
EJBCA 9.3 Upgrade Notes

Below are important changes and requirements when upgrading from EJBCA 9.2 to EJBCA 9.3.

For upgrade instructions and information on upgrade paths, see Upgrading EJBCA. For details of the new features and improvements in this release, see the EJBCA 9.3 Release Notes.

Behavioral Changes

Evaluation of Microsoft Auto-enrollment Kerberos Token Extra SID Group Membership

In EJBCA 9.3, we have added code to the Kerberos ticket validation class that allows our Microsoft Auto-enrollment solution to read and evaluate additional Security Identifier (SID) group memberships from the Privilege Attribute Certificate (PAC) data within the Kerberos ticket.

As a result, if a Microsoft user or entity has assigned group membership SIDs present in the Kerberos ticket's PAC data, those SIDs will be evaluated. Enrollment actions will then be performed based on the permissions associated with those groups, in addition to the standard group SIDs the user may already possess.

For more information on Kerberos Token Extra SID Group Membership Support, see Microsoft Auto-enrollment Operations.

MPIC Support for API v2 Specification (3.3.0)

MPIC has been updated to support the latest API version, which is implemented by MPIC Lambda version 1.0.0 for:

  • CAA TLS Validator

  • CAA SMIME Validator

  • ACME http-01 challenge

  • ACME dns-01 challenge

If using an older version of MPIC Lambda, update MPIC Lambda to the latest release (1.0.0) to ensure full support for ACME challenges.

Removal of User Data Sources

The User Data Source feature has been removed in version 9.3. Any access rules associated with this feature are automatically removed from all roles in the database during the post-upgrade process.

After the upgrade has been performed on all nodes, the related table can be safely dropped (though not doing so has no adverse effects).
