Commit

Merge pull request #2507 from nordic-institute/XRDDEV-2782_start-7.7
chore: backmerge 7.6 to develop
mloitm authored Jan 3, 2025
2 parents a82c18c + e382754 commit 69ed895
Showing 13 changed files with 92 additions and 64 deletions.
16 changes: 14 additions & 2 deletions CHANGELOG.md
@@ -1,6 +1,8 @@
# Change Log

## 7.6.0 - UNRELEASED
## 7.7.0 - UNRELEASED

## 7.6.0 - 2025-12-01
- XRDDEV-2185: As a Security Server Administrator I want the information system TLS certificate table under the subsystem internal server tab to show more information regarding the certificate so that I can differentiate them better
- XRDDEV-2536: As a Security Server Administrator I want the software to automatically renew signing and authentication certificates issued by trusted CA-s that support ACME so that the renewal would happen automatically
- XRDDEV-2542: As a Security Server Administrator I would like to be able to log the CN field of the client certificate that is used to send a query to the Security Server so that I can better monitor the connections
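Review bot: the release date on the new `## 7.6.0 - 2025-12-01` heading looks wrong. This merge was authored on Jan 3, 2025 and the previous entry is `7.5.1 - 2024-09-02`, so a December 2025 date lies in the future. If 7.6.0 shipped in December 2024 the heading should read `## 7.6.0 - 2024-12-01`; otherwise keep it marked UNRELEASED.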
@@ -11,9 +13,11 @@
- XRDDEV-2659: Disabled subsystem can be deleted on the Security Server without unregistering first, causing a faulty state
- XRDDEV-2665: Signer port 5558 must be removed source code and configuration files, because it's not used anymore.
- XRDDEV-2667: As a Security Server Administrator I want to be notified if automatic certificate renewal using ACME fails or succeeds so that I know what the certificate renewal status is.
- XRDDEV-2668: As a Security Server Administrator I want to have more specific error messages in the Security Server UI so that it's easier to understand what's the problem.
- XRDDEV-2682: As a System Administrator, I want backups to work in Kubernetes when a volume is added for /var/lib/xroad/ so that automatic backups work as expected
- XRDDEV-2683: As a Developer I want to ensure the configuration files override-securityserver-ee.ini and override-docker.ini have consistent and appropriate settings for Docker environments
- XRDDEV-2686: As a Developer I want to redirect the Security Server API UI access logs in the sidecar image to standard output instead of files within the container to align with container best practices
- XRDDEV-2687: As a Developer I want to update our signing and verification process so that verification of ASIC-E containers succeeds for both batched and non-batched signing
- XRDDEV-2692: Re-ordering keys with multiple CSR-s and certificates causes duplicates to appear in the table
- XRDDEV-2693: As a Developer I want the Security Server encryption and verification code to be refactored so that it would better support adding new crypto algorithms
- XRDDEV-2694: As a Developer I want to add EC key support to the Security Server and test backwards compatibility so that we can use it in the product
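Review bot: the XRDDEV-2665 entry in this hunk reads "must be removed source code and configuration files", which is missing "from", and entries 2665, 2667 and 2668 end with a full stop while the rest of the list does not. Suggest "must be removed from source code and configuration files" and dropping the trailing periods so the 7.6.0 list is uniform.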
@@ -23,12 +27,20 @@
- XRDDEV-2714: As a Developer I want the sidecar to correctly output ConfigurationVerifier logs for the confclient so that troubleshooting issues with global conf in sidecar is easier
- XRDDEV-2718: Issues with database custom database configuration when using backup/restore
- XRDDEV-2723: As a Developer I want to update our PKCS11 library so that we have the latest fixes
- XRDDEV-2728: As a Central Server and Security Server Administrator I want to be able to switch the UI language so that I can use the UI in my preferred language.
- XRDDEV-2729: Unable to delete a subsystem that is both a consumer and producer on the same Security Server
- XRDDEV-2731: As a Developer I want the potential CSPT to be fixed so that we are hardened against future issues
- XRDDEV-2732: As a Developer I want to disable port 4000 for ACME challenges so that we don't expose it needlessly
- XRDDEV-2733: As a Developer I want to harden the way we handle use input in ACME challenges so that we don't leave a potential opening in the future
- XRDDEV-2759: Fix an issue on the Security Server that caused the proxy-ui-api service not being started automatically after a fresh metapackage install
- XRDDEV-2759: Fresh install fails for Security Server Estonian metapackage on Ubuntu 24.04 with X-Road 7.5.1
- XRDDEV-2764: As a Developer I want to introduce caching to the SavedServiceEndpoint.getPathIfExists method so that performance is improved
- XRDDEV-2765: As a Developer I want to maintain consistency in the system parameter naming convention so that it is more straightforward to use
- XRDDEV-2773: Broken notifications breaks Certificate status change flow
- XRDDEV-2783: RHEL and Dockerized versions of the Security Server do not support migrating contacts from acme.yml to mail.yml
- XRDDEV-2786: The Operational Monitoring Protocol document doesn't include restMethod and restEndpoint elements.
- XRDDEV-2787: As an Administrator I want to use the Central Server and Security Server UIs in Spanish so that I can use my preferred language.
- XRDDEV-2788: As a Security Server Administrator I want to use the Security Server UI in Estonian so that I can use my preferred language.
- XRDDEV-2790: Setting up a Security Server cluster for Noble need verifying

## 7.5.1 - 2024-09-02
- XRDDEV-2669: As an Administrator I would like to be able to override the database host in the environments file as well so that it can be used in scripts
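Review bot: XRDDEV-2759 is listed twice in this hunk with two different descriptions (the proxy-ui-api autostart fix and the Estonian metapackage install failure on Ubuntu 24.04); merge them into one entry or correct the issue key on one of them. The hardening entries also need tightening, since they are what an operator scans for when deciding how urgently to upgrade: XRDDEV-2731 uses the acronym CSPT without expanding it, and XRDDEV-2733 says "handle use input" where "user input" is meant.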
36 changes: 20 additions & 16 deletions doc/Sidecar/kubernetes_security_server_sidecar_user_guide.md
@@ -1,6 +1,6 @@
# Kubernetes Security Server Sidecar User Guide <!-- omit in toc -->

Version: 1.12
Version: 1.13
Doc. ID: UG-K-SS-SIDECAR

## Version history <!-- omit in toc -->
@@ -20,6 +20,7 @@ Doc. ID: UG-K-SS-SIDECAR
| 13.05.2024 | 1.10 | Add additional upgrade details for Sidecar 7.5 | Ovidijus Narkevicius |
| 10.07.2024 | 1.11 | Fix incorrect section numbering | Petteri Kivimäki |
| 02.10.2024 | 1.12 | Add example of set up the volume for backups | Eneli Reimets |
| 23.12.2024 | 1.13 | Minor documentation updates | Eneli Reimets |
## License

This document is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
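Review bot: the 1.13 row describes this revision as "Minor documentation updates", but the same commit changes the required-connections table (new ACME Server and mail server rows, port 443 added for the Central Server) and corrects a Service port protocol. Those changes affect firewall rules and manifests, so name them in the Description column, for example "Add ACME and mail server connections, fix Service protocol".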
@@ -141,11 +142,14 @@ The table below lists the required connections between different components.
| Inbound | Other Security Servers | Sidecar | 5500, 5577 | tcp | |
| Inbound | Consumer Information System | Sidecar | 8080, 8443 | tcp | From "internal" network |
| Inbound | Admin | Sidecar | 4000 | https | From "internal" network |
| Outbound | Sidecar | Central Server | 80, 4001 | http(s) | |
| Inbound | ACME Server | Sidecar | 80 | http | From "internal" network |
| Outbound | Sidecar | Central Server | 80, 443, 4001 | http(s) | |
| Outbound | Sidecar | OCSP Service | 80 / 443 / other | http(s) | |
| Outbound | Sidecar | Timestamping Service | 80 / 443 / other | http(s) | Not used by *slim* |
| Outbound | Sidecar | Other Security Server(s) | 5500, 5577 | tcp | |
| Outbound | Sidecar | Producer Information System | 80, 443, other | http(s) | To "internal" network |
| Outbound | Sidecar | ACME Server | 80 / 443 | http(s) | |
| Outbound | Sidecar | Mail server | 587 | tcp | |
| Inbound | Sidecar (secondary) | Sidecar (primary) | 22 | ssh | Configuration synchronization |

### 4.4 Reference Data
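Review bot: in the new `Inbound | ACME Server | Sidecar | 80 | http` row, the note `From "internal" network` looks copied from the Admin and Consumer Information System rows above it. The matching Outbound row to the ACME Server carries no such restriction, so state where the ACME server is expected to sit; this row is what operators turn into an ingress rule for port 80, and a wrong source network here either blocks the connection or opens the port wider than intended. The Central Server row also now lists 80, 443 and 4001 under `http(s)` without saying which of them are plain HTTP.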
@@ -471,19 +475,19 @@ spec:
value: "<xroad db password>"
- name: XROAD_DATABASE_NAME
value: "<database name>"
startupProbe:
httpGet:
path: /
port: 8080
periodSeconds: 10
failureThreshold: 60
livenessProbe:
httpGet:
path: /
port: 8080
periodSeconds: 10
successThreshold: 1
failureThreshold: 5
startupProbe:
httpGet:
path: /
port: 8080
periodSeconds: 10
failureThreshold: 60
livenessProbe:
httpGet:
path: /
port: 8080
periodSeconds: 10
successThreshold: 1
failureThreshold: 5
ports:
- containerPort: 4000
- containerPort: 5588
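Review bot: the removed and added `startupProbe` / `livenessProbe` blocks are textually identical, so this is an indentation-only fix; please confirm that both probes now sit at the same level as `ports:` in the container spec rather than under the last `env` entry, and validate the example manifest with a dry-run apply before merging. Minor: `successThreshold: 1` on the liveness probe is the default and the only value Kubernetes accepts there, so it can be dropped.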
@@ -527,7 +531,7 @@ spec:
name: xroad-message-transport
- port: 5577
targetPort: 5577
protocol: HTTP
protocol: TCP
name: xroad-ocsp
---
apiVersion: v1
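Review bot: only the 5577 port of this Service is corrected here; check the remaining ports of this Service and the other manifest examples in the guide for the same `protocol: HTTP` value, which a Service rejects because the field only accepts TCP, UDP or SCTP. Leaving any behind means the guide ships a mix of valid and invalid examples.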
25 changes: 13 additions & 12 deletions doc/Sidecar/security_server_sidecar_security_guide.md
@@ -1,17 +1,18 @@
# Security Server Sidecar Security Guide <!-- omit in toc -->

Version: 1.3
Version: 1.4
Doc. ID: UG-SS-SEC-SIDECAR

## Version history <!-- omit in toc -->

Date | Version | Description | Author
---------- |---------|------------------------| --------------------
05.02.2021 | 1.0 | Initial version | Raul Martinez Lopez
28.11.2021 | 1.1 | Add license info | Petteri Kivimäki
11.10.2022 | 1.2 | Updating links | Monika Liutkute
06.07.2023 | 1.3 | Sidecar repo migration | Eneli Reimets

| Date | Version | Description | Author |
|------------|---------|-----------------------------|---------------------|
| 05.02.2021 | 1.0 | Initial version | Raul Martinez Lopez |
| 28.11.2021 | 1.1 | Add license info | Petteri Kivimäki |
| 11.10.2022 | 1.2 | Updating links | Monika Liutkute |
| 06.07.2023 | 1.3 | Sidecar repo migration | Eneli Reimets |
| 23.12.2024 | 1.4 | Minor documentation updates | Eneli Reimets |

## License

This document is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
Expand Down Expand Up @@ -64,17 +65,17 @@ The document is intended for readers with a moderate knowledge of Linux server m

### 1.2 Environment assumptions

The regular version of the Sidecar includes message log, operational monitoring, and environmental monitoring modules, whereas the Sidecar slim version does not include the aforementioned modules. Both the slim and regular versions of the Sidecar can be used for both consuming and producing services. In addition, there are country-specific configuration versions available, such as the Finnish meta-package (currently the only one). More information can be found on the Security Server Sidecar User Guide for the different [image versions](security_server_sidecar_user_guide.md#22-x-road-security-server-sidecar-images).
The regular version of the Sidecar includes message log, operational monitoring, and environmental monitoring modules, whereas the Sidecar slim version does not include the aforementioned modules. Both the slim and regular versions of the Sidecar can be used for both consuming and producing services. In addition, there are country-specific configuration versions available, such as the Finnish meta-package. More information can be found on the Security Server Sidecar User Guide for the different [image versions](security_server_sidecar_user_guide.md#22-x-road-security-server-sidecar-images).

Note(1) For the scope of this document, we will assume the regular Security Server Sidecar image version is used.
>**Note(1)** For the scope of this document, we will assume the regular Security Server Sidecar image version is used.
The Security Server Sidecar can run alongside the client or service information system in the same host but in separate containers. In a production environment, a single Security Server Sidecar container may be shared between different information systems. However, the footprint of the Sidecar container is relatively high compared to the footprint of average containers and it has to be taken into account for dimensioning the host where the containers should run. More information can be found on the Security Server Sidecar User Guide for the [requirements to run a Security Server Sidecar container](security_server_sidecar_user_guide.md#24-requirements-for-the-x-road-security-server-sidecar).

Note(2) For the scope of this document, we will assume a single Security Server Sidecar container is running alongside an information system for consuming or providing services.
>**Note(2)** For the scope of this document, we will assume a single Security Server Sidecar container is running alongside an information system for consuming or providing services.
The Security Server Sidecar can be configured to use either a local database running inside the container or a remote database running externally. Since the Security Server is a stateful application, it is recommended to configure the Sidecar container to use a remote database and persistent file storage external to the container. More information can be found on the Security Server Sidecar User Guide to [set up an external database](security_server_sidecar_user_guide.md#27-external-database) and [bind an external volume](security_server_sidecar_user_guide.md#29-volume-support).

Note(3) For the scope of this document, we will assume the Security Server sidecar is configured to use an external database for storing server configuration, message logs and operational monitoring data and an external volume to store configuration files.
>**Note(3)** For the scope of this document, we will assume the Security Server sidecar is configured to use an external database for storing server configuration, message logs and operational monitoring data and an external volume to store configuration files.
### 1.3 References
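Review bot: the rewritten Note(3) still says "Security Server sidecar" with a lowercase "sidecar", while Note(1), Note(2) and the surrounding paragraphs use "Sidecar"; capitalize it while the line is being touched. The new quote markers are also written as `>**Note(1)**` with no space after `>`; `> **Note(1)**` is the more common form and is easier to read in the source.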
