Release Notes

V1.3

Migration

Fix Holder Types to enable HolderView

The HolderView requires correct entries in the Holder.type column:

  • X509CA for certificate-issuing holders (root and intermediate CAs)
  • X509EE for end-entities

You can list all X.509 root CAs with

select * from Holder where parentId IS NULL and certificateType = 2;

then you can update the type with

update Holder set type = "X509CA" where parentId IS NULL and certificateType = 2;

To list the holders below a CA, use the id of the CA holder as parentId:

select * from Holder where parentId = <id> and certificateType = 2;

Update the intermediate CAs among them to X509CA accordingly. For end-entities under that CA, set the type with

update Holder set type = "X509EE" where parentId = <id> and certificateType = 2;
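Note that intermediate CAs and end-entities under the same CA match the same parentId/certificateType predicate, so check the result of the select before running the update, or restrict the update to the ids concerned. The following script is an added example, not part of the release notes or of the PKIaaS code base: it performs the root -> intermediate -> end-entity classification as a dry run on a constructed copy of the Holder table and reports holders whose parentId points nowhere, which the top-down procedure above would silently skip. It uses SQLite so that it runs offline; the real database is not SQLite, and the classification rule (CA if no parent, or signerNo != 0, or referenced as a parent by another holder) is an assumption derived from the queries in these notes, not a documented invariant.

```python
import sqlite3

# Constructed sample of the Holder table (not real PKIaaS data).
# Columns: id, parentId, certificateType, signerNo, type
SAMPLE_HOLDERS = [
    (1, None, 2, 1, None),   # root CA
    (2, 1, 2, 2, None),      # intermediate CA under the root
    (3, 2, 2, 0, None),      # end-entity under the intermediate
    (4, 1, 2, 0, None),      # end-entity directly under the root
    (5, None, 1, 0, None),   # holder of another certificate type, untouched
    (6, 99, 2, 0, None),     # orphan: parentId refers to a holder that does not exist
]

CA_TYPE = "X509CA"
EE_TYPE = "X509EE"


def open_sample_db():
    """In-memory SQLite stand-in for the PKIaaS database (assumption: real DB differs)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Holder (id INTEGER PRIMARY KEY, parentId INTEGER, "
        "certificateType INTEGER, signerNo INTEGER, type TEXT)"
    )
    con.executemany("INSERT INTO Holder VALUES (?, ?, ?, ?, ?)", SAMPLE_HOLDERS)
    return con


def find_orphans(con):
    """X.509 holders (certificateType = 2) whose parentId does not match any holder.

    The top-down procedure in the release notes never reaches these, so they are
    reported for manual inspection instead of being migrated.
    """
    rows = con.execute(
        "SELECT h.id FROM Holder h LEFT JOIN Holder p ON h.parentId = p.id "
        "WHERE h.certificateType = 2 AND h.parentId IS NOT NULL AND p.id IS NULL"
    )
    return [hid for (hid,) in rows]


def classify_holders(con):
    """Return {id: type} for all X.509 holders without touching the table.

    Assumed rule: a holder is a CA if it has no parent (root), carries a signer
    (signerNo != 0), or is referenced as parentId by another holder; every
    other certificateType = 2 holder is an end-entity.
    """
    rows = con.execute(
        "SELECT id, parentId, signerNo FROM Holder WHERE certificateType = 2"
    ).fetchall()
    parents = {pid for _, pid, _ in rows if pid is not None}
    plan = {}
    for hid, pid, signer in rows:
        is_ca = pid is None or signer != 0 or hid in parents
        plan[hid] = CA_TYPE if is_ca else EE_TYPE
    return plan


def apply_migration(con, dry_run=True):
    """Compute the migration plan; write it only when dry_run is False."""
    orphans = set(find_orphans(con))
    plan = {hid: t for hid, t in classify_holders(con).items() if hid not in orphans}
    if not dry_run:
        with con:  # single transaction, rolled back on error
            con.executemany(
                "UPDATE Holder SET type = ? WHERE id = ?",
                [(t, hid) for hid, t in plan.items()],
            )
    return plan


def current_types(con):
    """Snapshot of Holder.type per id, for before/after comparison."""
    return dict(con.execute("SELECT id, type FROM Holder").fetchall())


if __name__ == "__main__":
    db = open_sample_db()
    print("orphans to inspect by hand:", find_orphans(db))
    for hid, t in sorted(apply_migration(db, dry_run=True).items()):
        print(f"holder {hid} -> {t}")
    apply_migration(db, dry_run=False)
    print(current_types(db))
```

Run it first with dry_run=True against a copy of the production table and compare the plan with the HolderView before committing the update.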

Add TokenManager Role to first Subject

The new role TokenManager may not be granted to the first user after the upgrade. Add the role assignment with the statement below; verify beforehand that subjectId 1 is the first subject and roleId 7 is the TokenManager role in your installation.

insert into AssignedRole (subjectId, roleId, serviceRequestId) values (1, 7, 1);

Deprecated SRCA Plugin

Starting with 1.0.75 of the SE-Management-Service (SEMS), the SRCA Plugin is deprecated and its functionality has moved into the SEMS. Remove the sc-hsm-srca dependency from ivy.xml.

The SRCA-related service requests are disabled by default. They need to be enabled using the enableSRCA setting in etc/configuration.js:

sems: {
    rtURL: "http://localhost:8081/rt/sems",
    apiURL: "https://localhost:8443",
    enableSRCA: true
},

Subjects of type SchemeRootCA are deprecated, as the SRCA is now a function of a trust center. Existing subjects of type SchemeRootCA are automatically handled as trust center subjects. To update the database and complete the transition you can run

update Subject set type = "TrustCenter" where type = "SchemeRootCA";

A trust center can hold an arbitrary number of SRCA instances.

Requesting a MICA certificate has been moved to the Mission-CA-Service (MCAS).

Migrating Device Issuer

Starting with 1.0.75 of the SE-Management-Service (SEMS), the Device Issuer subject is deprecated. Instead the device issuer is now a function of a trust center. Existing subjects of type DeviceIssuer are automatically handled as subjects of type TrustCenter.

You can clean up the database with

update Subject set type = "TrustCenter" where type = "DeviceIssuer";

Migrating X509Signer

Starting with 1.2.353, the X.509 and EST functionality has been moved from the core into separate plugins.

During the transition phase, the built-in X.509 and EST functions in the core portal can be disabled with

Config.global = {
        ...
    disableBuildinX509: true,
        ...
}

To use the X.509 and EST functionality that was moved into the separate plugins, add the plugins to pkiaas/ivy.xml:

    <dependency org="org.openscdp" name="x509-ca-service-plugin" rev="latest.integration"/>
    <dependency org="org.openscdp" name="est-service-plugin" rev="latest.integration"/>

To switch to the new display format for X.509 CAs, change Holder.type in the database (this matches the CA criterion used in the HolderView migration above, with signerNo != 0 identifying issuing holders):

update Holder set type = "X509CA" where certificateType = 2 and signerNo != 0;

Migrating TLS Client Authentication

Starting with 1.2.352, the TLS configuration for authenticating the portal against the backend services (SEMS, DFN, PDF, EJBCA, EST) has moved to etc/server.conf. This allows sharing one TLS context across backends and improves connection establishment.

The following section is required in etc/server.conf. Replace the password placeholders and restrict read access to the file, since it now holds the keystore and truststore passwords in clear text:

scriptingserver.tls.keystore=etc/tls/clientkeystore.p12
scriptingserver.tls.keystorepassword=password
scriptingserver.tls.keystorekeypassword=password
scriptingserver.tls.truststore=etc/tls/truststore.p12
scriptingserver.tls.truststorepassword=password

The keyStore, keyPassword and trustStore entries in etc/configuration.js can then be removed; the commented-out lines below show the entries to drop:

ejbca: {
    rtURL: "https://test.pki-as-a-service.net/ejbca-connector-rt",
    apiURL: "https://ejbca-connector-lab:8443",
//  keyStore: new KeyStore("BC", "PKCS12", "../etc/tls/clientkeystore.p12", "password"),
//  keyPassword: "password",
//  trustStore: new KeyStore("BC", "PKCS12", "../etc/tls/truststore.p12", "password"),
},
sems: {
    rtURL: "https://test.pki-as-a-service.net/sems-rt/sems",
    apiURL: "https://sems-lab:8443",
    enableFirmwareUpdate: true,

//  keyStore: new KeyStore("BC", "PKCS12", "../etc/tls/clientkeystore.p12", "password"),
//  keyPassword: "password",
//  trustStore: new KeyStore("BC", "PKCS12", "../etc/tls/truststore.p12", "password"),
},
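Because the backend connections silently fall back to whatever TLS material is configured, it is easy to end up with a half-finished migration: a required key missing from etc/server.conf, or a per-backend keyStore still active in configuration.js. The script below is an added example, not part of the release notes or the PKIaaS distribution; it parses a constructed etc/server.conf and configuration.js and reports both conditions. The file names and the set of required keys are taken from these notes; the parser assumes the properties-file syntax shown above (one key=value per line, # or ! starting a comment).

```python
import re

# Keys the release notes require in etc/server.conf.
REQUIRED_TLS_KEYS = (
    "scriptingserver.tls.keystore",
    "scriptingserver.tls.keystorepassword",
    "scriptingserver.tls.keystorekeypassword",
    "scriptingserver.tls.truststore",
    "scriptingserver.tls.truststorepassword",
)

# Constructed sample of etc/server.conf: truststorepassword is missing on purpose.
SERVER_CONF = """\
# constructed sample, not a real deployment
scriptingserver.tls.keystore=etc/tls/clientkeystore.p12
scriptingserver.tls.keystorepassword=password
scriptingserver.tls.keystorekeypassword=password
scriptingserver.tls.truststore=etc/tls/truststore.p12
"""

# Constructed sample of configuration.js: the ejbca block still has two active
# per-backend TLS entries, the sems block has them commented out correctly.
CONFIG_JS = """\
ejbca: {
    rtURL: "https://test.pki-as-a-service.net/ejbca-connector-rt",
    apiURL: "https://ejbca-connector-lab:8443",
    keyStore: new KeyStore("BC", "PKCS12", "../etc/tls/clientkeystore.p12", "password"),
    keyPassword: "password",
//  trustStore: new KeyStore("BC", "PKCS12", "../etc/tls/truststore.p12", "password"),
},
sems: {
    rtURL: "https://test.pki-as-a-service.net/sems-rt/sems",
    apiURL: "https://sems-lab:8443",
//  keyStore: new KeyStore("BC", "PKCS12", "../etc/tls/clientkeystore.p12", "password"),
//  keyPassword: "password",
//  trustStore: new KeyStore("BC", "PKCS12", "../etc/tls/truststore.p12", "password"),
},
"""


def parse_server_conf(text):
    """Parse key=value lines; '#' and '!' start comments as in Java properties files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def missing_tls_keys(props):
    """Required scriptingserver.tls.* keys that are absent from the parsed config."""
    return [k for k in REQUIRED_TLS_KEYS if k not in props]


def leftover_backend_tls(js_text):
    """(line number, key) for every still-active keyStore/keyPassword/trustStore entry.

    Lines starting with // are ignored: those are what the migration leaves behind.
    """
    active = re.compile(r"^\s*(keyStore|keyPassword|trustStore)\s*:")
    hits = []
    for n, line in enumerate(js_text.splitlines(), 1):
        m = active.match(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def check_migration(server_conf_text, config_js_text):
    """Combine both checks; an empty result means the TLS migration is complete."""
    return {
        "missing_server_conf_keys": missing_tls_keys(parse_server_conf(server_conf_text)),
        "leftover_configuration_js": leftover_backend_tls(config_js_text),
    }


if __name__ == "__main__":
    # In a real deployment read etc/server.conf and etc/configuration.js from disk.
    for problem, items in check_migration(SERVER_CONF, CONFIG_JS).items():
        print(problem, items)
```

The checker deliberately treats an active keyStore entry as a finding even when it points at the same PKCS#12 file as server.conf, because the point of the migration is a single shared TLS context rather than per-backend duplicates of the same credentials.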