Changes in This Release
On Ubuntu 18.04 LTS, upgrading the Security Server from versions 6.22.1/6.23.0 to version 6.24.0 requires using the apt install xroad-securityserver or apt full-upgrade command.
On RHEL7, upgrading the Security Server from versions 6.22.1/6.23.0 to version 6.24.0 is done using yum update.
Running apt upgrade is not enough for this version upgrade, since that command does not remove the xroad-jetty and xroad-nginx packages, which are removed in the upgrade.
Please note that Security Server direct upgrade from versions < 6.22 to 6.24.0 is not supported. In case you’re running a Security Server version < 6.22, please upgrade to version 6.22.1 or 6.23.0 first, and then from version 6.22.1/6.23.0 to version 6.24.0.
- New user interface provides improved user experience (UX) for Security Server administrators.
- New intuitive user interface makes regular administrative tasks easier and supports streamlining the on-boarding process of new X-Road members.
- More information related to the new user interface can be found in Appendix 1.
- Common maintenance and configuration tasks can be automated using the management API.
- Support for running Security Server on Red Hat Enterprise Linux 8 (RHEL8).
- Technology updates and decreased technical debt.
- Updates to the operational monitoring protocols that enable monitoring of SOAP and REST services in a more consistent manner.
- N.B.! The updates cause breaking changes in the Operational Monitoring protocols.
- Better support for using external database services on different platforms (e.g. Amazon Web Services, Microsoft Azure, Google Cloud Platform) for both Central Server and Security Server.
- N.B.! Major changes in Central Server and Security Server database schemas.
- Changes in allowed characters in X-Road system identifiers and improved validation of the identifiers.
Add validation of the expiration date of client certificates. Before version 6.24.0, the Security Server did not validate the expiration date of a client information system's certificate. Starting from version 6.24.0, the expiration date of client certificates is validated and, if the certificate has expired, a warning is logged in the proxy log by default. It is also possible to prevent the use of expired client certificates and block message processing when an expired client certificate is detected. This can be achieved by adding the below configuration in "/etc/xroad/conf.d/local.ini" on the Security Server:
Update the date and time format used in the X-Road application logs to be based on the international standard ISO 8601 so that it's consistent. Starting from version 6.24.0 the date and time format used in the X-Road application logs is "yyyy-MM-ddTHH:mm:ss.SSSZ".
Dates in log messages and exceptions use ISO 8601 with timezone. Timestamp formats in file names remain unchanged.
|XRDDEV-63||Fix||Fix signer-console reporting correctly closed akka connections as errors.|
|XRDDEV-68||Fix||Fix the usage of thread local variables in the Security Server.|
|XRDDEV-113||Improvement||Optimize message log archiving performance. The database query logic used in the archival process was updated to use streaming instead of multiple separate queries.|
Improve the Security Server architecture documentation by adding a description of contracts and responsibilities of different Security Server modules. The information is available in the Security Server Architecture document (ARC-SS).
|XRDDEV-142||Improvement||Add DNS name or IP that was used to register the Security Server to the Security Server UI. Starting from version 6.24.0 the DNS name or IP can be viewed in the Security Server UI by taking the mouse cursor over the Security Server name on the top banner.|
Improve Security Server's fault tolerance when internal load balancing is used. After the change, requests are no longer sent to Security Servers with a failing TLS handshake.
The "fastest wins" connection selection strategy used for Security Server HA was updated to take a successful TLS handshake into account when choosing the winner. Before version 6.24.0, the fastest wins selection worked so that the Security Server that first responded to the TCP connect request was selected as the winner. If the TLS handshake failed in a later phase of the message flow, the whole request failed. Starting from version 6.24.0, the fastest wins selection takes the TLS handshake into account, and a Security Server with a failing TLS handshake cannot be selected as a winner. For example, a Security Server that is running without a valid authentication certificate, or without the PIN code having been entered, no longer receives requests from other Security Servers.
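The selection change described above, as a simplified model added here (not X-Road's own code): the old rule races TCP connects only, the new rule races TCP connect plus TLS handshake and ignores candidates whose handshake fails. The `Candidate` class, server names and timings are assumptions constructed for the illustration.

```python
import asyncio
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    address: str
    tcp_s: float   # simulated time until the TCP connect completes
    tls_s: float   # simulated time spent in the TLS handshake
    tls_ok: bool   # False: e.g. no valid authentication certificate, PIN not entered


class HandshakeFailed(Exception):
    pass


async def tcp_only(c):
    await asyncio.sleep(c.tcp_s)
    return c


async def tcp_then_tls(c):
    await asyncio.sleep(c.tcp_s + c.tls_s)
    if not c.tls_ok:
        raise HandshakeFailed(c.address)
    return c


async def race(candidates, attempt):
    """Return the first candidate whose attempt finishes without error, else None."""
    tasks = [asyncio.ensure_future(attempt(c)) for c in candidates]
    try:
        for finished in asyncio.as_completed(tasks):
            try:
                return await finished
            except HandshakeFailed:
                continue  # a failed handshake can never win; keep waiting
        return None
    finally:
        for task in tasks:
            task.cancel()  # losers are dropped once the race is decided


def select(candidates, from_6_24):
    """Return (winner address, request can proceed) under either selection rule."""
    winner = asyncio.run(race(candidates, tcp_then_tls if from_6_24 else tcp_only))
    if winner is None:
        return None, False
    # Old rule: TLS is attempted only after the winner is fixed, so it can still fail.
    return winner.address, winner.tls_ok


# Constructed provider-side Security Servers; names and timings are made up.
SERVERS = [
    Candidate("ss-a.example", 0.01, 0.01, tls_ok=False),
    Candidate("ss-b.example", 0.03, 0.02, tls_ok=True),
    Candidate("ss-c.example", 0.02, 0.10, tls_ok=True),
]
```

With these servers, `select(SERVERS, from_6_24=False)` picks the broken `ss-a.example` and the request fails, while `select(SERVERS, from_6_24=True)` picks `ss-b.example`.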
Improve failover for timestamping requests so that failover also works when the TSA certificate is incorrect and/or expired. Before the change, failover worked only when the connection to the TSA failed, but starting from version 6.24.0 failover is also done when the connection succeeds but the TSA response is invalid. After the change, timestamping is more robust since all the configured TSAs are tried until a valid response is received. If none of the configured TSAs is able to provide a valid response, timestamping fails. However, the failover requires that the Security Server has more than one configured TSA.
Improve security and configurability by adding separate database users for Security Server database migrations, so that the normal DB users used by the application cannot update the DB schema. Each Security Server database has its own admin user (by default serverconf_admin, messagelog_admin, opmonitor_admin) and normal DB user (by default serverconf, messagelog, opmonitor).
The migrations user is created on new installs; upgrades are not affected.
Update operational monitoring implementation and protocols so that separate fields for storing the same metric for SOAP and REST messages are not used. After the change there's a single field for each metric that is used for both SOAP and REST messages.
Changes in the "getSecurityServerOperationalData" response's "operational-monitoring-data.json.gz" attachment:
Changes in the "getSecurityServerHealthData" response:
Changes in the JMX metrics:
This is a major update to operational monitoring protocol (0.x → 1.0) which breaks compatibility with the previous version. The protocol is defined in the following documents:
Add new UI and management API package (xroad-proxy-ui-api) to the Security Server packaging. Remove the old UI package (xroad-jetty) and Nginx package (xroad-nginx) from the packaging.
During the Security Server version upgrade to version 6.24.0 the old UI's TLS key and certificate are migrated to the new UI.
SELinux configuration changes are removed from RHEL installations.
Removed log files and directories:
New log files:
Add support for returning Security Server generated error messages in different formats (JSON, XML). Starting from version 6.24.0 the Security Server respects "Accept" header value when providing error responses. The formats application/json, application/xml and text/xml are supported, application/json is the default.
Security Server respects the "Accept" header value only when the error response is generated by the Security Server. Error messages originating from service provider's information system are not converted or transformed - they are returned as-is. In other words, the "Accept" header value is not respected when the error response is not generated by the Security Server.
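A client-side handler for the behaviour described above, added here as an example (not part of the release notes or of X-Road's code): it chooses how to parse an error response from the response's own Content-Type, so provider errors that pass through as-is are not mis-parsed. The `type`/`message` field names, the `error` root element and the sample bodies are assumptions constructed for the illustration.

```python
import json
import xml.etree.ElementTree as ET

XML_TYPES = ("application/xml", "text/xml")


def media_type(content_type):
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def parse_error(content_type, body):
    """Classify an error response body (bytes) by the Content-Type it came with.

    The Accept header the client sent is deliberately not consulted: errors from
    the provider's information system come back in whatever format it used.
    """
    mtype = media_type(content_type)
    try:
        text = body.decode("utf-8")
        if mtype == "application/json":
            doc = json.loads(text)
            if isinstance(doc, dict) and "type" in doc and "message" in doc:
                return {"format": "json", "type": str(doc["type"]),
                        "message": str(doc["message"])}
        elif mtype in XML_TYPES:
            # An error body has no use for a DTD, so any body carrying a
            # DOCTYPE is refused before it reaches the XML parser.
            if "<!doctype" in text.lower():
                raise ValueError("DTD not allowed in error body")
            root = ET.fromstring(body)
            etype, message = root.findtext("type"), root.findtext("message")
            if root.tag == "error" and etype and message:
                return {"format": "xml", "type": etype, "message": message}
    except (ValueError, ET.ParseError):
        pass  # malformed or unexpected body: treat it as opaque
    return {"format": "passthrough", "content_type": mtype, "raw": body}


# Constructed sample bodies (assumed shapes, not captured traffic).
SS_JSON = b'{"type": "Server.ServerProxy.AccessDenied", "message": "constructed sample"}'
SS_XML = (b"<error><type>Server.ServerProxy.AccessDenied</type>"
          b"<message>constructed sample</message></error>")
PROVIDER_HTML = b"<html><body>500 from the provider's own application</body></html>"
XML_WITH_DTD = (b'<!DOCTYPE error [<!ENTITY a "aaaa">]>'
                b"<error><type>&a;</type><message>m</message></error>")
```

A caller that sent `Accept: application/json` and receives `PROVIDER_HTML` gets a `passthrough` record instead of a JSON parsing exception.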
|XRDDEV-595||Improvement||Replace "-" characters with "_" in ansible scripts to fix deprecation warnings.|
Fix a problem that caused WSDL validation to return warnings as errors that cannot be ignored.
WSDL validation may return warnings that can be ignored and errors that cannot be ignored. The problem caused warnings to be interpreted as errors with the result that warnings caused WSDL validation to fail without the possibility to ignore them.
Optimize serverconf caching and access rights evaluation. Before version 6.24.0, service access rights were fetched from the database separately for every incoming request. Starting from version 6.24.0, the access rights are fetched from the database periodically and cached for 60 seconds by default. Therefore, changes in the service access rights are not applied immediately, but within 60 seconds of the change.
Access rights and other frequently accessed server configurations are now cached (by default for 60 seconds). Due to this, changes in the access rights are not applied immediately.
|XRDDEV-712||Improvement||Update Ansible scripts to support Ubuntu 18 minimal OS.|
|XRDDEV-728||Fix||Remove old, unused RHEL7 port forwarding scripts and all references to these scripts from RHEL7 packaging.|
Clarify documentation related to downloading service descriptions.
|XRDDEV-745||Fix||Fix a problem that caused rsyslog and nginx configuration changes not to be applied on fresh RHEL install without restarting rsyslogd and nginx.|
|XRDDEV-747||Improvement||Improve configurability by splitting nginx default-xroad.conf so that it can be updated independently for Central Server and Security Server.|
|XRDDEV-752||Improvement||Update Akka to version 2.6.|
Update ansible scripts to allow the Central Server to be installed with a remote database.
More information can be found here.
Improve security and configurability by moving Security Server DB tables to a separate schema instead of using the default "public" schema, so that maintenance does not require super-user rights. The change also enables user defined database names and users which makes it possible to host several databases in the same PostgreSQL cluster (instance). Before version 6.24.0, database names and users were hard-coded which prevented sharing the same PostgreSQL cluster among multiple Security Servers.
When upgrading to version 6.24.0, the serverconf database schema is renamed and the migration requires that the installer can access the database using administrative permissions. If sufficient permissions are not available, the upgrade will fail and some manual steps are needed. The manual steps are documented here.
Please note that the messagelog and opmonitor schemas are not renamed during an upgrade. Instead, new installations will use separate schemas.
Backups taken from a previous version are not compatible with version 6.24. After a successful upgrade, take a backup of the system configuration.
Improve security by moving Central Server DB tables to a separate schema instead of using the default "public" schema, so that maintenance does not require super-user rights.
Backups taken from a previous version are not compatible with version 6.24. After a successful upgrade, take a backup of the system configuration.
|XRDDEV-814||Improvement||Update license in source code file headers.|
Make the Security Server listen to connections from client information systems only on localhost when the Estonian meta package is installed.
Only new installations are affected by the change. Existing installations continue to listen for connections on the same interfaces as before the upgrade to version 6.24.0.
To enable connections from outside of localhost on new installations, the default configuration must be overridden in the "/etc/xroad/conf.d/local.ini" configuration file.
This applies to xroad-securityserver-ee package only. The vanilla version and other country specific versions are not affected.
|XRDDEV-825||Improvement||Remove the deprecated HTTP GET metaservice interface for fetching WSDL descriptions. Starting from version 6.24.0 the "getWsdl" metaservice is available through the HTTP POST metaservice interface only.|
Add validation of X-Road identifiers for restricted characters when identifiers are added or modified using the Security Server REST management API.
Check the warning listed below for ticket XRDDEV-827 listing new rules that are applied for X-Road identifiers.
Add validation of X-Road identifiers for restricted characters when identifiers are added or modified on the Central Server, during management request processing on the Central Server and during message processing on the Security Server:
Restricted characters are:
The restricted characters are applied to the following identifiers:
If there are invalid identifiers in messages going through the Security Server, it may produce lots of warnings in the log files (depending on the amount of traffic).
Add support for configuring database super-user name for the Security Server and Central Server.
Before version 6.24.0, the Central Server and Security Server used a hard-coded database super-user "postgres". However, some environments and platforms use a different super-user name, which made the installation fail. Starting from version 6.24.0, it is possible to configure the database super-user name in the xroad.properties file.
|XRDDEV-874||Improvement||Improve Central Server HA migration guides here and here.|
|XRDDEV-911||New||Create Security Server installation packages for Red Hat Enterprise Linux 8 (RHEL8).|
|XRDDEV-913||Fix||Fix a problem that caused xroad-opmonitor standalone installation fail on Ubuntu 18.|
|XRDDEV-925||Improvement||Implement ordering of the configured TSA providers on the Security Server so that the same ordering is used by the Security Server management REST API, UI and proxy in message processing. Before version 6.24.0 the ordering of TSA providers wasn't explicitly defined and the ordering may have varied between different Security Server components. Starting from version 6.24.0 all the Security Server components use the same ordering.|
Document manually upgrading the Security Server DB schema to 6.24 in case the automated process fails.
The documentation is available here.
|XRDDEV-999||Fix||Update Rake version to 13.0.1.|
Fix a problem that caused the operational monitoring getSecurityServerOperationalData response json file to contain responses which were not made by the requesting client. The problem occurred only with result sets exceeding the max-records-in-payload (10000 by default) limit.
|XRDDEV-1011||Improvement||Add summary output to HA cluster status check in Central Server system status API. The summary status is presented by the "all_nodes_ok" property, and its value is true if the status of all nodes is "OK" and false otherwise.|
|XRDDEV-1017||Improvement||Make signer client recover faster from signer connection failures to avoid long hanging connections. When connection is lost, signer client tries to re-establish the connection as soon as possible. Signer client is used by other X-Road modules (e.g., proxy, proxy-ui-api) that need to connect to signer.|
|XRDDEV-1021||Fix||Update jackson-databind version to 2.10.3.|
|XRDDEV-1123||Improvement||Remove unnecessary OCSP fetching of root certificates when Security Server diagnostics information is accessed. Before version 6.24.0 accessing the Security Server diagnostics information caused an error in the signer log, because fetching of root certificates was attempted. Starting from version 6.24.0 accessing the Security Server diagnostics information does not cause false error messages in the logs.|
|XRDDEV-1156||Fix||Improve security by making rsyslog listen for connections on localhost only by default. Before version 6.24.0 rsyslog listened for connections on all interfaces by default.|
|XRDDEV-1157||Improvement||Publish X-Road release repository sign key on key servers maintained by a trusted third party (SKS key servers) for improved trust. Add X-Road release repository sign key details to installation guides.|
Improve security by disabling Security Server JMX interfaces by default.
The change affects all existing and new Security Server installations. Before the change, the operational monitoring JMX interface was enabled by default and listened on all available interfaces. After the change, the operational monitoring JMX interface is disabled by default. If it was utilised, the interface must be manually enabled after the upgrade. Instructions on how to enable JMX have been added to the documentation.
Environmental monitoring JMX interface was already disabled by default. Users utilising environmental monitoring JMX interface are not affected by this change.
Improve security by auto generating the default password for Central Server database user "centerui" during installation process.
This password is only generated for fresh installations. Upgrades remain unaffected.
|XRDDEV-1161||Improvement||Turn message body logging off on the Security Server for the Icelandic Security Server meta package ("xroad-securityserver-is").|
Enable enforcing token PIN policy in the Estonian meta package. After the change the token PIN policy is enforced when "xroad-securityserver-ee" package is installed.
The software token PIN is required to be at least 10 ASCII characters from at least three character classes:
|XRDDEV-1180||Improvement||Add more detailed instructions on required network configuration in the Security Server installation guides.|
|XRDDEV-1181||Fix||Upgrade dependencies jackson-databind and cxf-tools-validator.|
|XRDDEV-1201||Improvement||Improve security by unifying file permissions on Security Server RHEL installations. After the change all the X-Road executables are owned by the root user. The xroad user has read and execute permissions.|
|XRDDEV-1207||Fix||Update the Icelandic certificate profile.|
|XRDDEV-1209||New||Add Security Server meta package ("xroad-securityserver-fo") and certificate profile for the Faroe Islands.|
|XRDDEV-1281||Fix||Remove an unused secret token from the Central Server's code base.|
|-||New||The issues related to the new Security Server admin UI and API are listed here.|
Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).
|Dependency||Old Version||New Version||Notes|
|akka||2.4.20||2.6.7||New logging functionality|
|spring-boot||-||2.2.8||Added with new UI|
|spring-framework||-||5.2.7||Added with new UI|
|spring-boot-starter-security||-||2.2.8||Added with new UI|
|spring-boot-starter-web||-||2.2.8||Added with new UI|
|spring-boot-starter-actuator||-||2.2.8||Added with new UI|
|spring-boot-starter-data-jpa||-||2.2.8||Added with new UI|
|spring-boot-starter-cache||-||2.2.8||Added with new UI|
|spring-cloud-starter-sleuth||-||2.2.2||Added with new UI|
|libpam4j||-||1.11||Added with new UI|
|commons-compress||-||1.20||Added with new UI|
|wsdl4j||-||1.6.3||Added with new UI|
|bucket4j||-||4.10.0||Added with new UI|
|swagger-parser||-||2.0.20||Added with new UI|
|openapi-generator||-||4.2.0||Added with new UI|
|tomcat||-||9.0.37||Added with new UI|
|hibernate||-||5.3.10||Added with new UI|
|hikaricp||-||3.2.0||Added with new UI|
The following developers have contributed to the development of this release version. A contribution means at least one Git commit that is included in the release. The full list of contributors of different X-Road® versions is available here.
deb https://artifactory.niis.org/xroad-release-deb bionic-<version> main
|RPM / RHEL7|
|RPM / RHEL8|
Repository Sign Key Details
|Fingerprint||A01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B|
|3rd party key server||SKS key servers|
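One way to check a downloaded copy of the repository sign key against the fingerprint in the table above before importing it, added here as an example (not part of the release notes). It parses the colon-format listing that `gpg --show-keys --with-colons <keyfile>` prints; the listings embedded below are constructed, and the key IDs, dates and uid in them are made up.

```python
import re

# Fingerprint published in the table above.
PUBLISHED_FPR = "A01B FE41 B9D8 EAF4 872F A3F1 FB0D 532C 10F6 EC5B"


def normalise(fingerprint):
    """Strip spacing and insist on a full 40-hex-digit fingerprint."""
    compact = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("need the full fingerprint, not a short or long key ID")
    return compact


def primary_fingerprints(colon_listing):
    """Fingerprints of primary keys: the 'fpr' record that follows a 'pub' record."""
    found, expect_primary = [], False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 holds the fingerprint
            expect_primary = False
        elif fields[0] == "sub":
            expect_primary = False           # later 'fpr' records are subkeys
    return found


def key_file_is_trusted(colon_listing, published=PUBLISHED_FPR):
    """True only if the file holds exactly one primary key and it is the published one."""
    found = primary_fingerprints(colon_listing)
    return len(found) == 1 and found[0] == normalise(published)


# Constructed listing for a key file that matches the published fingerprint.
GOOD = """\
pub:-:4096:1:FB0D532C10F6EC5B:1546300800:::-:::scESC::::::23::0:
fpr:::::::::A01BFE41B9D8EAF4872FA3F1FB0D532C10F6EC5B:
uid:-::::1546300800::0000000000000000000000000000000000000000::constructed uid <release@example.org>::::::::::0:
sub:-:4096:1:1111111111111111:1546300800::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
"""

# Constructed listing for a different key that shares only the last 8 hex digits.
SHORT_ID_LOOKALIKE = """\
pub:-:4096:1:89ABCDEF10F6EC5B:1546300800:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF10F6EC5B:
"""
```

`key_file_is_trusted(GOOD)` is true, while the lookalike key and a file that bundles a second primary key alongside the genuine one are both rejected.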