EJBCA 6.4 Release Notes

The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.4.

The following covers information on new features and improvements in the 6.4.x releases:

Read the EJBCA 6.4 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 6.4.0

Only our second major release for 2015, EJBCA 6.4.0 represents a huge step into the future for EJBCA, introducing a slew of new features and improving usability in the UI across the board. We have also ramped up QA efforts for this release, which makes us confident to the stability of this release.

New Features

  • Granular control has been added to DN and SAN elements in End Entity Profiles. Inputed values can be controlled using regular expressions.

  • Most of the UI has been given read-only rights, and a new role template (named Auditor) can be created and built upon to allow an auditor to view but not modify.

  • Custom Certificate Extensions and Extended Key Usages can now be added on the fly from the UI, so no longer is a JBoss restart required when new ones are added.

  • WildFly8 and WildFly9 are now supported platforms.

  • Upgrade procedure has been improved, and EJBCA now tracks its own version, allowing many steps that were previously performed as part of manual upgrades to be performed automatically instead. In future versions, manual upgrades will be available from the UI as well as the CLI.

Improvements

  • System Configuration has been split into sections and tabs

  • Exclude Active Manually-Activated CryptoTokens enabled by default in System Configuration, meaning that clearing caches won't by default deactivate all crypto tokens.

Bug Fixes

  • An XSS issue

  • Fixed a NullPointerException when Client Certificate Renewal was performed over SCEP under certain circumstances.

  • Setting "Allow merge DN Web Services" in the End Entity Profile caused SAN to be dropped.

  • Remote EJB deserialization of collections of certificates failed on JBoss 7.1.1 GA.

  • SCEP Client Certificate Renewal allowed renewal of expired certificates.

  • Information leakage pertaining to usernames from the public web.

  • ExternalRA GUI password was leaked to the logs.

Technology Changes

  • Support for XKMS has been removed and is no longer available.

  • Underlying BouncyCastle Library has been upgraded to version 1.53.

  • Support has been dropped for JDK6.

  • Support has been dropped for JBoss5.

Security notice
The Xalan 2.7.1 library previously bundled with EJBCA is subject to a potential security issue (CVE-2014-0107). EJBCA does not by itself use the vulnerable functions from Xalan and there is thus no real vulnerability in EJBCA. We have anyway chosen to remove this bundled library from EJBCA.

As the application server also uses Xalan, users are recommended to upgrade to JBoss EAP 6.3 or later which includes the newer Xalan version. Alternatively, Red Hat provides patches for earlier EAP versions. For JBoss AS 7.1.1 it is possible to follow our instructions in the installation guide for how to instead use the libraries bundled with EJBCA.

A selection of known issues

  • One test failure on DB2: ECA-3298

  • End entity profiles can't be deleted in high volume databases: ECA-4158

  • Some ECDSA key specifier missing in drop down menu for crypto tokens: ECA-4251

  • Certificate profile key length restriction ignored when creating CA: ECA-4310

  • Race condition when multiple RA threads are requesting certificates for the same user: ECA-4347

EJBCA 6.4.1

Improvements

  • Apache commons-collections library has been upgraded to version 3.2.2

Bug Fixes

  • Fixed checking CA authorization in CMP RA mode when using EndEntityCertificate authentication module

  • Regression: A technology upgrade cause relevant information to not be displayed in the approvals screen.

  • Regression: A usability issue regarding Notifications in End Entity Profiles has been solved.

A selection of known issues

  • One test failure on DB2: ECA-3298

  • End entity profiles can't be deleted in high volume databases: ECA-4158

  • Some ECDSA key specifier missing in drop down menu for crypto tokens: ECA-4251

  • Certificate profile key length restriction ignored when creating CA: ECA-4310

  • Race condition when multiple RA threads are requesting certificates for the same user: ECA-4347

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.4.x, refer to our JIRA Issue Tracker.

Issues Resolved in 6.4.0

Released on 26 October 2015

Bug Fixes

[ECA-3576] - 'Enforce unique DN' creates a stack trace in public web
[ECA-4016] - Unable to activate a crypto token imported by statedump after restarting JBoss
[ECA-4022] - Can not use Brainpool or explicit ECC curve in CLI (e.g. import CA certificate, list/export CA)
[ECA-4030] - "Key sequence" always set to 00000 when saving uninitialised CA with available crypto token
[ECA-4171] - Missing parameter for the --end-entity-password option does not cause statedump import command to fail immediately
[ECA-4172] - End entities inaccessible after changing the subject DN of an uninitialised CA
[ECA-4197] - Role access rules not updated when changing subject DN of an uninitialised CA
[ECA-4228] - Clean redundant method declaration in PublisherSession and PublisherSessionLocal
[ECA-4276] - External RA SCEP junit test broken after BC updates
[ECA-4283] - Warning about missing intresources running External RA SCEP
[ECA-4284] - Possible to create a rollover certificate for a CA waiting for CSR
[ECA-4286] - ClientToolBox PKCS11HSMKeyTool can no longer handle sun config file
[ECA-4288] - Change usage license info in csv_to_endentity.sh
[ECA-4295] - Incorrect documentation on "Finish User" setting.
[ECA-4296] - SCEP Client Certificate Renewal shouldn't demand a challenge password
[ECA-4298] - Probably wrong description of parameters in help for importcacert command
[ECA-4306] - Use UTF-8 in German Admin GUI translation
[ECA-4326] - CRLDownload service can't handle multiple revocation changes in a CRL
[ECA-4327] - Links from cert enrollment completed page for IE is broken
[ECA-4333] - Detect available EC curves in JDK by OID
[ECA-4339] - DirectoryName subjectAltName is not added
[ECA-4356] - Regression: Sorting of certificates has become random
[ECA-4357] - Regression: external-ra-gui doesn't deploy
[ECA-4364] - Regression: Error editing Publishers under CA Functions in Admin Web
[ECA-4367] - ejbca-ws-generate not run after the addition of CA rollover WS operations
[ECA-4368] - intresources missing in externalra-gui war file
[ECA-4369] - NPE when trying to create custom publisher that is not pre-edited
[ECA-4371] - SCEP Client Certificate Renewal allows renewal using expired certificates
[ECA-4381] - OCSP TransactionLogger prints SERIALNUMBER instead of SN for REQ_NAME
[ECA-4385] - Internal issue
[ECA-4397] - Include custpubl publishers in build
[ECA-4399] - System test auth token classes should be commonly accessible
[ECA-4400] - Security Issue
[ECA-4402] - Subject alternative names dropped when using "Allow merge DN Web Services"
[ECA-4405] - ra addendentity CLI command breaks when hard token issuers are enabled
[ECA-4414] - Typo error in System Configuration page
[ECA-4416] - Verification of CRLs on CAs using Brainpool ECC does not always work
[ECA-4418] - Expect OCSP signing if EKU in OCSP signing certificate is marked critical
[ECA-4419] - Statedump 6.3 can't import 6.2 dump because ValidationAuthorityPublisher in not on the classpath
[ECA-4435] - SCEP: Use empty content in CACert PKCS#7 messages
[ECA-4453] - Peerconnector tests and Statedump fails to start due to JNDI problems (NoInitialContextException)
[ECA-4457] - EjbcaWS.findCerts(username, isValid=true) should not fetch expired certificates from database
[ECA-4469] - 'Edit Service' page: uppercase/lowercase inconsistency in drop down menu
[ECA-4471] - Unable to view certificate with E field in issuer DN
[ECA-4472] - EJB CLI fails if standalone argument is used after a standalone-enabled switch
[ECA-4475] - Validation javascript on End Entity Profile page throws exception
[ECA-4479] - CMP RA requests with only notBefore requested does not work
[ECA-4483] - Remote EJB serialization of Collection<Certificate> hangs on JBoss 7.1.1.GA
[ECA-4484] - EjbcaEventTypes.CA_ROLLEDOVER is missing its language reference
[ECA-4489] - No checkbox "Renew keys” on 'Edit CA' page
[ECA-4492] - NPE during standard SCEP Certificate Renewal
[ECA-4494] - Single Active Certificate Constraint misses certificates due to subject DN differing between UserData and CertificateData
[ECA-4495] - NPE in EJBCA WS findCerts when no base64CertData is stored
[ECA-4503] - Test case in CertificateCreateSessionTest uses wrong status constants
[ECA-4510] - Can't delete admin in access role
[ECA-4513] - Unchecking auto-activate does not persist for auto-generated crypto tokens using default password
[ECA-4523] - Security Issue, information leak
[ECA-4525] - CustomCertExtensions and ExtendedKeyUsages are sorted alphabetically instead of numerically
[ECA-4536] - Regression: Approve Action Name not displayed
[ECA-4542] - 'List of End Entity Profiles' displays nothing in Auditor pre-defined role
[ECA-4554] - NPE in remote IKB page when multiple CA clusters connect to the same VA

Improvement
[ECA-3418] - Optimize JBoss reload during install
[ECA-3815] - Improve batch command instructions
[ECA-4034] - Include end entities in statedump export by default
[ECA-4113] - Modify BatchCreateTool to allow easy cleanup of files from p12 directory
[ECA-4163] - Move ScepRequestGenerator out of general code
[ECA-4174] - PKCS#11 symmetric key unwrapping for KeyRecovery broken for some HSMs on JDK >= 1.7.0_75
[ECA-4248] - Swap username and serialnumber for PUBLISHER_STORE_CERTIFICATE audit event
[ECA-4254] - Document prerequisite for trusting external CA's leaf cert from IKB
[ECA-4273] - Cosmetic cleanup of IEjbcaWS
[ECA-4281] - GUI: Optimization of the header banner of Admin GUI
[ECA-4287] - Pre-emptive rewrite of CertificateProfile cache
[ECA-4291] - Add system tests for EjbcaWS.caCertResponseForRollover
[ECA-4300] - Convert System Configuration page to JSF
[ECA-4301] - Add tabs to System Configuration Page
[ECA-4304] - Allow prefix for self registered users
[ECA-4305] - Disable choice in self registration when referenced profile does not exist
[ECA-4313] - Allow help text for custom publishers in language file
[ECA-4317] - Document how to encrypt the datasource password in standalone.xml for JBoss EAP 6.4/JBoss AS 7.1
[ECA-4325] - Remove CertificateCreationException from code
[ECA-4330] - Backport ECA-2576 to 6.2
[ECA-4331] - Make the static values for revocation reasons into a new type.
[ECA-4342] - Have cryptotokens excluded from Clear All Caches by default.
[ECA-4351] - Lower log level of misconfigured CertificatePolicies to WARN
[ECA-4352] - Always use EC curves OID when possible for key generation
[ECA-4361] - Add logging of 'X-Forwarded-For' in OCSP transaction log
[ECA-4365] - Document that Healtch check can be enabled/disabled per CA
[ECA-4376] - Add "All CAs" option to Rollover Service worker.
[ECA-4390] - GUI: System Configuration page usability
[ECA-4406] - Improve how upgrade versions are read, making migration from 6.2.10+ to 6.3+ possible
[ECA-4407] - Clarify Illegal key length exception message as limitation by certificate policy
[ECA-4415] - GUI: Certificate Profiles page usability
[ECA-4430] - Bundle JEE6 API library to minimize appserver build time dependency
[ECA-4431] - Update XML schemas for JEE6
[ECA-4440] - Fix use of deprecated version of storeCertificateRemote in CertificateStoreSessionRemote
[ECA-4441] - Rewrite the ExternalRA GUI to use JSF 2.0 and CSS
[ECA-4449] - GUI: CryptoToken page usability
[ECA-4454] - Certificate Profiles: Sort Custom Certificate Extension and EKUs alphabetically by label.
[ECA-4455] - CustomCertExtensions: Remove limit on number of certificate extensions (was: Identify by OID instead of ID)
[ECA-4456] - Allow EjbcaWS.findCerts(usename, isValid) to work without UserData
[ECA-4458] - Improvements to Certificate Extensions overview page
[ECA-4460] - Extended Key Usages overview page should be sorted by OID.
[ECA-4461] - Add input validation control to SAN in EEP
[ECA-4462] - Minor improvements to Auditor role
[ECA-4465] - GUI: End-Entity Profile usability
[ECA-4470] - Document how EKUs and CCEs are imported in upgrade
[ECA-4480] - ExtRA GUI DB2 support
[ECA-4490] - Upgrade EJBCA to BC 1.53
[ECA-4515] - Remove translation of CustomCertExtension displayname into readable text
[ECA-4517] - Buttons for type of Certificate Profile etc. are confusing for new users
[ECA-4531] - ExtendedKeyUsages: remove deprecated method
[ECA-4537] - 'End Entity Profiles' are not displayed in Access Rules

New Feature
[ECA-3436] - Support WildFly 8
[ECA-4264] - Ability to generate link certificate from key on HSM
[ECA-4279] - Add ability to specify revocation reason and revocation date when importing certificates in the CLI
[ECA-4282] - Allow CMP Proxy to work with External RA backend
[ECA-4341] - Add CertificateProfileID to OCSP transaction logs
[ECA-4343] - Custom Certificate Extensions and EKUs without recompilation
[ECA-4344] - Introduce a Read-Only admin to EJBCA
[ECA-4345] - Granular control over elements of the DN in End Entity Profiles
[ECA-4360] - SCEP Client Certificate Renewal on a rollover CA
[ECA-4372] - New setting for specifying certificate chain order in the public web.
[ECA-4396] - Compile and deploy on WildFly 9
[ECA-4459] - Certificate Extensions should define their own property fields
[ECA-4502] - Improve upgrade procedure with database version detection.

Task
[ECA-4289] - Remove outdated sample file change_p12_pwd.c
[ECA-4292] - Remove Support for XKMS
[ECA-4466] - AdminWeb CSS styles clean up
[ECA-4468] - Remove site:publish ant target

Master Ticket
[ECA-4432] - Remove JEE5 and JDK6 support
[ECA-4375] - Update documentation to reflect dropped JBoss5 and JDK6 support.
[ECA-4417] - Remove build and install script specifics for JEE5 app servers and JDK6.
[ECA-4433] - Get rid of Hibernate compatibility libs
[ECA-4437] - Update ExternalRA GUI to JEE6

Issues Resolved in 6.4.1

Released on 29 December 2015

Bug Fixes

[ECA-4262] - Name constraints encoding incorrect in a certain case
[ECA-4535] - ArrayIndexOutOfBounds when upgrading EJBCA 4 installations
[ECA-4582] - Regression: Edit end entity profile notifications bug
[ECA-4592] - Approvals contains no relevant information
[ECA-4602] - CMP: EEC authmodule - Checking for CA authorization does not work
[ECA-4623] - Handle CertificateCreateException with null ErrorCode in public web
[ECA-4631] - Security Issue

Improvements
[ECA-4574] - GUI: System Configuration sub-section order
[ECA-4575] - GUI: Better CryptoToken alias default value
[ECA-4576] - Several SAN DNSname in EMPTY profile
[ECA-4577] - GUI: SHA-256 by default in CA creation form
[ECA-4583] - GUI: CryptoToken page usability (private key export)
[ECA-4595] - GUI: CA creation form usability
[ECA-4612] - Security Issue

Issues Resolved in 6.4.2

Released on 29 December 2015

Bug Fixes

ECA-4555] - PKCS#11 credentials are displayed incorrectly when creating CryptoToken
[ECA-4646] - Clear caches failing with NPE in OcspExtensionsCache when an extension class is not found

Improvements
[ECA-4463] - Add additional pages to Auditor Role
[ECA-4682] - Log X-Forwarded-For if present in OCSP requests