an enrollment protocol similar to SCEP. Much like CMP and SCEP, EST can be configured through multiple aliases, and can like CMP also have calls proxied from an RA up a CA using the Peers Protocol. For more information, see EST.
External Command Certificate Validators
The second main feature of this release is the concept of External Validators, a feature which has been widely requested by quite a few of our enterprise users. An External Validator functions much like the existing validators (RSA, CAA, etc), but it runs on either a certificate or pre-certificate object and calls on local script on the local system.
As a security feature we have added a configuration value under System Configuration that disables both the External Validator and the General Purpose Custom Publisher. This configuration value is set to be disabled by default unless you're currently running a General Purpose Custom Publisher in your installation. To prevent a user from using the External Validator to run system commands, we have also added a command whitelist.
Modular Protocol Configuration
We have also added a few of features to make VA/RA installations more secure in the DMZ. In order to guard against possible 0-days or protocol vulnerabilities we have added the Protocol Configuration-tab to System Configuration. Through this tab all incoming protocols or servlets can be disabled.
Additionally, new access rules now allow prohibiting CMP and WS calls being sent from the RA/VA to the CA via Peers, in case the RA/VA runs the risk of being compromised.
Default OCSP Signature Algorithms Change
We have updated the VA so that SHA1WithRSA and SHA1WithECDSA are no longer acceptable signature algorithms for an OCSP responder. Fore details, see EJBCA 6.11 Upgrade Notes.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 6.11.0, refer to our JIRA Issue Tracker.
New Features
ECA-4220 - Support for EST protocol
ECA-4650 - GUI: View functionality for default certificate profiles
ECA-5869 - Add links to an End Entity's certificates in the RA EE Search page.
ECA-5870 - Allow for EE status change from the RA
ECA-5997 - StateDump Validators
ECA-6051 - Add post-processing to Validator framework
ECA-6083 - In the Create CA screen, add a warning to each key in the crypto token that is already used by another CA
ECA-6279 - Add GUI support for CAA misissuance reports w. IODEF
ECA-6280 - Add WS IODEF support in backend for CAA misissuance reports
ECA-6293 - Implement datatype for IODEF
ECA-6313 - Use XML converter for IODEF types
ECA-6315 - Support for CVC certificate extensions
ECA-6383 - Support for FIPS 201-2 PIV FASC-N subjectAltName
ECA-6404 - Include CMP Transaction ID in the log of CMP Proxy
ECA-6425 - Password generator in clientToolBox
ECA-6447 - Add a configurable whitelist to external validators
ECA-6455 - Write documentation for EST
Task
ECA-5944 - Go through RaMasterApi and verify that the presence of a certificate does not prevent forwarding of the request
Improvements
ECA-3838 - Move DummyApprovalRequest into a test module
ECA-3844 - Move all CRUD methods from CAData into CaSessionBean
ECA-4476 - Name constraints should be validated before approval request gets added
ECA-6155 - Make "treat lookup failure as permission to issue" configurable for CAA lookups
ECA-6229 - Clean up unused language keys
ECA-6246 - Introduce protocol configurations in system config
ECA-6247 - Deny access to disabled protocols globally
ECA-6249 - Modular Protocol Configuration to the RA over Peers
ECA-6257 - Code clean up in RA Preferences.
ECA-6285 - Improve comment about 'web.errorpage.notification' in 'web.properties.sample'
ECA-6286 - Standard Date/Time examples for the logs
ECA-6291 - Language files clean up, sorting "Mostly Configuration Module"
ECA-6329 - OcspKeybindings should display active status
ECA-6331 - Refactoring "HELPER" message keys in language files
ECA-6333 - Document modular protocol configuration
ECA-6366 - Add jboss-deployment-structure for BC provider on Oracle JDK for external RA SCEP server
ECA-6367 - Add a constant for key purpose 0, defaultKey
ECA-6368 - Remove old unused help links
ECA-6369 - Change default OCSP signature algorithm to use SHA-256
ECA-6370 - Update 'second' CSS style according to 'default' one
ECA-6377 - Move profile ID constants into the correct classes
ECA-6379 - Old list of Role Members is used when an Approval Request is created
ECA-6396 - Specify Bouncy Castle provider explicitly for audit log verification
ECA-6402 - Add test for expiration year filtering of CT Logs
ECA-6405 - Notify user when RA is offline
ECA-6407 - Modular protocol configuration over Peers using access rules
ECA-6409 - Internal Key Bindings page throws exceptions when there's a crypto token error
ECA-6410 - Modular protocol configuration improvements - Implement servlet filter
ECA-6418 - Improve error handling for CV certificates
ECA-6423 - Add Javadoc for CaConstants
ECA-6428 - Modular protocol configuration improvements - UI, Configuration
ECA-6430 - Custom CVC extensions in link certificates
ECA-6432 - Improve error message to distinguish between client and server cert in peer connector
ECA-6446 - Add a system configuration value for enabling External Command Validators
ECA-6452 - "External Command" text frame in External Command Certificate Validator should be wider
ECA-6457 - Create an upgrade routine that enables External Scripts (under System Configuration) only if any General Purpose Custom Publishers exist
Bug Fixes
ECA-6086 - Document CAA IODEF limitations
ECA-6120 - Document that CAA Validator requires TCP ports to be open in firewall
ECA-6187 - clientToolBox. SCEPTest compares the wrong types in responses
ECA-6199 - AdminWeb: Partitioned approval "Request has been executed"
ECA-6222 - Public key exponent min value can be larger than max value for the RSA Key Validator.
ECA-6223 - Possible to enter negative values in all numerical fields in RSA Key Validator
ECA-6236 - Titles "Import CRL" and "Basic Functions" are not localized
ECA-6237 - Display bug in Certificate Profile viewing
ECA-6238 - GUI: Unknown language keys found in Audit Log
ECA-6264 - Fix javadoc compilation errors
ECA-6326 - Error when listing tokens on a HSM
ECA-6330 - Error if default OCSP responder is set to NONE
ECA-6345 - EJBCA Certificate Enrollment Error page
ECA-6348 - when trying to navigate RA Web nothing happens (Blank page). Error message occured in logs
ECA-6371 - Status labels not localized in "Protocol Configuration"
ECA-6374 - ECC Key Validator shows incorrect label
ECA-6376 - Add fields in Partitioned Approval results in java.lang.NullPointerException
ECA-6388 - RA Web: Role Members issued by External CAs states "Unknown CA"
ECA-6391 - CT Log Lifetime table accepts negative values
ECA-6392 - Supervisor does not have access to certificate in audit log
ECA-6417 - MAXFAILEDLOGINATTEMPTS in ExtendedInformation can be saved as a string if set via WS
ECA-6421 - Regression: System Config cannot be saved, NPE
ECA-6422 - Google Ct Policy is reset after flushing cache and saving
ECA-6424 - Clicking on Add End Entity(request) in Approve actions page results in Internal Server Error
ECA-6427 - Misplaced null check in EST operations session bean
ECA-6429 - Regression: NPE in Admin GUI editing CVC CA that was created before validators
ECA-6433 - RA Web: End Entity status change doesn't work from external RA
ECA-6442 - Add dummy AlwaysAllowAuthenticationToken.InternalMatchValue in order to deserialize expired approval requests
ECA-6445 - Upgrade of CAA Validator not triggered when ValidatorBase changed
ECA-6449 - All form fields in End Entity Profiles page should have auto-complete disabled
ECA-6453 - ExternalCommandValidator: Testing non existing command gives stacktrace