Release Notes
Release notes for the PKI-as-a-Service Backend and Frontend.
Other release notes for plugins and backend services can be found in
V1.3
- Frontend 1.3.386
- Backend 1.3.18
Added
- Feature #257: Show holder elements in Subject view
- Feature #258: Create Key Escrow Service to ensure mobility of keys
- Feature #259: Add a Holder List View to show children of a parent Holder
Changed
- X509 functionality moved to plugin
Migration
Fix Holder Types to enable HolderView
The HolderView requires correct entries in column type:
- X509CA for certificate-issuing holders
- X509EE for end-entities
You can list all X509 root CAs with
select * from Holder where parentId IS NULL and certificateType = 2;
Then you can update the type with
update Holder set type = 'X509CA' where parentId IS NULL and certificateType = 2;
To list intermediate CAs, use the id of the CA holder as parentId:
select * from Holder where parentId = <id> and certificateType = 2;
Update the type accordingly. For end-entities, set the type with
update Holder set type = 'X509EE' where parentId = <id> and certificateType = 2;
Add TokenManager Role to first Subject
The new role TokenManager is now granted to the first user when the database is created. Add the role assignment with
insert into AssignedRole (subjectId, roleId, serviceRequestId) values (1, 7, 1);
Migrating X509Signer
Starting with 1.2.353 the X.509 and EST functionality is moved from the core into separate plugins.
To use the X.509 and EST functionality you need to add the plugins to pkiaas/ivy.xml:
<dependency org="org.openscdp" name="x509-ca-service-plugin" rev="latest.integration"/>
<dependency org="org.openscdp" name="est-service-plugin" rev="latest.integration"/>
Migrating TLS Client Authentication
Starting with 1.2.352, the TLS configuration for authenticating the portal against backend services (SEMS, DFN, PDF, EJBCA, EST) has moved to etc/server.conf. This allows sharing the TLS context and improves connection establishment when talking to backends.
The following section is required in etc/server.conf:
scriptingserver.tls.keystore=etc/tls/clientkeystore.p12
scriptingserver.tls.keystorepassword=password
scriptingserver.tls.keystorekeypassword=password
scriptingserver.tls.truststore=etc/tls/truststore.p12
scriptingserver.tls.truststorepassword=password
The keyStore, keyPassword and trustStore configuration entries in etc/configuration.js can be removed:
ejbca: {
    rtURL: "https://test.pki-as-a-service.net/ejbca-connector-rt",
    apiURL: "https://ejbca-connector-lab:8443",
    // keyStore: new KeyStore("BC", "PKCS12", "../etc/tls/clientkeystore.p12", "password"),
    // keyPassword: "password",
    // trustStore: new KeyStore("BC", "PKCS12", "../etc/tls/truststore.p12", "password"),
},
sems: {
    rtURL: "https://test.pki-as-a-service.net/sems-rt/sems",
    apiURL: "https://sems-lab:8443",
    enableFirmwareUpdate: true,
    // keyStore: new KeyStore("BC", "PKCS12", "../etc/tls/clientkeystore.p12", "password"),
    // keyPassword: "password",
    // trustStore: new KeyStore("BC", "PKCS12", "../etc/tls/truststore.p12", "password"),
},
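A check for this TLS migration, as an added example that is not part of the release notes or the project's code: it reports which of the five required scriptingserver.tls.* keys are missing or empty in etc/server.conf and which keyStore, keyPassword or trustStore entries are still active in etc/configuration.js. The function names and sample inputs are constructed for illustration, and it assumes key=value lines and // line comments as shown above.

```python
import re

# Keys the release notes require in etc/server.conf
REQUIRED_KEYS = tuple("scriptingserver.tls." + k for k in (
    "keystore", "keystorepassword", "keystorekeypassword",
    "truststore", "truststorepassword"))
# Per-backend entries the notes say can be removed from etc/configuration.js
LEGACY_ENTRY = re.compile(r"^\s*(keyStore|keyPassword|trustStore)\s*:")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def missing_tls_keys(server_conf_text):
    """Return the required keys that are absent or have an empty value."""
    props = parse_properties(server_conf_text)
    return [k for k in REQUIRED_KEYS if not props.get(k)]

def legacy_tls_entries(configuration_js_text):
    """Return (line number, entry) for TLS entries not commented out with //."""
    hits = []
    for number, line in enumerate(configuration_js_text.splitlines(), 1):
        match = LEGACY_ENTRY.match(line)  # a line starting with // does not match
        if match:
            hits.append((number, match.group(1)))
    return hits

# Constructed samples: one required key missing, one legacy entry left active
SAMPLE_SERVER_CONF = """\
scriptingserver.tls.keystore=etc/tls/clientkeystore.p12
scriptingserver.tls.keystorepassword=password
scriptingserver.tls.keystorekeypassword=password
scriptingserver.tls.truststore=etc/tls/truststore.p12
"""
SAMPLE_CONFIGURATION_JS = """\
ejbca: {
    apiURL: "https://ejbca-connector-lab:8443",
    // keyStore: new KeyStore("BC", "PKCS12", "../etc/tls/clientkeystore.p12", "password"),
},
sems: {
    apiURL: "https://sems-lab:8443",
    keyPassword: "password",
},
"""
```

To check a real installation, pass the contents of etc/server.conf and etc/configuration.js to the two functions; both should return empty lists after the migration.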