EJBCA 7.0.0 Release Notes
It's not often that we get to celebrate the emergence of a major release of EJBCA, and this has been a long time coming. World, meet EJBCA 7!
So what's new, you ask? New workflows? VR based UI? Is everything solved using blockchains, machine learning and quantum cryptography?
Well, we're afraid not. What we have actually done is dig down and replace nearly all of the backing code for the UI, some of which has been around ever since EJBCA's inception back in 2002. Same old trusty EJBCA, but with a newly furnished engine. While this may sound a bit lackluster at first glance, this is the first major beachhead that will allow the PrimeKey team to start making great strides in improving EJBCA's user experience for our customers and their clients. This is not the end, but the start of an exciting new journey.
Technology Leap to JDK8/JEE7
Probably the most impactful change of upgrading to EJBCA 7 is that we're dropping support for JDK7 and, by extension, JEE6-reliant application servers. In essence, from here on in that means that the minimum supported application server is JBoss EAP7/Wildfly 10. If your current installation is running on an earlier JDK or application server, we recommend upgrading those first, going through an intermediate release of EJBCA if necessary. The EJBCA Upgrade Guide has detailed instructions for which workflow to follow if this applies to you.
This leap is partly motivated by the end of professional support for JDK7 from Oracle coming this summer, but also because it both allows us to upgrade older libraries (which have long since ceased receiving security updates) and to be able to make use of much of the newer technology which has been developed in the intervening years in order to improve your user experience.
JDK11 Support
While not completely tried and tested yet, we've begun implementing support for JDK11, and have it working in our test environment. For production environments, we recommend sticking to JDK8 for the time being, but for the adventurous among you, we would by all means appreciate any feedback.
Roadmap Update
Deprecating the Public Web and slimming down the CA Web UI
As mentioned above, we're heading into an exciting new era for EJBCA. The time has come for us to finally begin deprecating old functionality, and as we have mentioned before, two primary sections are on the chopping block: RA functionality in the CA Web and the Public Web, with the intent of them being fully replaced by the RA Web. Our goal in the coming months is to replicate the remaining missing features in the RA Web (we're nearly there), and further improve workflows in order to minimize context switching between the UIs, leading to a more natural user experience for EJBCA administrators. Once we feel secure that this is done we're going to perform a soft drop of the pages (hiding them by default, but still making them available if needed) before dropping them entirely in the long term. If your workflows still rely on those two feature sets, we recommend taking a look at the RA Web.
Appliance Release
EJBCA 7 (or a later minor release) will be included in Appliance version 3.3.0 and is scheduled towards the end of Q1.
Upgrade Information
Read the EJBCA Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 7.0.0, refer to our JIRA Issue Tracker.
Issues Resolved in 7.0.0
Released on February 7th 2019
New Features
ECA-3076 - Detect and audit log when an administrator logs out of the CA Web UI
ECA-6777 - Create new DB column for storing CSR in CertificateData
ECA-7225 - Note in approvals that values have been changed from the default
ECA-7256 - Allow the creation of unenrolled EEs from the RA Web
ECA-7339 - PSD2 ASN.1 module and API code
ECA-7383 - Core API support for multi-value RDN and End Entity Profile validation of multi-value RDNs
ECA-7401 - Implement ConfigDump export for MultiGroupPublisher
ECA-7413 - Add SHA384withRSAandMGF1 and SHA512withRSAandMGF1 to the list of selectable signature algorithms
ECA-7414 - Make EJBCA build with Java 11
ECA-7419 - Can't paste ACME root anchor with tabs
ECA-7440 - Configdump exports parts of ACME configuration even if excluded
ECA-7444 - User Data Source access control does not let superadmins select "Any CA"
ECA-7470 - Possibility to add array values in edit CA CLI
ECA-7539 - Add subcommand to clientToolBox to interact with database over pure JDBC
ECA-7556 - ClientToolBox command for running a health check
ECA-7562 - Add WS CLI method to get remaining number of approvals
ECA-7586 - Implement a session timeout from the CA Web UI
Improvements
ECA-3724 - Convert Certificate Profiles pages to JSF
ECA-4348 - Remove remaining NetID integration code
ECA-4377 - CertTools.isCertificateValid logging refers to OCSP.
ECA-4630 - Convert Edit End Entity Profile page to JSF
ECA-5804 - Make ApprovalSessionTest less timing sensitive
ECA-5851 - Convert Certificate Authority pages to JSF
ECA-5932 - Upgrade bundled Hibernate jars
ECA-6210 - Stop using Ejb3Configuration in DatabaseSchemaScriptCommand
ECA-6801 - Convert EJBCA Home page to JSF
ECA-6802 - Convert CA Activation Page to JSF
ECA-6803 - Convert CA Structure & CRLs page to JSF
ECA-6804 - Convert Edit Crypto Tokens page to XHTML
ECA-6805 - Convert Manage Crypto Tokens page to XHTML
ECA-6806 - Convert Manage Publishers page to JSF
ECA-6807 - Convert Edit Publishers page to JSF
ECA-6808 - Convert Manage End Entity Profiles page to JSF
ECA-6810 - Convert Manage User Data Sources page to JSF
ECA-6811 - Convert Edit User Data Source page to JSF
ECA-6812 - Convert Manage Hard Token Issuers page to JSF
ECA-6813 - Convert Edit Hard Token Issuers page to JSF
ECA-6816 - Convert Manage Approval Profiles page to XHTML
ECA-6817 - Convert Edit Approval Profile page to XHTML
ECA-6818 - Convert Audit Log page to XHTML
ECA-6819 - Convert Manage Keybindings page to XHTML
ECA-6820 - Convert Edit Keybindings page to XHTML
ECA-6821 - Convert Manage Peer Connectors page to XHTML
ECA-6822 - Convert Edit Peer Connectors page to XHTML
ECA-6824 - Convert Manage Services page to XHTML
ECA-6825 - Convert Edit Services page to XHTML
ECA-6826 - Convert Manage CMP Aliases page to JSF
ECA-6827 - Convert Edit CMP Alias page to JSF
ECA-6828 - Convert Manage EST Aliases page to JSF
ECA-6829 - Convert Edit EST Alias page to JSF
ECA-6830 - Convert Manage SCEP aliases page to XHTML
ECA-6831 - Convert Manage SCEP alias page to XHTML
ECA-6832 - Convert System Configuration page to XHTML
ECA-6833 - Convert Preferences page to JSF
ECA-7263 - Remove "Administration" title from CA UI
ECA-7276 - Database CLI import from XML format
ECA-7284 - Fix broken web tests for JSF conversion
ECA-7289 - Improvements to Certificate Transparency section in certificate profiles
ECA-7292 - Add proper error handling for JSF
ECA-7298 - EJBCA CLI's "Merge CA Tokens" leaves unused crypto tokens behind
ECA-7312 - Increase initial size of ProtectionStringBuilder for Certificate Profiles to avoid unnecessary warnings in debug log
ECA-7313 - Change mime type for CRLs from application/x-x509-crl to application/pkix-crl as defined in RFC5280
ECA-7314 - Implement "Custom Certificate Extension Data" field for RA enrollment
ECA-7315 - findCertificatesByExpireTime API calls, CLI and RA UI, should not return already expired certificates
ECA-7317 - SCEP error messages when CA can not be found are not complete
ECA-7325 - Extend tests for Custom Certificate Extensions
ECA-7327 - Convert viewcainfo.jsp and viewcertificate.jsp popUps to jsf
ECA-7334 - Review End Entity Profiles UI Tests
ECA-7343 - Refactor org.ejbca.webtest.helper.CaHelper
ECA-7344 - Refactor org.ejbca.webtest.helper.AdminRolesHelper
ECA-7348 - Introduce a CaStructureHelper for UI tests
ECA-7355 - Review Convert CA Structure & CRLs UI tests
ECA-7356 - Introduce an ApprovalProfilesHelper for UI tests
ECA-7357 - Review Approval Profiles UI tests
ECA-7362 - Review Administrator Roles UI Tests
ECA-7365 - Add a Jenkins job for EJBCA UI Tests
ECA-7367 - Acme must be in status unavailable under System Configuration (community edition)
ECA-7371 - Usage of sun.security.pkcs11 is not allowed when compiling in Java 11
ECA-7375 - Crypto Tokens page messages are displayed twice.
ECA-7380 - Missing space between 'Title' and '?' in Manage Crypto Tokens page
ECA-7421 - configdump module's unit tests are not collected by Jenkins unit tests job 'EJBCA_TRUNK_UNIT_PUPPET'
ECA-7423 - Failing tests of org.ejbca.configdump.core.ConfigdumpCoreUnitTest
ECA-7437 - Clean up unused imports, parameterize, remove unused variables etc.
ECA-7456 - VendorAuthenticationTest.test01_3GPPMode depends on server time zone
ECA-7471 - Allow system tests to run with EJBCA not on localhost
ECA-7491 - Use relative URLs in AdminGUI
ECA-7492 - Fun refactoring task - WebLanguages class uses property arrays, but should be remade in more OOP way
ECA-7508 - EJBCA-CLI: Do not add duplicate role members
ECA-7514 - Fix failing tests in EjbcaRestHelperUnitTest
ECA-7518 - Allow tests to run with TLS certificates not issued by ManagementCA
ECA-7522 - Add proper configuration to jenkins-files/*/conf/
ECA-7527 - Investigate and fix ACME failing tests in trunk
ECA-7530 - Convert ACME Configuration page to xhtml
ECA-7531 - Convert ACME Alias Configuration page to xhtml
ECA-7532 - Add Deviation List Signer Extended Key Usage
ECA-7537 - Simplify and improve configuration of CMP tests
ECA-7541 - Change CT log policy labels to not use mathematical symbols
ECA-7546 - Make API and log use of requestID and approvalID consistent and easier to understand
ECA-7547 - Allow OCSP KeyBinding certificate without Key Usage
ECA-7555 - Acme SystemTest(s) failure for 6.15X EJBCA_TRUNK_DB2V105_UBUNTU1204_JBOSSEAP61_PUPPET jenkins job
ECA-7557 - Fix failing CMP TCP system tests
ECA-7563 - Separate out EjbcaWSTest.test02FindUser into its own test class
ECA-7566 - EjbcaWS.findUser() does not work for subjectEmail
ECA-7567 - Allow browser binary to be configured for Web Tests
ECA-7573 - Improve error handling and remove dead code in AdminWeb
ECA-7574 - Convert Approval Actions page to XHTML
ECA-7575 - Convert Approval Action page to XHTML
ECA-7576 - Clarifications in the Multi Group Publisher documentation
ECA-7579 - Editing EE functionality in RA Web is hidden behind the View-button
ECA-7594 - fun refactoring task: ViewCertificateManagedBean parseRequest method needs the button control logic refactored out into their own methods
ECA-7604 - Get rid of PublisherDataHandler class
ECA-7605 - Fix admin-gui build.xml
ECA-7609 - Clear hibernate cache in ejbca-db-cli to avoid high memory usage
ECA-7612 - VendorAuthenticationTest test case fail in Jenkins
ECA-7614 - Implement ECAQA-196 test scenario.
ECA-7616 - Code refactoring in MultiGroup Publisher Data class.
ECA-7625 - Stop using System.lineSeparator, except for writing to files or pipes
ECA-7634 - ACME test improvements
ECA-7636 - Update system requirements in documentation
ECA-7642 - WebEjbcaClearCacheTest should be skipped if not running on localhost
ECA-7643 - EjbcaWSTest should not use hardcoded "superadmin" user
ECA-7644 - EJBCA ziprelease should not include scripts from jenkins-files
ECA-7645 - CrmfRAPbeRequestTest fails on community edition
ECA-7648 - EE_COS7_OpenJDK8_WF10_NOHSM_DB2 job failure
ECA-7649 - POC Automate profiles installation for Firefox
ECA-7650 - Ability to upload CT log key in raw B64 format
ECA-7654 - Update '© 2002–2018 PrimeKey Solutions AB' to 2019
ECA-7658 - Use white-list instead of black-list of allowed HTTP methods in web.xml
ECA-7679 - PeerConnectionsTest uses TLSv1, but should use TLSv1.2
ECA-7680 - PatternLoggers should check if log level is enabled before doing work
ECA-7682 - PeerConnectionsTest.testPublishCertificate should inform about prerequisite in failure message
ECA-7684 - Typo in error message on 'View Certificate' page
ECA-7689 - Update web.xml to Servlet 3.1 use correct JSF 2.2 schema in faces-config.xml
ECA-7692 - Add CSRs for unit testing the RSA Key Validator
ECA-7694 - Modify application.xml to reflect new JEE7 version
ECA-7696 - Add method to get filename from uploaded file
ECA-7701 - Upgrade persistence.xml to JEE7
ECA-7705 - AutoEnrollment Documentation Improvement
ECA-7707 - HttpMethodsTest.testDocs should not fail if internal docs are not used
ECA-7738 - JDK11 Compliance: Patch CESeCore with provider fix from DSSINTER-289
ECA-7740 - Simplify ant build scripts to cut build time
ECA-7755 - The copyright year should be updated to include 2019
ECA-7761 - Minor security improvement
Bug Fixes
ECA-6865 - Failure to publish to a Peer Publisher gives no error message in log in some cases
ECA-7013 - RA Style is deselected while modifying access rules
ECA-7269 - Regression: JSF errors on JBoss AS 7.1.1
ECA-7273 - Certificate profiles appear to be (but aren't) editable for an Auditor
ECA-7282 - Poor error message for incorrectly formatted CT public keys: "Extra Data Detected in Stream"
ECA-7285 - Add HEAD request for the endpoint revokeCert
ECA-7286 - Fix NPE which happens when de-registering account with certbot
ECA-7326 - Bound Certificate under Internal Key Binding is displayed wrongly
ECA-7329 - NPE when you click on 'Republish' button on View Certificate page under Authentication Key Binding
ECA-7332 - OCSP Extensions configurations is applied to the newly created ones
ECA-7338 - Regression: clearPwd flag on WS editUser does not work
ECA-7342 - Check for legal characters is not working for some pages
ECA-7366 - dncomponents.properties.sample order of organizationIdentifier differs from default in DnComponents.java
ECA-7370 - ServiceManifestBuilder does not run with Java 11
ECA-7378 - PublicWeb check certificate status only works with 8 octet cert serialNumber
ECA-7379 - Regression: throwing checked Exceptions from postConstruct is not allowed in JEE spec
ECA-7404 - CA Activation backlink broken
ECA-7433 - Dry-run parameter not respected when importing validators using Statedump
ECA-7434 - Add modular protocol configuration to Statedump
ECA-7438 - NullPointerException in some Adminweb pages if External Script Access is disabled and you have Custom Publishers
ECA-7443 - CAs and Fields in User Data Sources are stored as strings, causing ClassCastException
ECA-7445 - Missing exclude option for Validators in Statedump
ECA-7460 - NPE when importing a CA where a previous certificate exists without expireDate
ECA-7480 - When creating an EndEntity in RA Web and delete_end_entity accessrule is disabled, the process ends incorrectly with success but end entity is not created
ECA-7499 - java.lang.IllegalStateException when using browser back/forward button
ECA-7500 - Certificate Request Generated despite choosing the wrong format
ECA-7511 - EjbcaWSHelperSessionBean.caRenewCertRequest lacks a null check
ECA-7516 - Investigate and fix duplicate ID exception in editservice.xhtml
ECA-7523 - Test failures in ProtocolOcspHttpTest due to missing cleanup
ECA-7524 - Regression: HttpMethodsTest fail because of unexpected HTTP header value
ECA-7525 - Domestic / Non-external CVCA/DVCA do not have the expiration field set
ECA-7529 - OcspExtensionsTest fails on community edition
ECA-7533 - Fix WS documentation for isApproved and getRemainingNumberOfApprovals
ECA-7534 - DnFieldDumpHandler missing DnFieldExtractor.URI in Map.
ECA-7535 - Regression: Upgrade of customcertextensions.properties fails
ECA-7536 - CertificateCrlReaderSystemTest fails on Windows
ECA-7540 - Importing a CVCA certificate with error triggers CSRF error
ECA-7543 - CertSafePublisherTest fails on Windows due to line endings
ECA-7544 - Fix UpgradePublisherTest
ECA-7550 - Missing label and fields cleared erroneously in Edit Services page
ECA-7552 - StatedumpTest should use systemtests.properties
ECA-7558 - Admin Web returns redundant security headers
ECA-7568 - OCSP unauthorized (6) error adds blank line to OCSP transaction log
ECA-7572 - Publisher queue status on home page looks weird since JSF conversion
ECA-7583 - Regression: Errors when creating a CA are not handled
ECA-7584 - USERAUTH fail when publishing with the SCP Publisher
ECA-7587 - Fix NPE when exception lacks an error message
ECA-7591 - Configdump CA is missing support for getLatestSubjectDN
ECA-7595 - UpgradeSessionBeanTest.testUpgradeOcspExtensions6120 fails intermittently
ECA-7599 - AcmeConfigurationAndValidationSystemTest.leaveRevocationReasonUnchanged fails intermittently
ECA-7611 - Fix validity field in Edit CA page
ECA-7613 - CertificateCrlReaderSystemTest fails intermittently
ECA-7615 - Multigroup publisher errors handled incorrectly after conversion
ECA-7624 - Fix ConfigdumpValidatorUnitTest and YamlWriterUnitTest
ECA-7628 - configdump change causes test build failure in CE
ECA-7631 - Typo in Error message
ECA-7632 - RA Web enrollment, End entity removed if finishUser is unchecked in the CA
ECA-7647 - 'Receive Certificate Response' does not work for Externally signed CA
ECA-7662 - SecurityEvents*SessionBeanTest fails on H2 due to use of ORDER in DELETE
ECA-7663 - CertificateRetrievalTest.test09FindWithMissingCertData assumes database.useSeparateCertificateTable=false
ECA-7665 - OutgoingPeerConnectionTest fails intermittently
ECA-7667 - Invalid single quotes in language file
ECA-7669 - The certificate link of an 'EJBCA Node Start' row in the Audit Log does not work
ECA-7676 - Nullcheck would have been NPE in BlacklistEntry
ECA-7677 - PeerConnectionsTest is missing slf4j runtime dependency
ECA-7697 - Regression: Default 'RA-Administrator' and 'Supervisor' roles gets 'Authorization Denied Cause: You are not authorized to view this page.'
ECA-7698 - Update example URL for external documentation
ECA-7699 - Can't access Admin web index page without /ca_functionality/view_ca access
ECA-7712 - Cannot save end entity profile where End Entity E-mail is disabled
ECA-7715 - Regression: Peer connectors cached in browser session not updated when cloning
ECA-7716 - Replace invalid double quotes in language files
ECA-7721 - Regression: CMP RA Name Generation Scheme don't use language strings anymore
ECA-7723 - Can't check "Critical" checkboxes on Edit CA page
ECA-7726 - Non-informative error message on Edit EST Aliases page
ECA-7730 - Clicking Logout in Adminweb gives NumberFormatException
ECA-7735 - Cloning a peer connector does not clone the flag for process incoming requests
ECA-7737 - Certificate of type "Sub CA" can't be published
ECA-7741 - Update tag library schemas for JEE7 in AdminWeb
ECA-7742 - CAA Validator fails DNSSEC validation for CH domains
ECA-7760 - ScpPublisher: Destination URL for certificates saved as crl.scp.destination and vice versa
ECA-7767 - Configdump validator export can fail with NPE
ECA-7769 - Fix warnings from DB CLI
Tasks
ECA-6864 - Set up a Jenkins instance to test JDK8/Wildfly10 using Docker
ECA-7261 - Map which ECAQA automatic tests which need to be remapped
ECA-7275 - Test ACME wildcard cert issuance and pre-authorization with certbot.
ECA-7331 - Verify if Swagger UI works for ACME API. If it does, add documentation to confluence. If not, hide the ACME part from swaggerUI
ECA-7545 - New Docker job on Jenkins - EE_COS7_OpenJDK8_WF10_NOHSM_DB2
ECA-7551 - Exploratory testing on CMP configuration page
ECA-7695 - Update persistence.xml and orm-dbtype.xml to reflect JEE7 version
ECA-7763 - Test upgrade from 6.15.0 to 7.0.0
ECA-7768 - Update readme with license information for Hibernate jars